The UK government brought together security representatives to discuss the current challenges in cybersecurity and how digital transformation and the AI opportunity action plan offer the UK an opportunity to evolve, at pace, security fit for the 21st century.
Nick Coleman, CIISec Board Member and Chair of the Risk Committee, attended the Government Cyber Security Conference held at the Design Museum in January. It was an extremely well-run event, bringing together more than 800 representatives from Government departments and security professionals from both the private and public sectors to take part in more than 30 sessions.
The overarching message from ministers and delegates was that the Government needs to go further and act faster when it comes to cybersecurity. But it’s a message everyone in the profession needs to heed. Most of the challenges Government faces are hardly unique and ultimately it is collaboration and cooperation that will help us as a profession address new threats.
Two reports released in the run-up to the conference highlighted the urgency of the issue. The National Audit Office’s (NAO) Government Cyber Resilience report and the Department for Science, Innovation and Technology’s (DSIT) State of Digital Government review both show that the impact and threat of cyberattacks on UK public services – and citizens – is growing.
Echoing this sentiment during his speech at the conference, Richard Horne, CEO of the National Cyber Security Centre (NCSC), said:
“As we transform our society, and especially Government services, we are making ourselves more dependent on technology, and therefore more exposed to the impact of cyberattacks. And so the stakes are being raised constantly.”
The findings of the NAO report were particularly sobering:
- 58 critical Government IT systems independently assessed in 2024 had significant gaps in cyber resilience, and the Government does not know how vulnerable at least 228 ‘legacy’ IT systems are to cyber attack.
- Departments did not have fully funded plans to remediate more than half (53%) of the Government’s legacy IT assets.
- Skills gaps are the biggest risk to building cyber resilience, with one in three cyber security roles in Government vacant or filled by temporary staff in 2023-24.
- More than 50% of cyber roles in several departments were vacant.
- Almost three-quarters (70%) of specialist security architects in post were temporary staff.
These stats surprised few in the room, with legacy systems being a persistent thorn in the Government’s side from both a security and innovation perspective. Commenting on these findings, the head of the NAO, Gareth Davies, laid bare the effects on the nation’s security:
“The Government will continue to find it difficult to catch up until it successfully addresses the longstanding shortage of cyber skills; strengthens accountability for cyber risk; and better manages the risks posed by legacy IT.”
There need to be plenty of experienced professionals who can pass on their wisdom and expertise, blended with new recruits who can be moulded and nurtured. These can either be early-stage cybersecurity professionals, or existing public sector staff who can bring their skills from outside of the profession to a new discipline.
At the same time, the digital transformation agenda that the Government is developing offers an opportunity for security to be transformed. Getting access to the skills and resources can be a challenge, as the NAO identified.
Too often the lure of higher salaries in the private sector prevents talented individuals from staying in the civil service. Here, the public sector has an ace up its sleeve. Roles in the Government are renowned for training and progression pathways, offering better opportunities for development than many private sector organisations if people stay in their roles. The public sector must do more to capitalise on this point of difference, with the mapping of career paths, varied and interesting projects, on-the-job training and sponsored qualifications all offered.
Professional bodies like CIISec can help the public sector to map out paths to progression, providing skills training and the pathway to become a chartered professional, working with talented individuals and Government departments to ensure retention.
Finally, public sector bodies must be realistic. The task of overhauling the security of huge legacy systems that date back decades is vast. Setting incremental, achievable targets, as well as using the opportunities of digital transformation, will assist. This will help to prevent staff from feeling overwhelmed, and lead to a more secure Government over time.