Recently officially opened by the Queen, the National Cyber Security Centre (NCSC) brings together and replaces the information security arm of GCHQ, the Centre for Cyber Assessment, Computer Emergency Response Team UK and the cyber-related responsibilities of the Centre for the Protection of National Infrastructure. It’ll also bring in experts from the private sector and Chancellor Philip Hammond said the "best and the brightest in industry" will help "test and challenge the government's thinking" in cyber security.
As with any situation which brings together a number of organisations under one roof, it takes time to form new ways of working. But with over 180 cyberattacks classed by the NCSC as category two or three during the last three months, there’s no time to lose.
So how can the NCSC ensure it works internally and with industry to be operationally effective?
Don’t reinvent the wheel
With any merger there’s a temptation to scrap the work that was done before and develop something new. But the trick is to bring together the best technology, cultures and processes from the original organisations and see how they can best work in the new one.
For example, PA supported an insurance group post-merger to help them reach their business objectives. We carried out a swift review of existing projects and in the short term provided clarity and coherence to enable them to deliver sooner; concurrently, we implemented an effective programme and project management framework against which new strategic and existing projects would be planned and controlled. Within all of this we focused on finding and exploiting best practice.
In addition to a seamless integration, deliver at scale needs continuous innovation and the identification of external delivery capability. The recent announcement of 100 Industry integrees in the NCSC is a fantastic opportunity to exploit their expertise, and their corporate reachback, to the benefit of the whole enterprise.
The increasing threats, and the convergence of technology across industries and sectors means that increasingly industry is facing similar challenges regardless of their traditional sector boundaries (e.g Financial Services and Oil & Gas)
To reduce the susceptibility to cyber-attacks, the NCSC will need to work increasingly closely with industry to share information, data and intelligence. The NCSC already runs the Cyber-security Information Sharing Partnership – a great way to learn from the experiences, mistakes and successes of other organisations. These types of ‘information exchanges’ should be encouraged, as they act as a great catalyst for change, but sharing across industry boundaries is just as important.
Take the financial services industry – they’re great at using regulation to ensure integrity and conformity of data, while the nuclear industry focuses on the physical protection and availability of systems. The convergence of threats and technologies means that the different approaches and strengths within a sector will need to be increasingly applied across each sector.
Engage the board
PA has long held the view that there is a disconnect in expectations between IT decision makers and C-suite executives, each believing the other is responsible in the event of a breach; our experience of working with senior boards on Cyber wargaming shows this hasn’t changed. And executives also predict the cost of cyberattack to their business to be significantly less than their IT colleagues. A worrying disconnect and one the NCSC should address by involving and educating the boardroom. If these leaders better understand the threats, risk and implications of a cyberattack, they’ll be better placed to support, and challenge, their technical colleagues. Cyber Security can be expensive, but heightened cyber threats means that it is now a necessity. Boards must understand how real these threats are and understand the level of investment required to make their business resilient and secure in a digital world. This must involve focus and investment in educating the users as well as adopting the best technology approaches because the user remains the weakest link.
Encouraging effective collaboration and engaging Industry fully, especially at Board level, will enable the NCSC to lead a comprehensive approach to ensuring Britain’s defences against cyber attack.