Mike Thomas, managing director at public services network trade body PSNGB, welcomes the principles behind new security proposals for the G-Cloud framework, but warns they could change buyer behaviour.
PSNGB has been asked by Andy Beale, director of common technology services at the Government Digital Service (GDS), for its views on a new security approach prior to submissions for G-Cloud 6 opening.
Essentially, GDS proposes that responsibility for assertion of capability will be by the supplier as opposed to external accreditation through the pan government accreditation run by Communications-Electronics Security Group (CESG).
In principle, we think this is a good idea – but there are several caveats.
Clearly, the questions posed of suppliers and the matching capability assertions need to be the right ones, with some degree of sample audit in place to verify returns.
With this done effectively, the movement away from formal accreditation could uncork a bottleneck preventing very many commercial services reaching public sector buyers.
We wold also add that in relation to PSN, users require a community of trust – meaning that accreditation is necessary to guard against vulnerabilities that could impact all users and critical public services.
However, the move may benefit some sectors of the market more than others.
The changes to the government security classifications mean that there is more onus on the customer to own risk and select services that meets their needs in terms of security, quality and reliability.
This is a good thing; however, it requires the public sector to be clear about user needs and assess the suitability of the solution.
Buyers tend to purchase on the basis of experience, trust, accredited capability and price.
If you have an existing relationship with a supplier, you are more likely to trust their assertions – if they are well established and have gained a reputation for reliability, you are more likely to trust that they will not let you down.
If a supplier or service has received a quality or industry award, you can trust that they have undergone some investigation or accreditation.
On the other hand, if you don’t know the supplier, have no experience of them and there is no “badge of honour”, then the price needs to be low and the scope for failure limited to balance the perceived risk.
From the supplier side, accreditation is expensive and time consuming.
It’s worth it only if it adds measurably to the market attractiveness and value of your services. In some cases, it’s the essential ‘table stake’ to enter the market.
If it’s not formally required, then attributes like track record, experience, trust and an element of brand value can make the difference in buyer perception.
The suppliers least well differentiated by these attributes are likely to be those smaller, new suppliers that G-Cloud is trying to attract.
PSNGB believes that there are many benefits to self-assertion and suggests that it is implemented, but monitored.
Buying behaviour will need to be reviewed to see if there is gravitation to those companies with existing accreditations, established contracts and customer references due to this change.
Mike Thomas, is managing director at PSNGB, the trade association for suppliers of PSN services to the public sector