How organisations can use the UK government's Cyber Report to strengthen IT
The first Government Cyber Security Strategy (GCSS) sets out a unified approach to 'protecting and promoting the UK cyberspace'.
Recognising that cyber threats are clear and growing, the Government is investing over £2 billion in cyber defences across multiple industries, retiring legacy IT systems and stepping up development on skills and coordination.
The report offers strong advice for organisations across the maturity scale on implementing a stronger approach to cybersecurity. However, some key learnings might have gone unnoticed or are hard to find in this 80-page document.
In this article, I'll highlight what I regard as some of the key stand-outs - distilling them into practical and beneficial advice for UK organisations.
Secure by design
The Government is working to ensure connected consumer devices have security built in from the offset - a term known as 'secure by design'. While it's fantastic to see the Government encouraging these practices, many businesses have significant legacy systems that present far greater cyber risks than new projects.
To adopt an effective 'secure by design' approach, organisations must have a full picture of their environment, including all assets and systems - not just the most recent ones. Virtually every large organisation has legacy systems in place, creating significant security gaps in their network environment.
Implementing more 'secure by design' may therefore require a complete overhaul of the different layers of an organisation's cybersecurity strategy. Often, organisations are relying on outdated systems and protection, particularly in a world of cloud transformation and 'work from anywhere', which puts them at increased risk of cyber threats and the quick compromise of systems in the event of a breach.
For example, when an organisation wants to move to the cloud, it may need a complete overhaul and modernisation of existing systems. Many often depend on outdated systems for day-to-day business continuity, making this change more complex and often forcing them to leave those systems in place.
To make this process easier, businesses can invest in real-time visibility of their whole IT environment, including legacy systems. This will make their digital transformation journey easier as they gain efficiency in operations, performance, and agility.
Cyber assessment framework
While the Government suggests organisations update their cyber assessment framework, many don't know where to start. Generally, it should involve reviewing an organisation's own cyber assessment practices.
This could require working with a third-party to ensure dot-to-dot type guidance is provided on exactly how to implement the advice offered in the report.
Cyber assessments should offer a comprehensive view of risk posture across the organisation and land on proactive ways to protect the business from growing cyber threats like ransomware, insider threats and the latest vulnerabilities, like Log4shell.
In this new hybrid workforce, these evaluations should cover all endpoints, regardless of where they're located - to ensure the overall risk assessment is accurate and complete. This is important, as many organisations still rely on assessment tools that only scan their on-premises network - leaving their most vulnerable remote devices out of range and creating huge risk.
Skills and resources
The report details how organisations need to become more active, automated and react to threats at speed and scale in real time. While this is imperative, more needs to be said about the importance of the skills required to do so — especially for businesses that don't fully understand this concept.
For example, the report discusses implementing AI technology to battle cyberattacks, but the industry should focus on empowering employees with intelligence augmentation (IA). This should run alongside training on how to accurately use data and insight to bolster cybersecurity defences. The effect will be to create more intelligent organisations and help close the cyber skills gap - boosting efficiency in the process.
Another challenge is the excessive proliferation of tools in the cybersecurity space. Having all 'best of breed' tools isn't effective if they're poorly deployed, understood, or managed. Segregating cybersecurity alerts into different systems ensures that threats can't be quickly correlated, mitigated, and remediated. Over-stressed and under-trained workers need to be able to react to emergent situations without having to 'swivel chair' switch between consoles.
Risk reporting
Identification, prioritisation, and mitigation of risk have become the top items on every IT leader's action list, regardless of discipline. The GCSS report leads to the conclusion that risk must be managed to create a consistent, resilient infrastructure. However, there are significant issues and complexities that companies need to address along the way.
Technology risk management is often viewed as a 'gut feeling' principle - balancing the intuition and development of the organisation. Few organisations have a viewpoint that can bring all their risk factors together to be observed and compared equally.
For example, cyber and operational risk teams often work separately, creating gaps between architects, engineers and analysts. Overcoming this problem and ensuring teams work together as a single unit is one example of how organisations can start to build their own processes in a more 'secure by design' fashion.
However, new technology creates wider risks that impact the entire business. And if overall business systems are compromised, no one can do their day-to-day job.
Organisations need to get the basic principles of risk reporting right and make sure this is seamless across the business. The overall goal for CISOs and CIOs should be to work with different teams to provide a single, live, simple risk score the board can understand and refer to.
The Government report offers a balanced view, with plenty of positive advice for organisations looking to strengthen their approach to cybersecurity and operations, highlighting how being data-driven and insight-led is critical to managing business technology in an always-on and ever-changing era.
By focusing on these key themes, businesses can boost cyber hygiene to improve protection against current cybersecurity threats, as well as setting themselves up for sustainable long-term business continuity.
Oliver Cronk is chief architect, EMEA at Tanium