Government Cyber Security Strategy

UK Government Initiatives For Cyber Growth

In response to the unprecedented globalisation of the last two decades and the shift to a digital online existence emerging post-COVID-19, the UK government has instituted new strategies to tackle the insecure state of the nation’s cyber security. These strategies have big implications for government suppliers.

This blog post will summarise the key initiatives supporting the UK’s cyber strategy so that cyber security suppliers who work with the government can anticipate future opportunities.

The National Cyber Security Strategy

In January, the new National Cyber Strategy was published, taking over from the previous National Cyber Strategy of 2016, which laid out the UK’s aim to be a global leader in cyber.

The strategy sets out the three-year plan to “ensure the UK remains confident, capable and resilient”, and that government organisations “continue to adapt, innovate and invest” in protecting the nation’s cyber space.

The following section of this blog explores how the UK’s National Strategy affects the public sector’s cyber security needs.

Government Cyber Security Strategy

On January 25th 2022, the government launched its first cyber strategy report, named ‘Government Cyber Security Strategy - Building a Cyber Resilient Public Sector’. The report outlines the UK public sector’s plans to successfully combat and thrive against growing cyber threats over the next 8 years, or until 2030.

The strategy outlines the vision to:

“Ensure that core government functions are resilient to cyber-attack by 2025, with all government organisations across the whole public sector being resilient to known vulnerabilities and attack methods no later than 2030.”

Two key pillars emerge from the strategy:

Pillar 1: Build a strong foundation of organisational cyber security resilience

This pillar calls upon every government organisation to build a resilient and impenetrable cyber security system. In other words, organisations must have complete visibility over their entire cyber ecosystem — from IT assets held, to the handling, storage and sharing of data. The pillar implies that improved cyber visibility enables sufficient risk assessment at any given time.

As part of this pillar, government organisations must adopt the National Cyber Security Centre’s (NCSC) Cyber Assessment Framework (CAF).

The CAF aligns government organisations under a set of industry-standard cyber-resilience protocols. These protocols are underpinned by 39 contributing outcomes, each with a set of indicators of good practice (IGPs) attached. The IGPs are used to create sector-specific CAF profiles, which provide appropriate and proportionate cyber security measures.

Organisations’ assessments of cyber-resilience within the CAF will be verified by independent auditors, ensuring each government body is deemed secure by a third party.

💡 The opportunity for suppliers to get involved is listed in the third column of this table.

Pillar 2: Defend as one

The second pillar aims to better connect government organisations - enabling more effective sharing of data, expertise and capabilities. A key component of this pillar is the creation of the Government Cyber Coordination Centre (GCCC). The purpose of the GCCC is to:

“Foster partnerships and share cyber security data and threat intelligence rapidly to identify, investigate and coordinate the response to incidents on public sector systems.”

The government states a legitimate belief that without robust visibility across every government IT, digital and data asset, cyber security risks go unmanaged on a broad scale.

Five objectives of action:

Under the two strategic pillars, the Government Cyber Security Strategy outlines five main objectives. These objectives outline the five pathways government organisations must follow to ensure the aims of the strategy are met by 2030.

1. Government will manage cyber security risks

Organisations will need to uphold effective risk management processes, governance and accountability to identify cyber threats at organisational and cross-government levels.

Cyber security assurance will provide organisations with the visibility necessary over their entire cybersphere to allow for effective decision making.

This objective also calls out the importance of long-standing private sector partnerships to enhance the longevity of cyber initiatives.

💡 Stotles tip: Suppliers whose services include data visualisation, data transformation and secure digitisation of IT infrastructure will be called upon in Objective 1.

2. Government will protect against cyber attacks

Organisations will need to adopt proportionate security measures, with centrally developed systems that can protect at scale.

Accordingly, organisations must be ‘secure by design’ and ensure cyber security measures are embedded and appropriately configured across the tech-stack used, and ensure they are continuously developed and updated.

💡 Stotles tip: We predict that artificial intelligence and quantum computing solutions will be necessary for Objective 2.

3. Government will detect cyber security events

Organisations will need to ensure there is comprehensive monitoring of systems, networks and services to foresee cyber threats before they become incidents.

Cross-collaboration and visibility across government organisations will be necessary to ensure a shared detection capability.

💡 Stotles tip: Objective 3 will require suppliers who provide SOC and Managed Detection and Response (MDR) solutions.

4. Government will minimise the impact of cyber security incidents

Organisations must respond to cyber security incidents swiftly and enable rapid responsiveness at scale.

Systems and assets affected by cyber incidents need to be assessed as soon as possible, and business as usual must resume as quickly as possible, with minimal disruption.

Cyber Incident Response Providers will be called upon in these situations. The NCSC recommends government organisations work with Cyber Incident Response (CIR) certified companies.

💡 Stotles tip: To ensure you are in the running for Objective 4 opportunities, you must certify your company as CIR by submitting this application form.

5. Government will develop the right cyber security skills, knowledge and culture

Government must continue to develop the country’s cyber security workforce, not just in the form of technical cyber security experts, but also in all professions that must effectively incorporate cyber security as part of their practices.

💡 Stotles tip: Suppliers who provide cyber security training, education and development will be necessary to achieve Objective 5.

This blog aims to help suppliers understand how the UK’s National Strategy affects the public sector’s cyber security needs. In August 2022, we released a free report on the £billions in public sector cyber security funding. The aim of this report is to showcase the monumental opportunities emerging for cyber security suppliers. To download your free copy, visit this page.