Capita has created a centre of excellence for cybersecurity to provide greater focus on resilience for its customers

Paul Key, Group CISO, Capita

…nally at the moment, but there is a need to start to share that with other organisations; that’s why I mentioned about the importance of community, it’s all part of it.”

He says: “However, I’d caution that the dark web is a hive of illegal information, it’s not an area where you want a normal user to go to. And as an organisation – as a legal entity – we’ve got to be very careful about what we do, in terms of the data that we extract and how we use it.”

There are many ongoing conversations in cybersecurity that predate the arrival of Covid-19.

Cloud adoption is one of them. According to Socitm, public sector CIOs have reported that they are often under pressure to embrace a “cloud first” approach – in order to deliver greater cost efficiency, scalability of service and innovation. However, that approach has led to a piecemeal acquisition of cloud services, without necessarily an appreciation of the security and compliance risk. Additionally, without the involvement of business transformation colleagues at the heart of a cohesive digital strategy across the organisation, the security downsides can be magnified, and the benefits of cloud end up either unrealised or poorly expressed.

When it comes to maintaining on-premises legacy systems versus migrating data to the public cloud, Key’s advice is clear.

“Whether it’s a Capita data centre or a Microsoft data centre, as a customer I would expect the cloud provider to have the same levels of due diligence and governance in that organisation to make sure they’ve got the right level of controls and processes in place to secure my data,” he says.

He adds: “Is it any more challenging? Potentially, yes, because you’re dealing with multiple third parties, but that is how as an organisation you need to make sure that your controls and processes around IT management, cloud management and security management look at the supplier aspect and their assurance, as well as the IT part. The IT infrastructure is only as good as the people that are managing and monitoring it.”

Another issue which has risen to prominence in recent years is network design. Many public sector agencies are constrained by legacy systems that have either been developed in-house, outsourced or added to over time. Key points to the IT risk of relying on “flat infrastructures”, whereby organisations house all of their services on one Active Directory domain, which can allow malicious code to travel laterally across the network in a blink – a major vulnerability among many ransomware victims.

In an ideal world, organisations should be following the principle of “security by design”, using stage gates, firewalls or segregation between sections of the business – protecting the HR function, for example, from being infected by malware introduced into the network via an email phishing attack on the finance department.

He says: “That to me is the fundamental principle about how you do security by default and design, but it’s a challenge. These organisations and infrastructures have been created over a number of years; and the principles around security by default have really started to come about over the last five to six years; for many organisations their infrastructures have grown organically over the last 10 to 15 years. So, it’s really hard for an organisation to go back and look at the level of segregation because of the cost, time and the impact that is going to have on that organisation. It’s risk versus cost.”

Key says a consequence of too much emphasis on risk can be a lack of functionality from a user perspective, which is an age-old struggle between IT managers and the wider workforce, particularly as ‘shadow IT’ creeps into an organisation.

He says: “At the heart of this you have a fine balance between collaboration, risk, security and the operational effectiveness for an organisation. For me the discussion centres around people, process and technology. You have to find the right security controls, aligned with good governance and management, in order to build a secure and functional organisation.”

And as we emerge from the challenges of Covid-19, what would his advice to a public sector CIO or CISO be for the next 12 months, which will hopefully be less frenetic?

He says: “If you can do two or three things, alongside educating your staff, the first I would say is to make sure your systems are patched; basic but critical. Then, I would create a level of security testing to ensure that your patching is appropriate and complete. And then do a red team and purple team test of your people and processes around responding to a cyber incident.”
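The “flat infrastructure” risk Key describes above can be made concrete with a small blast-radius model: given a set of hosts, the zone each one sits in, and the firewall policy between zones, compute which hosts a single compromised finance workstation could reach laterally. The code below is an added illustration written for this page; it is not Capita’s code or design, and the hosts, zones and both policies are constructed sample data. It compares a flat design (every zone may talk to every other) with an assumed segregated design (an explicit allow-list with default deny between zones), which is the stage-gate/firewall approach the article advocates.

```python
"""Blast-radius model: flat network versus segregated zones.

Added example for this article, not Capita's code or design. Every host,
zone and policy rule below is constructed sample data.
"""
from collections import deque

# Constructed inventory: host name -> the zone (firewall segment) it lives in.
HOSTS = {
    "fin-pc-01": "finance",
    "fin-srv-01": "finance",
    "hr-pc-01": "hr",
    "hr-srv-01": "hr",
    "dc-01": "identity",   # the single directory domain everything authenticates to
    "file-srv": "shared",  # a file server used by both departments
}

# "Flat" design: any zone may initiate traffic to any other zone.
FLAT_POLICY = {"*": {"*"}}

# Assumed segregated design: allow-list of destination zones per source zone,
# everything not listed is denied. Departments may reach identity and shared
# services but not each other, and the shared/identity zones initiate nothing.
SEGMENTED_POLICY = {
    "finance": {"finance", "identity", "shared"},
    "hr": {"hr", "identity", "shared"},
    "identity": {"identity"},
    "shared": {"shared"},
}


def allowed(policy, src_zone, dst_zone):
    """True if the policy lets a host in src_zone initiate traffic to dst_zone."""
    if "*" in policy:          # flat: no inter-zone filtering at all
        return True
    return dst_zone in policy.get(src_zone, set())


def blast_radius(policy, compromised_host):
    """Hosts reachable from compromised_host by chaining permitted zone-to-zone hops.

    Breadth-first search over hosts; each hop is allowed only if the firewall
    policy permits traffic from the current host's zone to the next host's zone.
    Returns a sorted list that always includes the starting host.
    """
    seen = {compromised_host}
    queue = deque([compromised_host])
    while queue:
        current = queue.popleft()
        for host, zone in HOSTS.items():
            if host not in seen and allowed(policy, HOSTS[current], zone):
                seen.add(host)
                queue.append(host)
    return sorted(seen)


def contained_by_segmentation(compromised_host):
    """Hosts the segregated design keeps out of reach that the flat design exposes."""
    flat = set(blast_radius(FLAT_POLICY, compromised_host))
    segmented = set(blast_radius(SEGMENTED_POLICY, compromised_host))
    return sorted(flat - segmented)


if __name__ == "__main__":
    start = "fin-pc-01"  # a finance workstation hit by a phishing payload
    print("flat     :", blast_radius(FLAT_POLICY, start))
    print("segmented:", blast_radius(SEGMENTED_POLICY, start))
    print("protected by segmentation:", contained_by_segmentation(start))
```

Running it shows the flat design exposing every host, including both HR machines, to a compromise that started on a finance workstation, while the allow-list confines the reachable set to finance, the directory and the shared file server. The model counts only network-layer reachability: it says nothing about whether a reachable host is actually exploitable, and it does not model what an attacker gains by compromising the directory itself, which is why the single shared domain that Key mentions remains a concern even after the firewall rules are in place.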

