January 2022 marked an important change in His Majesty’s Government’s (HMG) approach to Cyber Risk, with the publication of a new government-wide cyber strategy. Just over a year on from this, Deloitte’s Government and Public Services Cyber practice reflect on the impact of the strategy, as well as the opportunities and challenges it poses for our clients.
The Government Cyber Security Strategy 2022-2030 is a companion to the National Cyber Security Strategy 2022. There is a lot to unpack in the strategy, but there were four areas that stood out for us:
Although there have been previous attempts to set standards for cybersecurity across departments, there was still ambiguity as to the level of cyber capability needed across government and much was left to the discretion of local leadership and risk owners. The new cyber strategy sets bolder and what appear to be non-negotiable targets. We predict some departments and public bodies may have significant work to do if they are to achieve the 2025 and 2030 targets.
“Critical functions to be significantly hardened to cyber attack by 2025, with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030.”
The strategy points towards new centrally-provided resources to support departments in raising their cyber capability. Examples given in the strategy include: development of a Cyber Assessment Framework (CAF) aligned central policy framework, a shared supplier security risk management approach for critical supplies, and the establishment of a Government Cyber Coordination Centre (GCCC).
Security capability is often realised through the three pillars of People, Processes, and Technology. A shortage of people with Cyber Security skills is evidently one of the most significant challenges for the UK Public Sector when improving Cyber Security. There continues to be a global shortage of individuals with cyber skills, and for those with skills, the private sector can be competitive for attracting talent. The strategy addresses this point through an attempt to better define cyber skills, the introduction of a new cyber careers pathway and a range of related skills/talent initiatives - similar to those seen in the Digital Data & Technology (DDaT) employment scheme.
The Strategy establishes the CAF as the cyber assurance framework for government. This will likely significantly increase the CAF’s usage both within government and public services, with a corresponding requirement on suppliers to government to align their own offerings and capabilities to CAF. The new cyber assurance scheme is called GovAssure, and it establishes an annual regimen of assurance by accredited independent reviewers to verify departments’ posture against CAF. GovAssure is currently set to launch in April 2023.
Throughout the CAF, reference is regularly made to protecting an organisation’s “essential function”. This means that, to be audited against CAF, departments will need a thorough understanding of what their “essential function” is. This leads to a further requirement to understand services that make up the essential function, and the systems and applications that underpin them. Given the increasing breadth and complexity of the digital landscape across government, compounded by reliance on legacy systems and networks, understanding these assets will be a challenge for many departments.
To meet this challenge, and whilst defining critical systems is mandated by the Cyber Strategy, understanding the criticality of departmental assets delivers more than compliance with the strategy. Further beneficial outputs of a criticality assessment include:
Securing a Moving Target: In many areas, governmental functions and systems are dynamic and evolving, driven by continued digital transformation. As such, it may be challenging for organisations to have a current view of which services, processes, systems, and underlying technologies are critical, and what the interdependencies between essential functions are. Without this view, appropriate prioritisation of controls and security resources is impossible.
The Capacity Shortage: As departments will have to be significantly hardened against cyber attacks by 2025, a skilled and available security workforce is key. Even in organisations that have the skills to conduct this work, those staff are already at capacity with Business As Usual activities, so completing a criticality assessment will require either a reprioritisation of workloads or a surge in capacity.
Hidden Critical Systems: As well as critical systems hidden within the organisation, further challenges arise when critical functions, systems, and infrastructure are shared with or outsourced to a third party. There are three common risks associated with this:
I. These systems, their criticality, and their vulnerabilities, can sometimes be poorly understood by the department due to not being managed as an internal asset. They are, to an extent, “hidden systems”.
II. The department can wrongly assume that the third party has strong security controls in place, and that their capabilities meet the required standard. Many organisations apply differing assessments of risk, which results in variations in controls. While useful as baseline indicators, security certifications do not necessarily guarantee maturity as defined through CAF.
III. Confusion over which of the department and the third party is responsible for managing the security of shared systems. For example, the approach to securing the configuration of cloud solutions, often based on a shared responsibility model, differs by provider and solution.
Familiarity Bias: It may be a challenge for departments to assess the criticality of their own systems without applying familiarity bias. Departments may weight certain elements of the Confidentiality, Integrity & Availability (CIA) triad more heavily based on their industry. This may result in an incomplete view of the risks posed to critical functions if they focus on one element of the triad.
Deloitte have established an approach to help organisations better understand their Minimum Viable Company (MVC), and what within their organisation is truly ‘critical’ to business operations. This helps to combat some of the challenges presented above, whilst also acting as an important first step in enabling the identification, protection and recovery of these systems, applications, and processes.
When defining an MVC, our first step is to ask our clients the most basic questions: What are your core functions? What elements are needed to maintain business operations? What, or who, can’t you operate without?
Our approach is made up of some further key activities:
Having delivered MVC and criticality assessment work for a number of organisations across the public and private sectors, we have learnt the importance of:
1. Extracting plain English impact statements, to describe the importance of systems on essential functions. This clears up misconceptions and assumptions about what a system does and combats the natural bias among stakeholders, who assume systems they own are the most critical. Stakeholders can then have jargon-lite discussions comparing the impact of various systems.
2. Consulting a wide range of stakeholders, including both system administrators and users, to understand the real-world impact of systems on essential functions. System owners may not have a true understanding of what systems do or why they are critical to business operations, remembering that different users have different needs when it comes to systems. Consulting widely reduces the risk of deprioritising a system or applying bias.
3. Conducting thorough discovery work prior to stakeholder interviews, to review existing documentation on systems and processes. It is likely that certain areas within the organisation already understand their critical systems and have controls in place to protect these.
Useful documentation to review as part of the discovery work may include:
4. Making sure stakeholders are working from the same purpose and mission statement for the organisation. Some departments and organisations have broad remits, and it is important to have a clear baseline understanding of what the purpose and priorities of the organisation are. Without this, there is a significant risk of stakeholders failing to reach agreement because they are working towards different sets of priorities.
5. Keeping the focus of interview discussions on maximising value. One of the key benefits of a criticality assessment is being able to make sure that investment of finite resources is targeted at the most critical systems, where it will ultimately have the greatest impact on the organisation’s essential functions. This helps maintain stakeholder engagement and commitment to the process and its outputs.
The Government Cyber Security Strategy 2022-2030 is a notable step forward in synchronising and accelerating efforts to mature cyber security across critical government and public service organisations. Departmental CISOs have an opportunity to harness the strategy as a ‘call to arms’.
As with almost every cyber framework, however, the core of achieving these strategic outcomes rests on first understanding what it is that we most need to protect. Perhaps now is the time to make that investment in order that we can then move to secure the services on which we all so heavily depend.
For more information on Deloitte’s approach, find us at CyberUK23 in Belfast or contact Rob Bridge (rebridge@deloitte.co.uk) or Alistair Grange (agrange@deloitte.co.uk).