This article is the first in a three-part series of tips for Government Security Leads. It is intended to provide a brief overview of the most important aspects of fulfilling the role and what pitfalls to avoid.
In our recent blog post, What Every Government Supplier needs to know about the UK Cyber Strategy, we highlighted the need for Government suppliers to be prepared for a raise in security standards. Government projects will not be immune. Projects will need to concentrate more and more on getting security right from the outset. The job of championing security, co-ordinating activities and engaging with the Government accreditation authority will fall to the Security Lead.
The importance of Security Leads to the success of any Government project seeking formal security accreditation is often overlooked or underplayed. Some see it as having responsibility for getting all the boring paperwork needed for accreditation out of the way or just dealing with the Accreditor so he/she does not become a problem at a later stage. The truth is that the Security Lead should be an integral member of any project team, leading the development of security solutions that best balance the requirement with the underlying risks.
The role can be complex, with multiple customers to satisfy; technical solution engineers, project managers and accreditors to name just a few. Here at Ascentor, we have a lot of experience in performing the duties of a Government Security Lead, including the Security Assurance Co-ordinator (Security Lead) role in MoD, and thought it may be useful to jot down some top tips for those wishing to successfully carry out this role.
Tip 1: Be a team
It doesn’t have to be a single person that delivers everything.
At Ascentor, we believe the Security Lead is primarily a facilitator that brings the right skills to the table when they are needed. The Security Lead does not have to be a gifted technical security architect, but they do need to know where to get hold of one when required, assign a task and manage that task to resolution. Equally, they may be very technically capable but not have experience in putting together complex accreditation strategies; they should not be afraid to seek advice where necessary.
Above all, the Security Lead is a member of a team that is pulling together to achieve the same goal.
Tip 2: Understand the requirement
The first thing a Security Lead should do is understand what needs to be protected and why?
This should not be diving straight into a technical risk assessment but should be about getting to understand where the requirement came from, how it is intended to be used and who will be involved.
One of the most important aspects is getting to know who owns the information that needs protecting and why it is being given a particular value. It is often the case that the value of the asset has either been grossly over or under-assessed – it is rarely right first time and often changes tack after some searching questions. The Security Lead must have a complete understanding of the information protection requirements for all three of the security pillars; confidentiality, integrity and availability.
In Part 2 of Top Tips for Government Security Leads we look at the importance of establishing key stakeholders and planning activities with clear lines of communication.
Article by Paddy Keating, Director/Government Service Manager at Ascentor.