If causing a cyber security breach is a matter over which one should resign, then to be able to waltz back into the same job barely seven days later is utterly unacceptable, and yet this is exactly what our erstwhile, and now current, home secretary Suella Braverman has done.
On Wednesday 19 October, the day before former prime minister Liz Truss was forced to resign following possibly the most disastrous, and certainly the shortest, premiership in British history, Suella Braverman suddenly resigned from her post as home secretary after being caught breaching the ministerial code by sending official, restricted documents from her personal email account to a fellow MP.
This MP is now known to be veteran right-wing backbencher John Hayes, but he was not the only recipient, as it now appears Braverman also copied in someone who she thought was Hayes’ wife, but was in fact an assistant to another MP, Andrew Percy.
In a pointed resignation letter to Truss, Braverman wrote: “Pretending we haven’t made mistakes, carrying on as if everyone can’t see that we have made them, and hoping that things will magically come right is not serious politics. I have made a mistake; I accept responsibility; I resign.”
This was widely taken as a dig at Truss, the consequences of whose “mistakes” will be felt by ordinary people for years to come, and a call for her to quit. It may not have been the straw that broke the camel’s back, but it won’t have helped.
Yet just six days later, on Tuesday 25 October, with Truss consigned to history and Rishi Sunak elevated to the post of prime minister, Braverman was promptly reappointed to the same post. In reappointing the supposedly disgraced home secretary, Sunak and Braverman have made a joke out of the security profession that the government claims to value so much.
In letting this slide, they make it harder for security professionals to justify doing their jobs well, and make it more likely that they will receive pushback from their organisations when they have to make a tough call: “The home secretary used her personal email account to send government documents – so why shouldn’t I use mine to send that invoice?”
Apart from the divers who fix broken undersea network cables, security professionals probably do one of the most demanding jobs in IT, and are frequently ignored and overlooked by their organisational leadership and belittled by those they are supposed to protect.
Too often when speaking to people in the industry, I hear security practitioners complain that they are seen as “that person who says no to everything”. It’s a disheartening statistic, but frustrations over a lack of support and recognition for the job they do were cited by almost a third of those planning to leave the security profession in a recent study conducted by Trellix.
But perhaps more worryingly for British society as a whole, Sunak and Braverman have also risked making it harder for the UK’s intelligence agencies to perform their duties.
GCHQ and hence the National Cyber Security Centre (NCSC) report to the foreign secretary, not the home secretary, but MI5, which carries its own cyber security brief, does report to Braverman.
Although protecting critical systems from cyber threats both foreign and domestic is a far cry from a carelessly sent email to a colleague, any security professional will tell you that the most apparently benign of security slip-ups will let in a nation-state threat actor as easily as it will a financially motivated ransomware gang.
As such, those in charge of defending Britain’s national cyber security must be held to a higher standard.
At the very least, Sunak and Braverman owe the thousands of cyber security professionals, who actually do keep organisations across the UK safe from an unrelenting barrage of threats daily, an apology.