This is the second in a three-part series of Top Tips for Government Security Leads. It is intended to provide a brief overview of the most important aspects of fulfilling the role and what pitfalls to avoid.
In Part 1 we covered the importance of being a team player and understanding the overall security requirement for the role. The series continues with two more top tips.
Tip 3: Establish the stakeholders
The Security Lead is a co-ordinator and must ensure they know who to co-ordinate with. The information owner(s) have already been mentioned in Part 1, but there are many others:
- Accreditor. The Security Lead is going to have to plan security activities, resources and time frames. There is no point planning any of this without having worked it through with the appointed Accreditor, who may have a different idea about how security should be managed within the task. The relationship between the Security Lead and the Accreditor is key to the success of any security activity. Once the Accreditor is engaged and content with any initial plans, the Security Lead can move forward in the knowledge that the plans will not be scuppered by the Accreditor at a later date.
- Project Managers (PMs) or Work Package Managers (WPMs). There are normally many in a task where a Security Lead is appointed; however, they rarely understand security requirements. They may be part of an MoD Delivery Team or appointed by the supplier(s) to deliver a particular work package. In addition, the PMs or WPMs may be tasked directly by the Security Lead to deliver a piece of security work, such as a risk assessment or accreditation plan. Either way, the Security Lead must engage with all of them to ensure security activities are identified and delivered in an agreed manner.
- Data Owners, Information Asset Owners (IAO) or Information Risk Owners (IRO). It is essential that the Security Lead knows where to go to discuss the risks that may be associated with the information. It is likely that there will be more than one involved as information sharing across organisations or projects becomes more prevalent. They may have different risk appetites for similar information strands or have a requirement for higher levels of assurance that security controls are in place and acting as intended.
- Supplier security personnel or technical staff. The Security Lead must understand the constraints under which the supplier personnel are operating. It is all too often the case that the Security Lead takes an ivory tower approach and fails to realise that security controls cannot be implemented as required without having significant side effects or unintended business consequences. The sooner the Security Lead engages with the suppliers the better the overall outcome is likely to be.
Tip 4: Establish lines of communication
How the Security Lead remains in contact with all the stakeholders must be addressed early in the project lifecycle so that everyone knows where to go for security-related advice.
The Security Lead must establish a Security Working Group (SWG) and have the Terms of Reference (ToRs) agreed. The SWG must have oversight of all security activities and is the body that provides security governance. The Accreditor will be an essential attendee at the SWG. Any lack of attendance will undermine the authority of the SWG and may lead to problems in the future due to a lack of oversight.
In the final part of this three-part series, Top Tips for Government Security Leads, we will look at defining an escalation path so that security concerns can be raised at the appropriate level, keeping a record of important security decisions and, finally, planning, planning and more planning!
Article by Paddy Keating, Director/Government Service Manager
If you found this article useful, take a look at Part 1 of this three-part series.