This article is part of a monthly blog series from Chris Chant, who was responsible for setting the strategy for the use of cloud computing across the public sector.
The new Government security policy framework and guidance is out now, as are some early surveys. The numbers are astonishing. In the US, for example, there are around 70 million cyber-attacks on the Department of Defense per week, or roughly 115 per second.
Cyber-attacks on the US federal government increased 782% between 2006 and 2012 and, critically, 66% of security breaches go undetected for months. Building walls is clearly not effective.
While we have security systems based only on trust, with little ability to truly track the ‘who’ and ‘where’ of the data journey, we are left with handling risk in conventional ways. The movement to Cloud, the Snowden affair, constant worry about data location and the explosion of innovative SMEs in the market mean things won’t remain the same for long.
Open, visible competition is vital for the healthy propagation of G-Cloud and right now, even after Memset’s recent press release announcing IL3 accreditation, there aren’t nearly enough accredited services. Anything we can do to improve that situation is a welcome change.
There has always been a need for individual organisational IT security risk assessment. It has to happen. Even if the application were identical and identically hosted, the data at least will be different and therefore the risk needs reassessing.
There was never going to be a simple tick-box assessment. It was never envisaged in that way in the development of G-Cloud. There was never any intention to lower security standards. CESG are looking to drive judgement-based security, but we must have collaborative working to avoid wasted effort; the reuse component of the guidance is key.
What we must do, and the GDS user-centric approach will eventually ensure this, is ruthlessly eliminate duplication and nugatory work for the user, supplier and buyer. I believe the updated guidance takes nothing away from the original G-Cloud vision. Such an approach will leave us with security that is appropriate for the service in question and services that are usable for all at an appropriate cost.
The key to success for now, as in so many areas of public sector transformation, is working out loud — and I love the level of engagement, debate and openness surrounding public sector IT today — sharing experience and engaging with suppliers and buyers across the public sector landscape.
Only this will ensure we get the right service at the right cost for our users.
Chris Chant works with niche consultancy Rainmaker Solutions. Previously he served in a number of roles in central government, including Executive Director of the G-Cloud Programme; Interim Executive Director of Government Digital Service (GDS); and Executive Director of Directgov and Digital Engagement in the Cabinet Office. He was responsible for the implementation of the Martha Lane Fox report ‘Revolution not Evolution’ and launched the Alpha version of the GOV.UK website.