Corix Partners have recently co-sponsored the Open Forum event held in London on 1st July 2015 around the theme “Digital Public Services: Rethinking, reshaping and rewiring services”. For us, having worked all of our lives for and within the private sector, it was a discovery exercise – aimed at getting an understanding of some of the dynamics within the public sector, essentially around our niche consulting area: Security Strategy, Organisation & Governance.
From our perspective, any definition of “digital public service” was always going to have the internet as its engine – together with the vast proportion of citizens connected to it through a growing variety of devices. The internet cannot be seen as a neutral media. It is a hostile environment where countless virulent threats are active – and there can be no digital public service of any kind without strong cyber security.
However, the fact that cyber security was hardly mentioned at all by any of the speakers on the day is a concerning factor. And this certainly clashes with the message central government is driving towards the private sector.
During the event, there were only one or two questions on the topic from the audience (mixed with privacy concerns), indicating that it was on the agenda of some participants – but these were generically handled by the panel.
One comment from Mark Thompson – a senior Lecturer in Information Systems from Cambridge University – hinted that security measures may sometimes be over-engineered, however he certainly did not expand on that.
Privacy seemed to be a bit more of a controversial topic, with Eddie Copeland – from think tank Policy Exchange – making references to the “privacy lobby” and to the fact that the “right of privacy” could soon become “the right to suffer privately” for the less-privileged echelons of society.
Despite the fact that cyber security was not explicitly part of the event’s theme, the topic was raised surprisingly few times across the day considering its importance to the sector. All panel members (some mentioned above) had the opportunity or were prompted to seize the topic explicitly, but didn’t do so – and we have to ask ourselves where cyber security genuinely fits on their agenda and in their mind-set.
To a large extent, the speakers’ attitude towards cyber security matches some of our analysis, published ahead of the 1st July event in an article titled “Rethinking and rewiring InfoSec”: Technologists are trained and incentivised to deliver functionality – not controls, and Security does not blend well into that. But because of the sensitivity of what it does and its level of threats exposure, the public sector needs to look beyond that and lead the way.
Cyber security cannot be taken for granted, and shouldn’t simply be seen as another technical layer among other technical “nuts and bolts” to tick boxes mandated from above. It cannot be treated like something of extreme complexity that has to be left to the intelligence community, or seen a “necessary evil” that is at odds with functionality.
Cyber security must be at the heart of the digital agenda and must be seen as a necessary barrier against real and active threats. It needs to be actively implemented at a people, process and technology level. It also needs to be embedded in the mind-set of any organisation (public or private) for digitalisation to work. Cyber threats can and will derail the digital agenda otherwise.
At the same time, protection from cyber threats can only come from the real application of controls – at the right level across the field. A sound principle of proportionality must prevail in order for each public body to play its part at its own level and with its own resources.
A “one-size-fits-all” approach to cyber security across the public service tailored around the needs of the intelligence community would be (at best) frightfully expensive, or (at worse) impossible to deliver by many in the context of the current cuts – leaving the public exposed.
Many practical lessons can be learnt from the private sector on these matters, but the public sector – because of its high profile and exposure – must lead the way in terms of cultural transformation.
Corix Partners can supply services to public sector organisations through the Crown Commercial Service’s (CCS) G-Cloud 6 framework. Find out more about how protect public services from cyber threats by contacting Corix Partners.
Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.