Government agencies and public service bodies are becoming primarily digital organisations. They are almost entirely dependent on the use of information and technology to support and deliver their day-to-day operations. This means that information security and cyber risk management are of paramount importance. But, how do you balance the needs for openness and innovation, with the requirements for control and minimising risk?
The latest meeting of the Digital Government Security Forum looked at the topic of ‘Making Security Fit the Realities of the Modern World’. The aim of this forum event was to take a forward look at how public sector and technology are changing, and to consider the security implications. It looked at how public service bodies can satisfy the business pressures for innovation and flexibility without compromising security; how they need to take a holistic view that incorporates business objectives, resource constraints, digital opportunities and risk management.
Bletchley Park, home of the World War II code breakers, was a fitting setting for these discussions and the event included a tour of the site and exhibitions, together with a demonstration of an Enigma machine.
The event, which was under Chatham House Rule, looked at the issues from three different perspectives. The director of ICT of a large county council started by asking: ‘why change – what’s the problem?’. He highlighted the conflicts between the Government’s transparency agenda and security requirements, including some of the requirements for connecting to the public service network (PSN) and difficulties in implementing the new Government Security Classification Policy. He also stressed the changing shape of public service organisations. To illustrate this he commented that his council now employs about 8,000 people, whereas a few years ago this number would have been over 50,000.
The second perspective came from the Chief Risk Officer of a global insurance company. He explained that the company currently spends about 30 per cent of its IT budget on security, but emphasised that success in this area was about much more than expensive technology; it required complete buy-in from staff.
He reminded attendees that the Enigma programme used people-based communications to identify and break the Enigma codes. For example, a common code setting was Hitler’s birthday and encrypted messages routinely ended with “HH”, for “Heil Hitler”, which was very helpful to the code breakers.
The Chief Risk Officer explained how, in most organisations, at least 60 per cent of security breaches happen as a result of people issues, and how he had introduced a culture change programme across his company. He stressed the need for a shared understanding across the organisation and a common language. He also indicated the scale of the challenge. His company receives around 10 million emails each day that are affected with malware, but of these fewer than 15 get through and require further action.
The third view was provided by a representative from Intel Security. He gave DGSF members a sneak preview of a major report to be published in October, talking through the political, economic, social and technology trends that will likely shape government agencies of the future. The report considers the security implications of an increasingly digital public sector.
The representative explained that people now use their phones to do digitally many of the things that they used to do physically, for example banking and getting news updates. As one doesn’t know what new technologies will be coming over the hill, he continued, organisations have to adopt a holistic approach that is capable of dealing with current threats and adapting to changing circumstances.
In a wide ranging discussion looking at the security issues and implications, forum members concluded that a major concern going forward will be identification and authentication. There were also concerns about implementing BYOD and problems with the new government security classification scheme.
The aim of the Digital Government Security Forum (DGFS) is to bring together senior individuals from across government and the wider public sector to share practical guidance on managing and mitigating information and cyber security risks. Many public sector organisations have found its white paper style report entitled ‘Operating Securely in the Digital World’ to be useful in understanding and raising awareness of cyber issues.
Click here for more information on the Digital Government Security Forum.