Left column

Middlecolumn

The government recently published its new Cyber Security Strategy specifically aimed at building a cyber resilient public sector. Resilience is key in underpinning its vision to make the UK a cyber power in a world increasingly shaped by technologies that offer many benefits but also pose risks. The strategy reiterates that government remains an attractive […]

Article

Taking on the challenge of public sector cyber security

Posted on March 8, 2022 by

The government recently published its new Cyber Security Strategy specifically aimed at building a cyber resilient public sector. Resilience is key in underpinning its vision to make the UK a cyber power in a world increasingly shaped by technologies that offer many benefits but also pose risks. The strategy reiterates that government remains an attractive target for a broad range of malicious actors with 40% of incidents 2020-21 affecting the public sector. 

The main benefits highlighted are the need to protect key UK assets and the uninterrupted continuation of vital services. The strategy also aims to enable the development of skills and capability in cyber awareness and risk management.   

This has been a major theme in our work, we recently published our good practice guide, aimed at Audit Committees, on cyber and information security where we set out the type of risk and capability management in relation to cyber security we would expect to see in organisations. 

In order to harden government to cyber-attack and build the required resilience in the public sector by 2030, the Cyber Security strategy has two main pillars and five objectives:  

Pillar 1Build organisational cyber resilience Pillar 2 – ‘Defend as one’
Objective 1

Manage cyber security risk
Objective 2

Protect against cyber attack
Objective 3

Detect cyber security events
Objective 4

Minimise the impact of cyber security incidents
Objective 5 – Develop the right cyber security skills, knowledge, and culture

Each objective has a range of outcomes to be achieved in two stages, the first tranche by 2025, and the next by 2030. The government plans to invest £2.6 bn in cyber and legacy IT over the spending review 2021 period and will devise a number of key performance indicators to measure progress. 

The strategy is ambitious and welcomed given the increasing threat environment the UK government is facing. In order to succeed, it will need to overcome a range of challenges that we have come across in our work on digital and cyber security. From our point of view, two of the key ones are: 

  • The public sector will need to overcome known legacy and data issues in a situation where IT assets are not always catalogued or risk assessed; and where data quality varies with expanding and interconnecting supplier systems that increase the likelihood of vulnerabilities. 
  • Cyber risk management with effective escalation and mitigation, in and across departments, will need to be established – whilst also aligning disparate central and arms-length bodies across government to focus on the right things, in the right way at the right time. 

Our Cyber and information security: Good practice guide addresses these and a number of other challenges. It enables Audit Committees to ask the right questions of organisations to help them start aligning themselves to the new Cyber Security Strategy.  

About the author

Daniel Lambauer joined the NAO in 2009 as a performance measurement expert and helped to establish our local government value for money (performance audit) team. He is the Executive Director with responsibility for Strategy and Resources. As part of his portfolio, he oversees our international work at executive and Board level and has represented the NAO internationally at a range of international congresses. He is also the NAO’s Chief Information Officer and Senior Information Responsible Owner (SIRO). Before joining the NAO, Daniel worked in a range of sectors in several countries, including academia, management consultancy and the civil service.


Share this article on social media:


Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Right column

  • About the NAO blog

    Our experts share their views about issues and common challenges facing government, what public sector leaders should look out for and how organisations have addressed issues. Our posts draw together threads from across our reports, share secrets spilled in events and reveal our experts’ expectations for the future.

    We encourage comments that support the exchange of ideas for improvement, but ask that those posting are respectful of others.

  • Sign up for automatic feeds

    Sign up to receive email alerts:




    RSS IconSubscribe in an RSS Reader