Taking a strategic approach to digital security in the public sector

Get buy-in from senior business leaders and move from legacy purchasing models towards more agile security purchasing structures, says Paul Heath of McAfee

Digital security is a fast-moving space, with hundreds of new and established security tech players in the market, many claiming they offer unique solutions to help public organisations meet their cybersecurity challenges.

Every single new component of IT infrastructure and each new digital process that's introduced into an organisation involves new security risks - from tools that ensure secure app development, to those that help network admins spot malicious activity or provide updates on the latest threat intelligence and malware strains, through to solutions that keep your cloud data secure.

Yet even if you are using the best of what the current market has to offer in terms of security solutions, many large organisations in the public sector are still finding that they are more and more vulnerable to attack.

And if you are responsible for securing your own organisation against this increasingly complex and diverse threat landscape, then it's essential that you have a clear cybersecurity strategy, otherwise it's far too easy to get lost amongst the multitude of ‘solutions' on offer.

A key problem here - and this is particularly the case for public sector organisations - is the tendency for IT departments to purchase specific cybersecurity technology solutions piece-by-piece, bolting elements on to existing defences as and when a need arises, which opens you to the risk of leaving gaps that can be exploited by hackers.

Technology itself is not the solution

This is why more public sector IT buyers are realising that technology itself is not the answer, particularly due to the excessive time and effort that is required to manage numerous different solutions.

Getting senior leadership sponsorship and ‘buy-in' to a long-term strategic digital security plan is about delivering the business outcomes that your organisation needs, not responding tactically to every single new cyber threat out there.

Somewhat ironically, it is often the fact that budgets are particularly tight in the public sector that makes it more of a challenge for IT leaders to put in place the long-term strategic cybersecurity initiatives that are needed.

Not only this, the fact that the UK is experiencing a major cybersecurity skills shortage means that staff with cybersecurity skills are at a premium - and it doesn't make sense to have them spending all of their time managing a complex suite of disparate cybersecurity apps.

Instead, your in-house cybersecurity talent needs to focus on strategy and not get bogged-down in day-to-day firefighting. The need for knowledgeable and skilled digital security staff to help public organisations safely and securely navigate 'digital transformation' cannot be overstated.

Many NHS trusts or local and central government departments, for example, are investing a considerable amount of money, time and effort in moving workforces to cloud services such as Office 365, Microsoft Azure and Amazon Web Services. Yet in many cases organisations are still lacking a comprehensive security strategy that takes into account the privacy and security risks of moving to the cloud.

How to take a strategic approach to security

So what does it mean in practice to 'take a strategic approach' to IT purchasing?

Essentially, you need to have a senior board-level business leader to review your existing IT security processes and to sponsor a more strategic approach to cybersecurity.

A key aspect of this is to educate the board about the necessary investments that need to be made in new solutions, new skills and in properly planning and implementing organisation-wide technology and culture changes to ensure you have the best defences and security practices in place for today's evolving cyber threat landscape.

While many business leaders don't feel qualified to make changes to cybersecurity processes, the National Cyber Security Centre (NCSC) provides information on key threats, as well as practical guidance on delivering a more strategic approach to cybersecurity, that takes from the key learnings of NCSC partners, including McAfee.

Digital security is a long-term game, which means investments should not be about short-term fixes and cost-effective solutions. There is no silver bullet that is going to mitigate the numerous threats that are out there, so IT departments are having to constantly update their defences and be able to remain flexible, aware and vigilant.

That's why it's essential to get buy-in from senior business leaders to ensure that your organisation shifts from those types of legacy purchasing models towards more agile, effective and strategic purchasing structures.

Otherwise, you're risking the private, personal and sensitive data of your staff, your customers, your clients and your organisation at large. Which is clearly not an option.

Paul Heath is regional director UK&I public sector at McAfee