January saw the UK government publish yet another cyber security strategy, the Government cyber security strategy 2022, not to be confused with the National cyber strategy 2022, published only a month earlier.
This new strategy is focused on ensuring the government’s critical functions are hardened to cyber attack by 2025, with all public sector organisations becoming more resilient to cyber threats by 2030. This clear aim is welcome, but is it realistic or achievable?
The timelines set out in the strategy are incredibly tight. Government departments have many competing demands on them, budgets are under pressure and cyber security is not at the top of many of their priorities. Implementing the strategy by 2025 will be difficult.
The strategy has two pillars: build a strong foundation of organisational cyber security resilience, underpinned by the adoption of the NCSC Cyber Assessment Framework (CAF); and “defend as one”, which will be enabled by the establishment of a Government Cyber Coordination Centre (GCCC). These pillars link to the National Cyber Strategy’s key message of alignment and integration across government.
In addition, these pillars are supported by five objectives:
• Manage cyber security risk;
• Protect against cyber attack;
• Detect cyber security events;
• Minimise the impact of cyber security incidents;
• Develop the right cyber security skills, knowledge and culture.
All these are sensible and provide an easy-to-understand approach to build a transformation programme around. However, experience suggests these objectives are difficult, costly and time-consuming to achieve, especially in operations-focused government departments.
Integration will be key
Success will be determined by the levels of integration achieved across government, regions, with industry partners and specialist organisations, maybe even with our international allies.
The strategy enables cross-government integration through the creation of the GCCC and the use of the CAF. It will also be important to integrate with all the people required to deliver this strategy – it is not just about cyber security specialists. Human resources, commercial, and technology specialists, as well as programme management and change specialists, will also be needed to embed cyber security across an organisation.
Government should also look to learn from the experiences and capabilities of industries such as financial services or critical national infrastructure (CNI), which have developed more mature approaches to cyber security.
These organisations already use the tools in this strategy (including the CAF), and we can learn from their offerings. They have also been through long and difficult journeys to arrive at their current capabilities. By learning where they went wrong, these pitfalls can be avoided, and delivery can be more focused on the right answers and thus accelerated.
Engage leadership early
Developing the right cyber security skills, knowledge and culture is a key objective in this strategy and underpins the other four.
Although the strategy focuses mainly on training and maintaining the cyber workforce and increasing cyber awareness across departments, this can all wait as operational leadership must be engaged first.
To get this work started quickly, organisational and departmental leadership need to understand and prioritise the delivery of this strategy. This will require strategic direction from the top, informed by clear cyber risk management reporting, with all impacts aligned to operational effects.
Helping senior, non-technical executives understand cyber risks and compare them to other operational risks will support their decision making and lead to the accelerated delivery of the strategy’s outcomes.
One bite at a time
Across government, processes to justify investment in large programmes, and gain approvals, are often long and delay the start of delivery. This will be exacerbated with the current budget challenges, as departments have to prioritise and do more with less. In particular, many smaller departments and their arm’s-length bodies will be starting from a less mature position, giving them a huge amount to do.
To tackle this, they should adopt a ‘think big, start small and scale fast’ approach while continuously engaging with all stakeholders. That means investing time in understanding the work required, breaking it into prioritised, manageable bites and looking for ways to begin delivery rapidly. This could be by starting a small project which can be justified quickly or by attaching deliverables – like a secure by design process – to existing programmes (not necessarily cyber security programmes) which are already funded.
While this initial delivery work is being done, departments can focus on building larger cyber transformation programmes to enable the work to scale up and deliver fast. This approach has proven to speed up delivery and improve cyber security capabilities for many organisations across sectors. It was especially effective when delivering the major improvements required to secure remote working during the Covid-19 crisis, particularly helping small and medium-sized organisations adapt quickly under difficult circumstances.
This combination of integration, clear leadership and breaking down the task into manageable pieces will be critical to both sustainably meeting the strategy’s ambitions and starting delivery quickly to build buy-in and confidence.