This article is part of a monthly blog series from Chris Chant, who, as the former Executive Director of the G-Cloud Programme, was responsible for setting the strategy for the use of cloud computing across the public sector.
So your organisation is fully behind a user-centric, iterative approach to your digital transformation. Great.
This month I want to consider security, not because it’s the next thing you should be considering, but because my experience of public sector culture has taught me that it’s an issue that prevents true user-centric services.
At the heart of your design must be user need. Your design must start exactly there, and when you understand that need and what must be measured, only then do you consider the security need. Appropriate security is a user need, though that may not always be understood by the user or our organisations.
In the past we have often identified the highest system security level and put all systems behind the same locked doors, processes, policies and technical controls. This was too often done regardless of the impact on user needs. With customers spending unnecessary hours using services or abandoning them, and staff frustrated by slow, unresponsive and inappropriate tools, is it any wonder that ‘computerisation’ often failed to deliver promised savings or customer satisfaction?
Previously, we have handled unauthorised access, destruction and tampering by building walls, policies and processes around our data. Such an approach means trust is at the core of our defence capability. Until recently that has been our only resource and has often proved expensive, an enemy of user need and sometimes limited in effectiveness.
The aim must be for ‘appropriate’ security. We need to understand that absolute security is impossible. Many of us remember pen and paper only systems — absolute security wasn’t possible then either.
‘Working out loud’ is as important in the area of security as anywhere else. Vitally, if buyers share their validation of supplier assertions, others will be able to make use of that to avoid rework.
All public sector organisations have clear accreditation processes. Good accreditation will, if sensibly followed, provide appropriate understanding of controls and risks. Many critics of cloud computing suggest it means less security. G-Cloud has never suggested any change to the use of public sector assurance and accreditation processes. Indeed the original Pan-Government Accreditation used existing processes.
However, if we are to build user-centric, cost-effective and secure systems, the security must be appropriate. All systems will require some assurance and the senior risk owner must be aware of what you are building or buying, to help speed formal accreditation when needed.
The relationship with assurance, users and delivery folk should be collaborative. In the past this relationship has often been combative, but it shouldn’t be. There must be opportunities during the design stage to voice concerns about what information is captured, used and stored. Remember these folk too have embarked on the journey to user centricity and appropriate security. There are many opportunities for the assurance community to engage with their peers and get advice.
The more decisions we take for users in the field of security, the less sensible they will be. You can see that just about anywhere. People care more if they feel they own some of the risk. One example would be roads where all the traffic signs and road markings have been removed. The drivers slow down, the pedestrians are more careful. They own some of the risk, because some of the key decisions haven’t been made for them anymore.
It’s a logical step to put security in the hands of the business, if we want to get people involved in supporting it.
We have that opportunity. The change to the Government’s protective marking scheme means that the whole business of risk analysis needs to be revisited, and that little job is next on the agenda.
It’s a safe bet that whatever the outcome, the same principles will apply, and broadly the same process. A risk analysis will still look for combinations of threat and impact, and the protective measures will still be based on the most significant perceived risks. But the analysis will likely be more intuitive, and carried out by people closely associated with the user need, rather than someone focussing just on security.
The ball is still in play, but if you take into consideration the points below you probably won’t go far wrong:
- Today, the effect of a security incident isn’t going to come from a checklist. A good place to start when you’re asked to think about this would be to exploit the implicit business knowledge: ‘if I were attacking us, I’d definitely go for resource XYZ, it’s worth a fortune’.
- Open source information is a significantly under-used resource. There are security reports out there (such as the FireEye report) that give you a good start on who would attack you, and why. For most Government systems and services, it’s not rocket science to come up with a list of bad guys and their toys. Rather than trawling through tech sites, or waiting until the mainstream news catches up, the five-minute SANS Institute daily podcasts from the Internet Storm Centre on what’s hot in internet security are worth a listen.
- There will still be a need for some kind of external scrutiny or accreditation. When you’re drawing up your security requirements, go for effectiveness — does this document accurately convey the key things we’re worried about, or is it a document that was put together on our behalf and we don’t really understand it ourselves? Work with the accreditor, not against them.
- The world will be based on services not systems. Don’t go old school, and give a service provider a list of countermeasures. The point here is to buy commodity services. If there’s an attack you’re worried about, and the service provider doesn’t cover it, look around for a third party add-on service that does.
- Be even-handed. Security is important (ask Apple, Target, Home Depot, Sony, Kim Kardashian, whoever he is…), but it mustn’t rule the roost. If you set yourself a ‘risk appetite’, you must set yourself an ‘inconvenience appetite’ as well. So if it comes to it, you may want to take the risk on security instead of compromising on user need.
- Own it, own it, own it. There’s no better illustration of that than a quote from actress Jennifer Lawrence, who said (allegedly): ‘My iCloud keeps telling me to back it up, and I’m like, I don’t know how to back you up. Do it yourself.’ You get the point.
Things are definitely changing. Start gaining knowledge of the products and approaches out there that you can make use of. It’s well worth getting ready to take part.
Note: Rainmaker Solutions has partnered with Guardtime to bring their product to the UK Public Sector. Guardview allows organisations to identify and visualise threats and changes to important digital assets and data, such as copy and transfer, deletion, and manipulation, in real time. Integrity instrumentation gives you the ability to tag, track, and locate your assets in cyberspace, like a GPS for data.
Chris Chant works with niche consultancy Rainmaker Solutions. Previously he served in a number of roles in central government including Ex-Executive Director of the G-Cloud Programme; Interim Executive Director of Government Digital Service (GDS); and Executive Director of Direct Gov and Digital Engagement in the Cabinet Office. He was responsible for the implementation of the Martha Lane-Fox report ‘Revolution not Evolution’ and launched the Alpha version of the GOV.UK website.
This is a reproduction of an article Chris Chant contributed to the Local Digital Campaign.