Top tips for Government Security Leads – Part 3

This is the final part in a three-part series of Top Tips for Government Security Leads. It is intended to provide a brief overview of the most important aspects of fulfilling the Security Lead role and what pitfalls to avoid. In Part 2, we covered the importance of establishing and communicating with the right stakeholders, including the Accreditor and Information Asset Owners. The series concludes with three more top tips.

Tip 5: Have an escalation path

The Terms of Reference (ToRs) for the Security Working Group (SWG) should define the escalation path; however, experience has shown that it is often only a paper exercise until it is needed to resolve a critical issue. The Security Lead should have confidence that any issue that may impact the overall security of the project can be quickly and effectively escalated, so that there is minimal impact or delay.

Tip 6: Record all decisions

Decisions made at the SWG must be recorded in the minutes and widely distributed. Any decisions made outside of the SWG should be raised at the SWG for awareness, endorsement and recording. The Security Lead must be able to track decisions back to where they were agreed and be able to articulate when and why a particular decision was made and who made it. It is inevitable that during the lifecycle of a major project, the same questions will come up time and time again, and the Security Lead is there to avoid nugatory effort or conflicting decisions arising.

Tip 7: Plan, plan and more planning

All Project Managers love a good plan and spend most of their time doing it. This should be no exception for a Security Lead who is really the PM for security-related activities. Key planning requirements are:

  • Accreditation Plan. Following on from the accreditation strategy agreed with the Accreditor and endorsed by the SWG, the Accreditation Plan should provide the detailed breakdown of what security activities are to take place, over what time frame, to what standard and by whom.
  • Assurance Planning. The requirement for assurance planning is worth a special mention. The specialist resources needed to conduct IT Health Checks (ITHC), Vulnerability Assessments, CESG Tailored Assurance Service (CTAS) tests and a plethora of others all take time, effort and cost to put in place. If these factors have not been identified in formal security activity planning they are likely to be overlooked or rushed, which may impact on the overall accreditation outcome.
  • Alignment. The Security Lead needs to ensure that security plans align with the wider project plans and do not conflict with them. It is often the case that a lack of adequate security engagement throughout the project lifecycle has significant impacts on other project deliverables as security requirements seep into the project consciousness. Trying to shoehorn security controls into designs at the end, rather than building them in at the start, generally increases cost, adds delay and is unlikely to be as effective.

In summary, the role of a Security Lead can be complex, time-consuming and stressful, however, with a bit of planning, preparation and a determination to get involved the role can be very rewarding and add real benefit to any project.

Article by Paddy Keating, Director/Government Service Manager at Ascentor.

If you found this article useful, take a look at Part 1 and Part 2 of this three-part series.
