Discover how transparency in the UK's public sector is reshaping cybersecurity strategy and improving risk management for a safer digital future.
Earlier this year, the government launched its ( Government Cyber Security Strategy PDF ) 8-year Cyber Security strategy, and a crucial part of it was adopting a data lead decision approach to enable a UK broad understanding of Cyber Risk within the UK Government. This critical policy document has often had an impact on the other arms of the UK public sector, this time in the Health and Social Care Cyber Security strategy, which recently laid out a similar approach for the Health Care sector, including the adoption of the NCSC Cyber Assessment Framework away from the existing DSPT Toolkit. The policy calls out the value and importance of establishing a measurable approach to cybersecurity that produces valuable insights into the health (if you excuse the pun) of the Cyber capabilities across the sector.
With the relatively recent restriction consolidation of the health and social care sector towards 42 ICSs in England, these local partnerships bring health and care organisations together to develop shared plans and joined-up services. NHS organisations form them with upper-tier local councils in that area, including the voluntary sector, social care providers and other partners in improving local health and wellbeing. As our critical public services become increasingly interdependent, cybersecurity risk must be understood by everyone involved as we become one large supply chain whereby impacts in any area could have a cascading and amplified impact across the wider chain, leading to these organisations needing to understand an aggregated view of cybersecurity risk across these organisations.
So, is it all doom and gloom? Not with the adoption of an open data approach, something that the UK government has done with success with other initiatives, can create a culture of improvement and measurement that can drive meaningful improvement across the sector, aligning to a shared set of expectations that are continuously measured against, bringing Cyber Security in line with many other parts of the UK public sector where lessons have been learnt around the sharing of data to improve outcomes in patient safety, such as the National Reporting and Learning service, which enables better analysis of the issues and incidents to help organisations to learn from things that went wrong to better improve in the future.
Adopting a transparent approach to Cyber Risk sharing will have some challenges we must overcome to succeed. Establishing the mechanisms to enable the sharing of this data from a complex organisational structure that acts as a single organism but as fundamentally centralised will be critical.
Ensuring this shift is manageable for already stretched resources within these organisations, we can be something other than an Excel-based approach, which consumes this limited time away from making improvements to providing data and reporting.
The proper measures need to be selected to be measured, and understanding which Key Performance and Risk Indicators have a material impact on cybersecurity risk will be critical. If the proper measures are chosen, there is a risk that the good intentions will lead to better outcomes or misplaced effort.
The Government Strategy sets out a bold vision to enable a data-based approach to measuring cybersecurity risk across a connected ecosystem. If delivered appropriately, this can allow previously unachievable levels of visibility and empower investment to tackle some of the most significant challenges.
We must adopt a radical, transparent approach to cyber security risk to create cyber success in such a hyper-connected environment. Real-world data, not subjective analysis, must back that transparency and be fair and more real-time than an annual audit. Only with measurement can we make meaningful improvements and, more importantly, invest in a service that almost all of us will rely on at some point in our lives.