Government can learn from private sector cyber security, says EY

UK government could learn from the private sector’s approach to cyber security, says EY

UK government could learn from the private sector’s approach to cyber security, says Mark Brown, UK & Ireland cyber security assurance leader, Ernst & Young (EY).

“Government does not understand the concept of ‘key data’ and still follows the legacy approach of securing all data,” he told civil servants at the Westminster Briefing Cyber Security Summit in London.

According to EY, leading private sector companies are focusing instead on the most important 5% of their data assets and rationalising security controls to reduce the burden on business.

“There is usually a huge cost benefit in doing so, rather than trying to secure everything and deliver 100% security 100% of the time,” said Brown.

This shift in strategy and focus to enable a rapid and agile response requires a cultural break, which he believes many in government have yet to make.

“There is a growing culture of security awareness in government, but there is still apathy when it comes to the importance of cyber security,” said Brown.

“Government cannot move to digital services unless this issue is addressed,” he said.

Leading private sector firms are also recognising that while security fundamentals are important, it is impossible to keep up with the pace of change in the threat landscape.

“These organisations have accepted that breaches will occur, and are consequently building cyber security resilience that is focused on supporting the business,” said Brown.

“In the event of a cyber breach, they want to be able to detect it and respond to it quickly to provide the assurance that key data assets and key business processes will not be affected,” he said.

Key to the cyber security resilience approach, said Brown, is for organisations to understand what data is sensitive and how this changes.

“For example, merger and acquisition data is highly sensitive ahead of the announcement, but once it is public, it ceases to be sensitive and no longer requires the highest level of protection,” he said.

Cyber security resilience, said Brown, should focus on optimising financial performance while minimising financial risk, and protecting organisations from emerging risks while enabling the business to deploy new ways of working.

Government also has to learn that technological controls do not provide the whole answer. “Cyber security has to be addressed in terms of business risk through good governance,” said Brown.

Like government, most private sector companies are either reactive (60%), responding only to threats they already know about, or are trying to be proactive (30%) by forecasting beyond what they know.

Only 10% of companies are truly innovative in their approach to security, according to EY.

“These leading companies take security so seriously that they have ripped up the rule book and are drawing up their own rules, which is where the government has to move to,” said Brown.

“In the past, security has been about risk avoidance, but leading firms realise that cyber security now has to be about risk management,” he said.

The private sector is increasingly turning to risk management professionals to manage security, said Brown, because they understand the business and what makes business sense.

This approach moves away from looking to “big solutions” and focuses instead on what is needed to secure business processes, and how this can be done using existing security systems.

“Again, government could learn from business by ‘sweating the assets’ to get as much as possible out of the security systems that have already been deployed,” said Brown.

Finally, he said government needs to follow the top 10% of private sector companies in becoming more proactive and innovative in its approach to cyber security.

“Government needs to look at where it wants to be and what it wants to deliver in three to five years’ time and identify what it needs to do now to create that capability,” said Brown.