As PublicTechnology launches a new hub gathering together a range of content specially focused on the security sector, editor Sam Trendall considers the perpetual balancing act facing cyber professionals.
Not so long ago, it seemed to be a commonly aired belief that ‘humans are the weakest link’ in any organisation’s security network.
More recently, however, cyber professionals have tended to take a different – and less censorious – approach. The focus these days is often on empowering employees to embrace their security responsibilities, rather than simply scolding those who get it wrong.
The change of tack is understandable; relying on rebuke and reprimand is liable to create a culture of fear, blame, and – most damagingly of all – secrecy.
But maybe just a little fear is not a bad thing.
It is, after all, one of the key evolutionary advantages that has sustained and perpetuated the human race up to now. And, while public servants may be advised not to take too much inspiration from Niccolò Machiavelli, government CISOs could perhaps learn from the 16th century diplomat and author’s suggestion that it is “best to be both loved and feared”.
Certainly, it often seems that the scale of our fears about cyberthreats is dwarfed by the size of the threats themselves. The most recent annual report from the National Cyber Security Centre revealed that the agency responded to about two “nationally significant” incidents every week of the year.
How many of these made headlines in even a specialist title like this – much less in the national and international press?
All the while, government statistics show that, of all the digital crimes reported in the most recent year – a number which, in itself, is probably only a proportion of a potentially much higher figure – only one in every 1,000 was ultimately charged.
If this 0.1% rate was replicated across all crimes – especially the most violent offences – there would, quite rightly, be national outcry.
As it is, we all seem pretty relaxed about the situation. Are cyber incidents in danger of becoming background noise, indistinguishable from the general hum of day-to-day life?
Getting the balance right
Striking the balance between blind panic and blissful ignorance is a constant challenge for public sector security leaders – and for the wider cyber world beyond that.
If we spent too much time or rigour thinking about the bombardment of potentially catastrophic attacks being waged on government and big business – not to mention the constant pepper of lower-level assaults that might not take down a country, but could certainly wipe out a bank balance – many of us might chuck all our devices out the window, cut up our credit cards, and go and live off-grid somewhere in the Highlands. (And, personally, I haven’t ruled it out.)
On the other hand, if we fail to take the threats seriously enough, we create another major risk: that cyber aggression and injury become normalised.
Getting the tone right to ensure a workforce that is calm and confident about their cyber responsibilities – but sober and serious about the need to undertake them – is a near-impossible job. But it is one that thousands of public servants tackle each day.
In the run-up to the PublicTechnology Cyber Security Conference in London on 15 October – which is free to attend for all public sector professionals – we will be focusing on this work, and the opportunities and challenges that currently define it. Look out on our website from Monday for a new dedicated cyber hub, where all the latest content – including breaking news, analysis, features, and interviews – will be published.
It is, now more than ever, important to understand and recognise the work of the cyber specialists in our audience and across public service. Because humans are, perhaps, the strongest asset we have in tackling cyberthreats.