Lots of people, even my neighbours and relatives, are asking me what I think about the UK Government’s new National Cybersecurity Strategy. It certainly attracted a fair bit of publicity, which is rather surprising given the limited scale of the investment and the lack of anything remotely controversial or unusual.
Of course any investment in cyber security has to be welcomed, so we have to congratulate the chaps at the Cabinet Office for negotiating their way around the cutbacks. But let’s keep this in perspective: £650 million is not an insubstantial amount, but it’s a drop in the ocean when spread over four years and shared across several departments.
One might also have expected a little more innovation in how to spend this money. A new strategy is a terrific opportunity to drive through change or create a new paradigm. And existing approaches to security are failing, so we need fresh thinking and forward-looking solutions.
Yet it’s the same ideas that we’ve seen before: continue with the existing agenda; talk to the private sector; hold a summit; restructure a few organisations. The most innovative idea is to provide expertise to the private sector. This might help with the funding, but it’s an approach that was tried and abandoned by many big companies back in the nineties.
Strategies can be excellent vehicles for inspiring a community and focusing its efforts, but this one adopts a bit too much of a scattergun approach. Strategies don’t need such detail. I recall hearing one Chairman announce to senior management that the new strategy was that “we’re going to be bloody good at running this business”.
The real danger, however, is that this strategy is seen as having solved the problem, resulting in complacency or acting as a brake on new ideas and initiatives. A small step forward is not the answer to a problem that demands a great leap forward.