Cyber security cannot be taken for granted, and shouldn’t simply be seen as another technical layer among other technical “nuts and bolts”
In July 2015, Corix Partners co-sponsored an Open Forum event in London around the theme “Digital Public Services: Rethinking, reshaping and rewiring services”. For us, having worked all of our lives for and within the private sector, it was a discovery exercise – aimed at getting an understanding of some of the dynamics within the public sector, essentially around our niche consulting area which is focused on Cyber Security Strategy, Organisation & Governance.
From our perspective, any definition of “digital public service” was always going to have the internet as its engine – together with the vast proportion of citizens connected to it through a growing variety of devices. The internet cannot be seen as a neutral medium. It is a hostile environment where countless virulent threats are active – and there can be no digital public service of any kind without strong cyber security. So we were expecting cyber security to have a degree of prominence in the debates.
The fact that cyber security was hardly mentioned at all by any of the speakers on the day was a very concerning factor for us. This totally conflicts with the message central government is driving towards the private sector.
During the event, there were only one or two questions on the topic from the audience (mixed with privacy concerns), indicating that it was on the agenda of some participants – but these were generically handled by the panel.
One comment from Mark Thompson – a senior Lecturer in Information Systems from Cambridge University – hinted that security measures may sometimes be over-engineered; however, he did not expand on this.
Privacy seemed to be a bit more of a controversial topic, with Eddie Copeland – from think tank Policy Exchange – making references to the “privacy lobby” and to the fact that the “right of privacy” could soon become “the right to suffer privately” for the less-privileged echelons of society.
Cyber security was not explicitly part of the event’s theme; even so, the topic was raised surprisingly few times across the day considering its importance to the sector. All panel members (some mentioned above) had the opportunity or were prompted to seize the topic explicitly, but didn’t do so – and we were left asking ourselves where cyber security genuinely fits on their agenda and in their mind-set.
Since then, we have observed similar attitudes very often, online, on social media and elsewhere. As an example, the SOCITM annual conference “Revolution to Reform” held in October 2015 did not have any session dedicated directly to cyber security across the 2 days.
This, in our opinion, is totally unacceptable, but to a large extent, it also matches some of the analysis published on our blog ahead of the 1st July event in an article titled “Rethinking and rewiring InfoSec”: Technologists are trained and incentivised to deliver functionality above controls. Security does not blend well into that and is often deprioritised. But because of the sensitivity of what it does and its level of threat exposure, the public sector needs to look beyond that and lead the way.
Cyber security cannot be taken for granted, and shouldn’t simply be seen as another technical layer among other technical “nuts and bolts” to tick boxes mandated from above. It cannot be treated like something of extreme complexity that has to be left to the intelligence community, or seen as a “necessary evil” that is at odds with functionality.
Cyber security must be at the heart of the Government digital agenda and must be seen as a necessary barrier against real and active threats. It needs to be actively implemented at people, process and technology levels. It also needs to be embedded in the mind-set of any organisation (public or private) for digitalisation to work.
Otherwise, cyber threats can and will derail the digital agenda. The citizens’ trust in digital public services would be badly damaged by the type of aggressive media coverage that surrounded the TalkTalk data breach in October 2015, and this may be irrecoverable.
Change in that space is highly vulnerable to ambiguity: Government ministers and their representatives must place cyber security at the heart of each and every public communication they make around digital transformation. It is only at this price that the digital transformation will be successful at the pace the Government is setting.
JC Gaillard
Managing Director
Corix Partners
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and other C-level executives in resolving Cyber Security Strategy, Organisation & Governance challenges.