January saw the UK government publish yet another cyber security strategy, the Government cyber security strategy 2022, not to be confused with the National cyber strategy 2022, published only a month earlier.
This new strategy is focused on ensuring the government’s critical functions are hardened to cyber attack by 2025, with all public sector organisations becoming more resilient to cyber threats by 2030. This clear aim is welcome, but is it realistic or achievable?
The timelines set out in the strategy are incredibly tight. Government departments have many competing demands on them, budgets are under pressure, and cyber security is not at the top of the priority list for many of them. Implementing the strategy by 2025 will be difficult.
The strategy has two pillars: build a strong foundation of organisational cyber security resilience, underpinned by the adoption of the NCSC Cyber Assessment Framework (CAF); and “defend as one”, which will be enabled by the establishment of a Government Cyber Coordination Centre (GCCC). These pillars link to the National Cyber Strategy’s key message of alignment and integration across government.
In addition, these pillars are supported by five objectives:
- Manage cyber security risk;
- Protect against cyber attack;
- Detect cyber security events;
- Minimise the impact of cyber security incidents;
- Develop the right cyber security skills, knowledge and culture.
All these are sensible and provide an easy-to-understand approach to build a transformation programme around. However, experience suggests these objectives are difficult, costly and time-consuming to achieve, especially in operations-focused government departments.
Integration will be key
Success will be determined by the levels of integration achieved across government and the regions, with industry partners and specialist organisations, and maybe even with our international allies.
The strategy enables cross-government integration through the creation of the GCCC and the use of the CAF. It will also be important to integrate with all the people required to deliver this strategy – it is not just about cyber security specialists. Human resources, commercial, and technology…