Our thoughts on Cyber Security for Government
We recently attended the Think Cyber Security for Government, held by Think Digital. Here's an in-depth look at the key themes of the day.
Cyber Security has become a bigger issue in 2020 than ever before. With the rise of working from home and the need for flexibility, the private and public sectors have increased their digital transformation and use of tech such as the Cloud. This has brought about many complications and needs, including the need for strong Cyber Security.
We recently attended the Think CyberSecurity For Government Conference which brought together some leading experts to look at the various aspects of cybercrime in government, as well as how SMEs can help in minimizing the risk. Some amazing sessions and talks happened throughout the morning, including some very useful breakout sessions, that really got us thinking.
Here’s our takeaways from Think Digital Partner’s first Cyber Security event, plus a summary of our own.
2020 and beyond
It all kicked off with a keynote from Paul McKay, Senior Analyst, Security & Risk at Forrester. With CISO spend changing in 2020, total spending on Cyber Security services and tech has increased massively. The most meaningful way it’s changed this year has been through the focus on Cloud Security. This is largely due to migrating legacy IT systems to public or private clouds in the wake of COVID. It’s not a small shift, and there’s a lot more required from the cloud to allow people to work remotely and effectively without issues. We were shown that Cloud Security is the biggest spend during 2020, overtaking staffing which used to be the biggest in 2019.
Although Paul did explain that we shouldn’t expect this to be a permanent change, as he expects to see trends return to some form of normal in 2021 when restraints start to ease.
Using procurement frameworks like G-Cloud have increased the government’s use of cloud services and technology. Which we’ll see enhance the migration to the cloud for a lot of organisations and departments in the public sector. There’s no longer a huge hesitancy to move to the cloud.
Getting the right staff
Government digital services, as well as the Cyber Security that comes along with it, are developing very quickly. It’s often hard for government departments and organisations to keep up. As pointed out by Saj Huq, Director at LORCA, in the day’s first panel: when you’re already behind, making up the ground is difficult.
There are a lot of changes to policy and the whole landscape for UK gov coming up too. National security and changes after leaving the EU will mean that things have to change quickly and a big focus on security is needed.
Jessica Figueras, Founder of Hither Ventures, explains that the reason that the UK government find it difficult to keep up is that there’s clearly a shortage of people coming into the profession. Those leaving school, around the 16-19 age group, don’t take up cyber security as a career path as much as others. On top of that, the percentage of females going into the field is very low – if existent at all. The issue isn’t just about diversity though – it’s about numbers overall.
So should the government look to those who are already in workforce? Is it about making it easier for those who wish to return to the cyber security field? These are important questions to ask.
There is a lot to say about inclusivity and diversity in the workplace for those getting into the Cyber Security fields within the public sector. It could be argued that it’s seen as a discipline owned by certain types of people. The stereotype is male, white, technically minded individuals. In reality the profession is so much broader than that, with a lot of skills needed – such as a good risk focus and governance focus.
Chris Green, Head of PR and Communications EMEA at (ISC)2, seemed to agree during the panel. Contributing that 1 in 5 companies(public and private) have a shortage of cyber security staff. Where government services are becoming more utilised, this is a growing concern.
What about outsourcing?
Rob Anderson, Principal Analyst for Central Government at Global Data, opened the next panel discussion with some valuable input. His view that over the last few years, the pendulum was certainly swinging towards outsourced services. Although there’s not a huge uptake in the procurement of managed security services, he expects there to be one in the future.
Austerity cuts, Brexit and COVID has put pressure on the government. The aforemented skills gap – and an apparent pay gap – is going to force civil service to look outwards to deliver managed security services. As it’ll be tricky to find the right people in-house. This might not be done in same way as typical outsourcing, maybe more niche.
2021 is going to be difficult, there is a huge budget deficit. However Rob remains encouraged by the recent Spending Review by government. There’s money outlined to fix outdated IT – and some of this will have to be around security.
Jos Creese, Founder of Creese Consulting and Strategic Adviser here at Advice Cloud, also agreed that the market was maturing. He stated that larger departments or organisations in the public sector tend to use major partners or outsourced services. The market has moved on now though, with many local authorities building their own capacities around security models – only using specialists for particular, specific services.
The concerns are that organisations are buying a vast, array of products. Which could be expensive, hard to internally manage and not the best to manage corporate security as a whole.
The headache for local gov, health and the wider public sector is that many services are hard to manage. It’s a difficult balance for CIOs to find. Using hybrid solutions is key, according to Lisa Niekamp-Urwin, President and CEO of Technology’s Tomorrow Today.
Security is one of the key roles for IT in the public sector from 2020 and beyond. However, it needs more input than just the IT departments. It needs support from HR, business, finance, it all!
During this session, the three panellists were also asked their opinion on Artificial Intelligence as a solution for cyber security in government. It could be seen as an overused word. Traditionally, departments and organisations such as central government and the civil service are seen as less innovative. Cyber criminals are, at the moment, always going to be a step ahead. This does point toward using a more managed service approach, as they can ensure they’re more up to date. If Ai is going to be used, it has to be the most current iterations to support government services.
There was a lot to take in from this really useful session. One thing we took away though was an interesting take from Jos: The pandemic has accelerated a view on the importance of a move to a business model not just an IT model. Public sector organisations have grown up because they’ve had to. Ultimately concluding: Cyber Security cannot be outsourced. But there are many companies who can provide services and solutions to help and organisations shouldn’t be shy in looking to external companies.
Not all legacy is bad legacy
The final panel discussion was an in-depth discussion about how legacy technology forms government’s digital services. To summarise the whole thing: Legacy isn’t all bad.
It’s very doable from government departments, and the public sector, to live with legacy systems. And the phrase “systems are legacy as soon as they hit production” is a bit of a myth.
Failure to put in processes and standards for when that kit needs to be replaced is a big problem and the reason that legacy can become bad. When new staff come into the mix, they’re more likely not to have the skillset for the legacy tech in place and older staff may have moved on from their roles. There’s a ‘legacy gap’. This makes it harder to maintain, but also harder to replace.
Shortening the ‘legacy gap’ takes money and time. This year showed what can be done if people get behind it. Is Desktop dead? Needs a leader to push change and roll-outs.
Overall, it was a hugely insightful day of information and insights from top experts. There’s a lot to think about but the information from all areas, and from public sector and private sector perspectives, means that attendees are left with a lot to chew on!
So, what next? There was a lot of thoughts about what comes next in 2021 and beyond. As mentioned – and seen in the news a lot this year – Cyber Security is a big talking point and an even bigger action point for central government and the wider public sector. For suppliers, it’s about keeping their finger on the pulse, being innovative but flexible, and being at hand to support the public sector when needed. For the public sector CIOs or IT professionals out there, it’s about checking if they have the capability in-house. If they don’t have it in-house, then they’ll need to know where to look.
Collaboration is key in this case. Procurement, whether in a traditional sense or something new, needs to be easily accessible for any member of the public sector who needs to buy. As well as getting the right suppliers on board. Dynamic Purchasing Systems such as Cyber Security Services 3, or frameworks such as G-Cloud or Digital Outcomes and Specialists, provide those routes already – but are they fit for purpose? Providing managed services might fit well for some departments, but some may look for smaller, fitted services to meet requirements.
In any case, it will be interesting to see what 2021 holds, and we look forward to catching up with the Think Digital team about just that at next year’s event!