At our annual security gathering, experts from across the sector shone a light on the crucial work, and major challenges faced, by those charged with protecting public servants and services
On Tuesday of last week, the new chief executive of the National Cyber Security Centre, Richard Horne, gave his first major speech in post.
As he unveiled the NCSC’s 2024 report – which showed that the volume of the most severe incidents handled by the organisation rose 44% year on year – he warned that the UK and its citizens are in a fundamental battle.
“We find ourselves now in a contest for cyberspace… between those of us who are using technology to conduct and improve our lives and prosperity and those people who seek to use our digital dependency against us,” he said. “Malicious actors in cyberspace… are increasingly using [that] dependence… to cause maximum disruption and destruction.”
Three miles across London, those appearing at another annual gathering – the PublicTechnology Cyber Security Conference – may have made fewer headlines than the NCSC boss. But the event, attended by more than 140 public sector experts, was no less clear in demonstrating the importance of cybersecurity to government and the citizens it serves.
Here are some of the highlights.
There are now ‘more techies than policy pros’ in government
Government’s careers website states that “policy professionals work at the heart of the civil service”.
This characterisation is reinforced by a study published earlier this year by the Institute for Government which found that policy is “numerically and culturally dominant in the civil service’s top tier”. The specialism accounts for 43% of Whitehall’s 148 most senior officials – despite representing less than 7% of the overall cross-government headcount.
But, in sheer volume at least, technologists can now claim the upper hand on their policy partners, according to Thomas Beautyman, deputy director for government digital capability – a role which sits within the Central Digital and Data Office.
He said: “In UK government there are now about 40,000 digital, data and cyber professionals – that is more than all of our policy professionals put together. So, digital, data and cyber is now a core skill and a core responsibility of civil servants.”
This figure has doubled in the past five years, which the digital skills chief calls “a big win for us”.
But Beautyman, taking part in an onstage Q&A with PublicTechnology, said that “increasingly, we also see the boundaries – between what is technical and not technical – dispersing”.
“So that means we need to think about CISOs, security architects – and everybody else,” he added, citing a particular need to grow expertise among senior managers.
“We know that there is insufficient understanding about some of the risks we’ve heard about today,” Beautyman said. “There is maybe a lack of confidence from many of our business leaders; if you were to compare the skills and the experience of government COOs, service owners and operational directors to some of their peers in leading private organisations, then we probably see quite a [wider] mix in some of those skills. A lot of the work we’re trying to do – probably three quarters of my week – is spent advocating with our most senior decision makers to invest more time in understanding the risks – and opportunities.”
With a potential candidate pool of 40,000, PublicTechnology suggested that it might be beneficial to see technologists occasionally being preferred to their policy colleagues for permanent secretary and chief executive appointments.
Beautyman responded: “I can’t comment on that!”
Why is cybersecurity like slime?
The need for cybersecurity to spread throughout an organisation – including right up to its highest levels – is further endorsed by Amie Alekna, chief security officer of the Ministry of Justice.
She revealed to attendees that she often tells her team that cyber should operate like “slime”, permeating the department. (Perhaps unsurprisingly, Alekna’s colleagues have suggested that the example of ‘oxygen’ could serve just as well.)
Regardless of the substance involved, the security leader invokes the analogy when an audience member asks about the ministry’s “approach to making security everyone’s responsibility”.
“We try to provide training for lots of different levels and abilities across the organisation,” Alekna says. “So, there’s different training for seniors who are leading in cybersecurity, and there’s different training for everyday users. It was Cyber Security Awareness month in October, and so we put on nine events – we had to increase the number due to popular demand… We are really trying to make it fun for people, make it accessible for people, and make people want to come on board because, invariably, nobody’s interested in cyber until something happens – and then they want to get all your courses and they want to know you. But it’s about trying to tap into people in that state of calm. So we just try to be in everyone’s faces!”
Would a senior police officer hire a convicted cybercriminal?
The National Cyber Resilience Centre Group (NCRCG) – funded by the Home Office – oversees a network of nine regional centres across England and Wales. Each of these brings together expertise from government, industry, academia, and the police – with serving senior officers acting as leaders for many of the centres.
At a national level, detective superintendent Ian Kirby leads the NCRCG as its chief executive. Speaking at the event, Kirby said that the group – chiefly through its Cyber PATH programme – works with young people to offer routes into the security industry, and help establish a pipeline of talent for UK public bodies and businesses, particularly SMEs.
Given the widespread chronic need for IT security skills, Kirby was asked by the audience about the potential merits of hiring convicted cybercriminals. While stressing that such a decision would always depend on the particular circumstances and would be a matter for the organisation in question, the NCRCG head – a career police officer who has held senior roles focused on drugs and firearms trafficking, as well as cyber – confirmed that he would be more than happy to do so.
Elsewhere, the chief executive of the Cyber Resilience Centre for London, Sapna Chadha, cited the value of the work her organisation does with City and Birkbeck universities to ensure tech experts are ready for the workforce.
“We take on masters students as part of our team, and we train them to go around and speak to businesses,” she said. “We’re taking them from [an environment] where they’ve been very technical and academic, and they’re suddenly learning soft skills and working with people and understanding how to actually demystify their work in the language to business.”
Chadha also cited the importance of cyber experts speaking the same literal language as those they are trying to reach.
“We’ve got a very diverse workforce, because we have to go to areas… with very different demographics in London, and we are using their languages to speak with them – for example we have Arabic-speaking, or Portuguese-speaking staff – and that’s been really helpful in interacting with the different communities in London.”
Why a local GDS could be a ‘force multiplier’ for councils’ cyber credentials
The Local Government Association is currently engaged in a project to develop plans for a ‘Local Government Centre for Digital Technology’ (LGCDT).
It is understood that the proposed facility would be backed – both financially and operationally – by central government departments. A white paper released by the LGA this summer said that the LGCDT would have a remit of “using technological innovation to deliver reform and promote inclusive economic growth across councils”.
Alex Coley, a councillor at Epsom and Ewell Borough Council and deputy chair of the LGA’s Improvement and Innovation Board, said that the initiative can be seen as a large-scale exercise in creating a “matrix team” – wherein stakeholders with differing skills and responsibilities are brought together into a single cohesive entity.
He added: “If you think about what the NCSC has done for cyber nationally, [we want] to do something for the local government sector where there is a place you can go – and do what we’re already doing – but to escalate that, to be a force multiplier, and to have more good people giving more advice out to more recipients in the sector. And it’s a priority that we’re doing this [by direct contact] with people; it’s not something we’re doing by press release or something that we’re doing by issuing new technical guidance or procedures. We’re expanding the footprint of professional capability across the public sector, and that’s crucial.”