Government security has a fearsome reputation by tradition - just think of the Manual of Protective Security, ISO 27001, IS1/2, onerous and labyrinthine assurance requirements, and the confusing, shadowy presence of CESG and GCHQ in the background.
All of this made it feel like an episode from Yes Minister crossed with The Da Vinci Code. Not surprisingly, many companies decided that it was just too hard to work with government. SMEs, in particular, found it almost impossible to win government work, unless they were able to subcontract through large suppliers who could afford the overhead of engaging with security.
But although it might not always quite feel like it, things are definitely changing.
One of the key drivers for change is the call to deliver services that meet customer needs. Digital service delivery promises better and more responsive services, much greater speed and efficiency, and lower cost. The challenge is how to enable innovation and quick delivery securely.
The proliferation of digital services both increases the attack surface and the size of the ‘prize’ an attacker may hope to gain if successful. Networks are becoming increasingly complex, with multiple access points, management platforms and attack vectors, making it more difficult to monitor and manage security.
High-profile incidents have brought the security issue to the attention of the general public and led to a wide debate on balancing the need to protect with the need to enable. Building and maintaining citizens’ trust in the security of government digital services is a critical factor in being able to exploit the opportunities on offer.
Government Protective Marking Scheme
The most prominent change must surely be the demise of the Government Protective Marking Scheme. Earlier this year, the old scheme with its six classification levels was replaced by the much simpler and clearer Government Security Classifications with only three classifications - OFFICIAL, SECRET and TOP SECRET; and the vast majority of information will be at OFFICIAL level.
The need to protect information has not changed, but an overly complex and highly directive system developed for paper processes has been replaced by a simpler, easier-to-understand model more appropriate for modern working practices.
Moving to the new scheme has not been without its challenges. There is no direct mapping between the old and the new model; the handy shortcut of ‘IL3 means RESTRICTED, RESTRICTED means IL3’ no longer works; and processes and systems take longer to change than policy.
There is also a culture change that still needs to happen - seasoned security professionals have been overheard muttering ‘...there will always be a CONFIDENTIAL...’ - and risk aversion leads many to over-mark their information ‘just in case’. But it is a critical step that sends an important message, namely that security policy’s role is to provide guidance and direction, so that staff and suppliers can make sensible and appropriate decisions based on informed judgement.
It also sends another important message to industry and potential suppliers, namely that government’s doors are open for business. Security, too often perceived as a ‘keep out’ sign, has too often stopped business from happening rather than made it happen securely.
In time, the new classifications will make it simpler for government departments to procure from a variety of suppliers and enable suppliers of all sizes to bid for government work. All of this will lead to more innovative solutions, different and more flexible commercial partnerships, better use of commercial off-the-shelf (COTS) solutions and more interoperability across government departments and third parties.
Not so long ago, a government security professional was seen as someone who defended the old ways of working and entrenched government security more and more into a ‘closed club’ where debate was not welcome.
But here, too, a culture change is taking place. Key to it is the recognition of security as a profession in government, providing focus for recruitment, training and continuous personal and professional development for all working in security in the civil service.
This new government security profession is about a group of people who are well informed and knowledgeable, but whose primary concern is making the world of information security accessible to business.
There is a world-wide and growing shortage of security skills; estimates are that the industry may be short of as many as one million security professionals worldwide. The establishment of the security profession is a recognition across government of the critical importance of security, and that in order to get security right, the people who do it must be up to the task.
The lack of cyber skills is a particular area of concern. Civil service cyber apprenticeships are only one of a number of initiatives intended to address this. This scheme is aimed at school leavers with at least two A-levels and allows the apprentices to acquire up-to-date technical expertise, whilst also gaining critical workplace skills.
Bringing security upstream
Another noticeable change in government security culture is driven by the speed of digital delivery and the use of agile methods. In the waterfall model, security requirements would be defined by a team of experts at key points and then built and tested before go-live. In an agile delivery, security needs to be considered and built into processes as they are being developed.
Security requirements must be considered as user stories develop, and checked against the high-level security design so that any security risks can be managed alongside other risks such as cost, quality and usability.
Agile methods lend themselves very effectively to secure development; pair programming, peer reviews, change tracking and ‘test-first’ are all examples. This approach means that all team members and stakeholders understand and identify risks, and ensures that appropriate mitigation (through technology, process or policy) becomes an integral part of a digital service.
Implemented well, all this helps to bridge the traditional gap between security and development and deliver business code quickly and securely.
In many government departments, accountability for different elements of security is distributed across a number of business areas; and, notably, the various roles and responsibilities also differ from department to department. The need to be more responsive to a rapidly changing threat landscape, and to provide flexible, appropriate and proactive responses, is driving ever closer cooperation within departments and across government.
Another interesting aspect of this development is that in the past the security community focused mostly, and sometimes almost exclusively, on the confidentiality part of the CIA model. Now integrity and availability are becoming equally important factors in managing the overall risk to the organisation. The focus is on ensuring that security’s role is to enable the government’s businesses and services to be delivered to citizens safely and securely.
To coin a phrase, government security is on a journey. There is still some way to go - culture cannot be changed as quickly as policy and standards, and closing the skills gap will take time. We have started, but there is a lot more to do. Establishing effective, lasting partnerships between government security and the IT industry is on the critical path.