This is a guest blog by Graeme Stewart, director of public sector strategy and relations at McAfee.
Earlier this year, the Department for Business and Innovation (BIS) launched Cyber Essentials, to accredit businesses which meet certain minimum cyber security requirements. The programme makes good sense, but the way it was developed is typical of the government’s ad hoc and uncoordinated approach to cyber skills.
Cyber Essentials, as a BIS initiative, is aimed at helping businesses. But the obvious advantage of a government-led scheme is that it can require its own suppliers to meet those standards – guaranteeing uptake and improving government security. So why was this not a whole government initiative?
This kind of approach is replicated everywhere. The Department for Education has promoted cyber skills for children through e-skills’ Secure Futures schools campaign. The Home Office also recently launched a £4m information security awareness campaign about the rising threat of hacking. The Cabinet Office’s Cyber Security Challenge is working to get people interested in cyber security careers.
Whilst these programmes are welcome and admirable, the government has fallen into its usual trap of creating multiple programmes in silos, duplicating resources and using its time and money poorly. Moreover, the government is missing a trick. Many cyber security companies have resources they’d love to share with government, schools and industry. The lack of coordination means this is largely overlooked.
Rather than doling out small amounts of money to each department, government should promote collaboration between departments on cyber security.
Fans of the status quo may argue this would result in a ‘one-size-fits-all’ approach. That’s not true – different departments would still have the right to tailor programmes. But much of the underlying information is the same.
Most departments have similar basic security requirements, so why not work together on a Cyber Essentials-style scheme for all government suppliers? This could then have various add-ons for different departments’ requirements.
And the DfE should lead on school level cyber security education, but it should run one programme for schools which coordinates the various resources available from different departments and companies.
Developing such a programme could invite cyber security companies of all sizes to offer their services and resources.
Someone needs to get representatives from different departments providing cyber skills programmes, and all the vendors, in a room together and join the dots.
The government has a duty to provide public sector organisations, business, and society at large with comprehensive cyber skills programmes. But it also has a duty to spend taxpayers’ money efficiently.
A unified scheme is within the reach of the government if someone would be willing to take the reins. Aside from saving time and money, it will promote the idea that cyber security should be at the core of every organisation, not an add-on. Imagine a major company gave its marketing, finance, legal and HR departments separate cyber security budgets. It would make no sense, yet this is what government is doing on a much larger scale.
Cyber security companies have evangelised that organisations need security by default. But only the government has the power and resources to implement national programmes, and it can only do that through a coordinated approach. It is time for the government to stand up and lead by example.