Securing resilient public services

Capita’s Chief Information Security Officer sees a fine balance between collaboration, risk, controls and operational effectiveness


A global rise in cyber incidents fuelled by the coronavirus pandemic has once again forced security to the top of the agenda for public sector digital leaders. As public bodies move to support an increasingly distributed workforce, one of the “primary priorities” for 2021 in a recent report from Socitm – the local government IT association – was identified as cybersecurity. Such concerns were brought vividly to life in a ransomware attack on the Scottish Environment Protection Agency (Sepa) on Christmas Eve, from which the organisation is still recovering. Even though its chief executive Terry A’Hearn was praised for his “moral courage” in denying payment to the hackers behind the devastating attack, which is currently under investigation by Police Scotland and the National Cyber Security Centre (NCSC), the incident was a timely reminder that exploit tools are increasingly crippling midsize public agencies as part of a so-called “big game hunting” trend.

As public sector Chief Information Security Officers (CISOs) have upped their vigilance – and internal security protocols – the wider supply chain has also moved to respond to the changing threat landscape.

At Capita, the last year has seen the creation of several “centres of excellence” as part of its digital offer, one of which is cyber. Previously separate units within a large security function have merged to provide a single cyber entity comprising two security operations centres (SOCs) and over 250 staff, spanning operational security, service delivery, consultancy and network “PEN” testing.

“The centres of excellence came together to have the right level of focus to ensure our customers get the right outcomes, and that they become more cyber-resilient organisations,” says Paul Key, group CISO, Capita.

“Three or four years ago, the SOC was the eyes and the ears of what’s happening within your organisation. If it was set up correctly, they should have a view of everything that was traversing your infrastructure, including data flows. However, we’re now moving to a more automated footing. In practice, that means deploying tools such as SOAR (Security Orchestration and Automated Response), AI and digital, which is a more proactive and less labour-intensive way of monitoring your infrastructure.”

On a technical level, Capita utilises market-leading SIEM (Security Information and Event Management) software, which scans the infrastructure looking for known threats and unusual activity, such as log-ins from malicious devices, or overseas domains.
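As an added illustration of the kind of rule a SIEM applies to login events (this is not Capita's tooling, nor code from the article), the following Python runs two simple detections over a handful of constructed log lines: one flags any attempt from a source on a placeholder "known malicious device" list, the other flags successful logins whose source geolocates outside the expected country. The log format, the blocklist and the prefix-to-country table are all invented for the example; in a real deployment they would come from the log source, a threat-intelligence feed and a GeoIP database.

```python
"""Toy SIEM-style login detection over constructed log lines.

Added example, not Capita's tooling. The log format, the blocklist and the
country table below are constructed for illustration only.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of authentication events (syslog-like, one per line).
SAMPLE_LOG = """\
2021-03-01T08:02:11Z auth sshd user=alice src=10.0.4.17 result=success
2021-03-01T08:05:40Z auth vpn  user=bob   src=203.0.113.45 result=success
2021-03-01T08:06:02Z auth vpn  user=carol src=198.51.100.9 result=failure
2021-03-01T08:06:05Z auth vpn  user=carol src=198.51.100.9 result=success
2021-03-01T08:09:30Z auth web  user=dave  src=192.0.2.77 result=success
"""

# Constructed "known malicious device" indicators (placeholder threat intel).
MALICIOUS_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Constructed stand-in for a GeoIP lookup: prefix -> ISO country code.
GEO_TABLE = {
    ipaddress.ip_network("10.0.0.0/8"): "GB",
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("198.51.100.0/24"): "XX",  # constructed "overseas" range
    ipaddress.ip_network("192.0.2.0/24"): "XX",     # constructed "overseas" range
}
EXPECTED_COUNTRIES = {"GB"}

# One regex for the constructed line format; anything else is treated as malformed.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<svc>\S+)\s+user=(?P<user>\S+)\s+"
    r"src=(?P<src>\S+)\s+result=(?P<result>\w+)$"
)


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    src: str
    ts: str


def lookup_country(ip_str):
    """Return the country code for an address, or UNKNOWN if no prefix matches."""
    ip = ipaddress.ip_address(ip_str)
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return "UNKNOWN"


def is_malicious_source(ip_str):
    """True if the address falls inside any blocklisted prefix."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in MALICIOUS_SOURCES)


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text):
    """Apply both rules to every event and return the alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip it rather than stop the pipeline
        # Rule 1: any attempt, successful or not, from a known-bad source.
        if is_malicious_source(ev["src"]):
            alerts.append(Alert("login_from_malicious_source", ev["user"], ev["src"], ev["ts"]))
        # Rule 2: a successful login from outside the expected countries.
        # An UNKNOWN lookup is also treated as unexpected, so a gap in the
        # geo data raises an alert instead of silently suppressing one.
        if ev["result"] == "success" and lookup_country(ev["src"]) not in EXPECTED_COUNTRIES:
            alerts.append(Alert("login_from_unexpected_country", ev["user"], ev["src"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.rule} user={a.user} src={a.src}")
```

Running it against the constructed sample yields four alerts: both of carol's attempts from the blocklisted prefix, a second alert on her successful login because it also geolocates outside GB, and one for dave's successful login from the other overseas range. Alice and bob, logging in from expected prefixes, raise nothing.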

But how do you keep up with the malicious botnets that are driving the surge in ransomware attacks? Key says: “Good question. In our security testing team, we have a number of penetration testers and ethical hackers who we utilise for additional security and threat information. If we want to analyse data and alerts more deeply, we utilise senior SOC analysts and the testing expertise. The organisation’s security function can help, however, to be more proactive, but we need more sharing of data, whereby security is seen as more of a community. Simply, if we are seeing something in one organisation, we need to encourage that community spirit to share, so that others can benefit and be more proactive around blocking, so we’re not too late.”

Key credits the CISP (Cyber Security Information Sharing Partnership) programme developed by the NCSC but believes more needs to be done to ensure information sharing across all sectors. The recent CyberScotland Partnership – announced during CyberScotland Week last month – involving ten “strategic organisations” providing a unified cybersecurity stance is perhaps a step in the right direction.

But does threat monitoring need to go much deeper, to be able to see what kind of threats are emerging – such as new variants of malicious code, particularly ransomware – on the dark web? Key says: “It is a concern. I’ve previously worked on a programme analysing dark web threat intelligence and put it into context, by asking what it means for certain sectors. We are going through a similar piece of work in Capita to bolster our operational security, testing, assurance and the SOC to build threat intelligence into the model. We are doing that inter-
