
Government is quietly asking suppliers to pick up the tab for cyber security

The government's new approach to working with cyber security suppliers is bringing a shift in responsibility and risk to the private sector

Theresa May’s government has a habit of doing things quietly, which is a step away from the kind of rule-by-press-release we have seen in the past. While the new regime might be frustrating for Westminster journalists, it means you have to look a bit harder to see where policy changes are coming from. This is true for the government’s cyber security strategy and procurement policy, as much as for anything else.

Recently, for example, the government set out its views on cyber issues in the energy sector and their relevance to defending the national infrastructure, with the Department for Business, Energy and Industrial Strategy (BEIS) publishing its Civil nuclear cyber security strategy. Ostensibly, the new strategy has a narrow focus on a unique industry, but in fact precedents are being set for every company that works with the public sector – and even for all of the companies in the supply chains of those firms.

These precedents herald three important changes: first, a shift to give private companies more responsibility for national cyber security; second, a more interventionist approach by government to ensure companies are meeting that responsibility; and third, the creation of a new set of commercial opportunities for those companies that move first.

To some extent, everyone already shares responsibility for countering the national cyber security threat – even if that just means resisting the temptation to help that stranded foreign millionaire who emailed you and needs your bank account details to rescue all their cash. But the government wants private companies to go much further. In fact, Whitehall increasingly sees it as part of a supplier’s contractual duty to keep up to speed with cyber security technologies and ensure they are constantly enhancing their own best practice.

The traditionally steady evolution of cyber security measures is becoming less and less acceptable. To give you a taste of the rate at which government expectations are changing, even in the nuclear energy sector – which, together with financial services, is not normally shy of highly developed cyber security measures – the government now expects to see a “transformation” in approach to cyber security, not just incremental improvement.

Also, where the government feels companies are not up to scratch, regulations will be constantly “reviewed and strengthened” to force firms to up their game. More strikingly, the government is also explicit in its demand that any extra investment required to deliver cyber security changes that it deems necessary must be paid for by “additional industry resources” and not out of the public purse.

The traditionally steady evolution of cyber security measures is becoming less and less acceptable
Greig Baker, Guide Consultancy

The government also wants to see measurable evidence that action is being taken by suppliers to boost cyber security measures, with the threat of even more active intervention by the authorities if it does not happen.

The government has started to give examples of what it wants to see, encouraging suppliers to appoint board-level representatives to promote cyber security interests in all strategic commercial decisions as well as ensuring there is a qualified chief information security officer (CISO) operating below the top executives, and – perhaps more interestingly – asking that suppliers provide their public sector clients with a “list of all of [the supplier’s] critical digital assets and vulnerabilities across the organisation and supply chain”, both when pitching for a contract and after it has been awarded.

While the government’s strategy clearly focuses on its demands of suppliers, there are also hints at new commercial opportunities being created. For instance, companies that excel in demonstrating their cyber security prowess will not only enhance their own bids for public sector contracts, but could also develop a “cyber specialist consultancy capability” that can be sold to other private companies looking to work with central or local government, while taking steps to protect the parent company’s intellectual property.


Whitehall also seems keen to funnel more public money to private companies that can use existing initiatives, such as the Apprenticeships Scheme, to increase investment in the UK’s future cyber security workforce. This is part of a wider trend that we call “public policy by procurement”.

It is true that the government might not be shouting from the rooftops about the new demands being put on its private sector partners, but that should not be seen as a measure of how important these changes are. In fact, quite the reverse is true. They say you shouldn’t believe everything you read in the newspapers – but in the era of quiet government, on cyber security at least, the tabloids could be missing the big story altogether.
