This week I joined an expert panel (as a last-minute replacement) at a CNI Expo conference at London Excel on the subject of security and resilience for the public and private sectors.
The conference had an excellent format, with top security experts and government officials debating key issues on national security risks, rather than simply delivering long-winded presentations. It was reasonably well attended, though I was surprised that there were not more attendees from government security departments, who have a big stake in the issues discussed. With a new government in power, this is certainly the time to challenge or influence public policy.
I tried my best to be controversial. That’s not difficult. Public sector information security is laden with legacy thinking and practices. Bureaucratic controls frameworks continue to tick the boxes for the policymakers, but they fail to connect with end users, small businesses and citizens. I’ve long argued that we need a revolution in priorities, skills and methods. Government is a good place to start.
Interestingly, some security authorities often take the view that their standards are higher than those of the private sector. That might be true, but expectations don’t always translate into practice. Closing the loop is the weak link in public sector security.
Priorities are also an issue. The role of risk management was a key item on the conference agenda. It’s increasingly used to shape the national security agenda and determine priorities. There are dangers here, as less visible threats can slip through the net. High-level heat maps look professional at first glance, but they are over-simplistic snapshots of the threat landscape, failing to capture the richness and volatility of the growing range of emerging hazards.
Security priorities are too often driven by knee-jerk responses to major incidents rather than smart analysis of the factors that might help to prevent them in the first place. Understandably, there’s too much focus on known problems rather than future ones. I tend to share the view of the expert from Chatham House, who argued for more attention to less visible future threats, such as a shortage of energy.
I’d go further and suggest that future cyber security risks are more likely to be based on modification and manipulation of data, rather than espionage or denial of service. That’s something very low on our agenda. I’d also argue for more focus on safeguarding flows of information, including transactions and relationships, rather than static stocks of historical data.
Of course it’s easy for outsiders like me to be critical. It’s hard to innovate when you’re at the centre of public policy, constrained by politics, media coverage and a serious lack of resources. But this is the time to be creative, forward-looking and bold. National security needs a boost and a change. So let’s start with a heated debate.