
March 2022

    Taking on the challenge of public sector cyber security

  • Posted on March 8, 2022 by Daniel Lambauer

    The government recently published its new Cyber Security Strategy, specifically aimed at building a cyber resilient public sector. Resilience underpins its vision of making the UK a cyber power in a world increasingly shaped by technologies that offer many benefits but also pose risks. The strategy reiterates that government remains an attractive target for a broad range of malicious actors, with 40% of incidents in 2020-21 affecting the public sector.

    The main benefits it highlights are the protection of key UK assets and the uninterrupted continuation of vital services. The strategy also aims to develop skills and capability in cyber awareness and risk management.

    This has been a major theme in our work. We recently published our good practice guide on cyber and information security, aimed at Audit Committees, in which we set out the kind of risk and capability management for cyber security that we would expect to see in organisations.

    In order to harden government against cyber-attack and build the required resilience in the public sector by 2030, the Cyber Security Strategy has two main pillars and five objectives:

    The two pillars:

    • Pillar 1 – Build organisational cyber resilience
    • Pillar 2 – ‘Defend as one’

    The five objectives:

    • Objective 1 – Manage cyber security risk
    • Objective 2 – Protect against cyber attack
    • Objective 3 – Detect cyber security events
    • Objective 4 – Minimise the impact of cyber security incidents
    • Objective 5 – Develop the right cyber security skills, knowledge, and culture

    Each objective has a range of outcomes to be achieved in two stages: the first tranche by 2025 and the next by 2030. The government plans to invest £2.6bn in cyber and legacy IT over the Spending Review 2021 period and will devise a number of key performance indicators to measure progress.

    The strategy is ambitious and welcome given the increasing threat environment the UK government faces. To succeed, it will need to overcome a range of challenges that we have come across in our work on digital and cyber security. From our point of view, two of the key ones are:

    • The public sector will need to overcome known legacy and data issues, in a situation where IT assets are not always catalogued or risk assessed, and where data quality varies across expanding and interconnecting supplier systems that increase the likelihood of vulnerabilities.
    • Cyber risk management with effective escalation and mitigation, within and across departments, will need to be established, whilst also aligning disparate central and arm's-length bodies across government to focus on the right things, in the right way, at the right time.

    Our Cyber and information security: Good practice guide addresses these and a number of other challenges. It enables Audit Committees to ask the right questions of their organisations, helping them start to align themselves with the new Cyber Security Strategy.

    About the author

    Daniel Lambauer joined the NAO in 2009 as a performance measurement expert and helped to establish our local government value for money (performance audit) team. He is the Executive Director with responsibility for Strategy and Resources. As part of his portfolio, he oversees our international work at executive and Board level and has represented the NAO internationally at a range of international congresses. He is also the NAO’s Chief Information Officer and Senior Information Responsible Owner (SIRO). Before joining the NAO, Daniel worked in a range of sectors in several countries, including academia, management consultancy and the civil service.


    Step back and see the full picture: lessons learned in risk management

  • Posted on March 1, 2022 by Russell Heppleston

    Confessions of a risk manager

    A few years ago, I decided to renovate my bathroom. It wasn't a small feat: it required all new electrics, plumbing, a new boiler, the works. I was reliant on contracted experts to get the results I wanted. I decided to handle the project management myself; I was confident, I'm a risk manager after all! Once the project was underway, little things began to go wrong: delays, disruptions and scheduling conflicts cascaded, and I found myself in the middle, firefighting. I could manage some of the problems myself, but most of the uncertainty was coming from the people and expertise outside of my direct control. I've made a resolution this year to start the next renovation project, and I know that to succeed I will need to learn the lessons from the past.

    Enterprise thinking

    Uncertainty is at the heart of risk management, and without a doubt we have been living in very uncertain times over the last two years. The impact of the pandemic has been felt across all sectors and has redefined the risk landscape. Here at the NAO, the increased level of uncertainty has influenced our programme of value for money and insight work. It sharpened our focus on the arrangements in place for government to identify, evaluate and respond to risks. In our latest preparedness report, The government's preparedness for the COVID-19 pandemic: lessons for government on risk management, we found that the pandemic has exposed vulnerabilities in government's approach to managing whole-system risks, and that lessons that would have helped prepare for a pandemic like COVID-19 were not fully implemented.

    Enterprise thinking in risk management allows us to integrate the practice of risk management across the whole system, from strategic decision making through to execution and delivery. However, looking only at uncertainties inside the organisation won't give us the full picture of what is happening outside it and across other organisations. We need to step outside and look out into the extended enterprise. If we think of an organisation as a castle, the extended enterprise is anything outside the castle walls. To go back to my project, I was on the inside and close to the project; I wanted the project to succeed, clouded by optimism and missing the full picture. I'd forgotten to account for what might be happening outside my "castle walls" and how uncertainty would affect what I was trying to achieve.

    I am of course not alone in having optimism bias. Being close to the detail is not a bad thing; in fact it's often vital. But when we're on the inside it's much harder to cast our view out to the horizon and see the uncertainties just out of focus. We need to see the whole system in order to anticipate, coordinate and prepare for what might happen, even if we're really hoping it won't.

    Connecting the dots

    By taking an enterprise approach to identifying, evaluating and responding to risks, we get a better understanding of the full picture. We can see the interdependencies and connections between the various risks to the delivery of objectives. The NAO's reports NHS backlogs and waiting times in England and Reducing the backlogs in criminal courts are both clear examples where identifying the complex interdependencies and taking a whole-system approach will be needed to tackle the problem and improve outcomes. One instance is understanding the inherent risk of harm to patients as a result of longer waiting times, and the cascading impact this could have on local partnerships, community support and organisations outside the NHS.

    Applying this thinking to the extended enterprise of government will also be necessary to tackle some of the most complex risks of today and of the future. In our report Achieving net zero we concluded that the all-encompassing nature of net zero means that all government bodies, including departments, arm's-length bodies and executive agencies, have a role to play. This is perhaps the clearest example of the importance of whole-system thinking and enterprise-wide risk management.

    Opportunities

    We mustn't forget that uncertainty can generate both threats and opportunities. We're often taught to see risks only as threats. However, those threats can also present us with opportunities to improve, provided we have the desire, agility and resilience to respond and act. I've already started planning for my next project, and I know that by applying the lessons learned from last time I can increase my chances of success.

    As we continue to recover from what we hope is the worst of the pandemic, it's important to look at the full picture, identify the lessons and apply improvements where we can. Our lessons learned programme of work at the NAO has highlighted opportunities to strengthen government's approach to risk management, to ensure that it includes a clearer view of whole-system risks. Applying this learning will require collaboration not only within and across government but also across sectors and the entire extended enterprise. The challenge question is: who is providing the enterprise view of risks across the whole of government, and what other lessons are there to be learned?

    You can read more about our findings and insights, including the specific reports and topics explored in this blog, on our website.

    Please feel free to comment and share your thoughts, your views are very welcome.  

    About the author

    Russell Heppleston

    Russell Heppleston is a Risk Manager for the Financial and Risk Management hub at the NAO. He joined the NAO in 2021 as an experienced risk manager with over 15 years' experience working in local government, specialising in internal assurance, risk and governance. He is a Chartered Internal Audit Leader (QIAL) and Certified Risk Manager (CMIRM).
