In January, the British government published another cybersecurity strategy, the Government Cyber Security Strategy 2022 (not to be confused with the National Cyber Strategy 2022, published only a month earlier).
This new strategy aims to ensure that critical government functions are strengthened against cyberattacks by 2025, with all public sector organizations becoming more resilient to cyberthreats by 2030. This clear target is welcome, but is it realistic or feasible?
The timelines set out in the strategy are extremely tight. Departments face many competing demands, budgets are under pressure, and cybersecurity is not high on many of their priority lists. Hardening critical government functions by 2025 will be difficult.
The strategy is built on two pillars: building a strong foundation of organizational cybersecurity resilience, underpinned by adoption of the NCSC's Cyber Assessment Framework (CAF); and "defend as one", enabled by the establishment of a Government Cyber Coordination Centre (GCCC). These pillars tie back to the central message of the National Cyber Strategy: alignment and integration across government.
In addition, these pillars are supported by five objectives:
- Manage cybersecurity risk;
- Protect against cyberattacks;
- Detect cybersecurity events;
- Minimize the impact of cybersecurity incidents;
- Develop the right cybersecurity skills, knowledge and culture.
All of these make sense and offer an easy-to-understand structure for a transformation program. Experience shows, however, that these goals are difficult, costly and time-consuming to achieve, especially in operationally focused departments.
Integration will be key
Success will be determined by the level of integration achieved within government, across the regions, with industry partners and specialist organizations, and perhaps even with international allies.
The strategy provides for integration across government through the creation of the GCCC and the common use of the CAF. It will be just as important to integrate all the people needed to deliver it, and they are not only cybersecurity specialists. Human resources, business and technology specialists, and program and change management specialists will all be needed to embed cybersecurity in an organization.
The government should also seek to learn from the experiences and capabilities of industries such as financial services or critical national infrastructure (CNI), which have developed more mature approaches to cybersecurity.
These organizations already use the tools this strategy relies on (including the CAF), and government can learn from their experience. They have also traveled long and difficult paths to reach their current capabilities. Learning where they went wrong allows those pitfalls to be avoided, so that delivery can focus on what works and therefore move faster.
Engage leadership early
Developing the right cybersecurity skills, knowledge and culture is a key objective of this strategy and underpins the other four.
While the strategy focuses primarily on training and retaining the cyber workforce and raising cybersecurity awareness across all departments, none of that can succeed unless operational leadership is engaged first.
To get this work started quickly, organizational and departmental leaders need to understand the strategy and prioritize its implementation. This requires strategic direction from the top, informed by clear reporting on cyber risk management, with impacts expressed in terms of their operational consequences.
Helping non-technical senior executives understand cyber risks and weigh them against other operational risks will support their decision-making and accelerate delivery of the strategy's outcomes.
One bite at a time
Across government, the processes for justifying investment in major programs and obtaining approval are often lengthy and delay the start of delivery. This will be exacerbated by current budgetary pressures, as departments must prioritize and do more with less. In particular, many smaller departments and their arm's-length bodies will start from a less mature position and have a great deal to do.
To address this, they should adopt a "think big, start small, scale quickly" approach while continuously engaging all stakeholders. This means investing time to understand the work required, breaking it down into prioritized and manageable steps, and looking for ways to begin delivery quickly. That could mean starting with a small project that can be justified quickly, or attaching deliverables, such as a secure-by-design process, to existing programs that are already funded (not necessarily cybersecurity programs).
While this initial delivery work is underway, departments can focus on building larger cyber transformation programs that allow the work to grow and deliver at pace. This approach has been shown to speed up delivery and improve cybersecurity capability for many organizations across all industries. It was particularly effective in delivering the major improvements needed to secure remote working during the Covid-19 crisis, helping small and medium organizations in particular to adapt quickly under difficult circumstances.
This combination of early engagement, clear leadership and breaking the task into manageable pieces will be essential both to achieving the strategy's ambitions sustainably and to starting delivery quickly in order to build buy-in and trust.
This article was written by Laura Marsden, Utilities and Cyber Security Expert, and Chris Goslin, Cyber Transformation Expert, at sound advice.