Building Back Stronger – Security as the Foundation for the UK’s Digital Transformation

We have been experiencing ‘a perfect storm’ when it comes to accelerated change and accelerated cybersecurity risks.

In the opening plenary to CYBERUK 2021, the National Cyber Security Centre’s flagship annual event, John Lambert, General Manager at the Microsoft Threat Intelligence Centre commented that ‘resilience is created by being tested, and this last year it was tested!’ – a reflection and experience I think we can all relate to. This set the stage for a deep dive webinar session on how Cyber Security is the foundation for the UK’s Digital Transformation.

It explores exactly what has changed, what we have learnt and the challenges we face to move beyond the pandemic and catalyse sustainable digital transformation success, supporting economic recovery, and accelerating digital government. This was a timely discussion hosted by Andy Trotman, Head of News at Microsoft UK with contributions from Chris Perkins, Public Sector Lead also at Microsoft UK, and Pete Cooper, the Deputy Director of Cyber Defence, at the Government Security Group (GSG).

With the National Cyber Security Centre (NCSC) announcing that it had observed a record number of cybersecurity incidents in 2020, with attacks targeting different business sectors and COVID-19 vaccine research groups alike, this discussion session firstly provided key context on the challenges faced. Chris Perkins from Microsoft UK described these as:

·      Rapidly securing access and identity across remote then hybrid working environments, without compromising on productivity or user experience

·      Increasing sophistication and frequency of cyberattacks with a 300% increase in identity attacks in 2020, with motifs and methods evolving and automating

·      Navigating skills gaps - 43% of organisations find it hard to fill vacancies and 30% of businesses report critical skill gaps including security, architecture and testing

In many ways this combination of factors coming together has created the perfect storm:

‘It's that perfect storm of the financial challenges, the multiple risks, the cacophony of noise and pressures on all of the teams that go across all that. And in the middle of all of this, we've got to be maintaining the cybersecurity postures that that we know keeps the organisation secure’. Pete Cooper, Deputy Director of Cyber Defence, GSG.

So how do we address this? In combination, this means the need to secure an ever expanding security perimeter and this starts by implementing a zero trust approach that assumes breach, verifies explicitly and uses least privileged access. And this is not only about the technology, this a cybersecurity mindset embedded across leadership and culture too, and with benefits that move beyond embedding security to enabling organisational agility, innovation capacity, trust building and sustainable competitive advantage.

‘It's our vision mission at Microsoft to empower everyone at every organisation to achieve more. As we reflect on the past year or so, what we want to do is support our customers and partners in building back better. We as organisational leaders have to take the learnings and build an integrated inclusive strategy’. Chris Perkins, Public Sector Lead, Microsoft UK. 

And positive learnings can indeed be taken! Despite the pressures of urgency, rapid change and complexity placed on IT estates and cybersecurity teams in particular, organisations have responded. Pete Cooper stresses that now is the moment to reposition defences as we move into hybrid working models. Wherever you are in your security posture development, it is critical now to go back and re-examine it, to re-check all assumptions and to do this on a continual basis. This is an imperative to stay ahead of always evolving threats and to ensure that security posture is fully linked to what organisations are doing from a business perspective too. I believe this is key to moving beyond business resiliency, that by its nature is often reactive, to a more proactive agility to change.

Supporting this, investment in training and awareness is crucial. Security is a shared responsibility that must be understood at every single level of the organisation, and an organisations’ sphere of influence in this regard can be applied across the stakeholder ecosystem too. This is something that takes time and dedicated effort by everybody, every day. With the right information flows in place, this will enable a shared appreciation of what risk really means – the capacity to talk about it, understand it, escalate it, manage it and prioritise it. 

‘Now you've got one perspective of the risk that you're facing. And actually, one understanding of how you're tackling it and the pathway that you're on’. Pete Cooper, Deputy Director of Cyber Defence, GSG.

And as a final thought from this discussion, the power of partnership also comes to the fore. Firstly, from the perspective of democratising access to learning of sector relevant skills, especially to address gaps across security, architecture, testing and beyond. A great example of this here. And secondly regards co-creating solutions and fostering knowledge sharing. As bad actors continue to collaborate for mal intent, we must do the same both within and across organisations, industries and research communities to negate that threat. And from the UK’s perspective, it is clear that Cyber Security is now a strategic issue that needs a united approach to optimise the benefits of technology for business and for wider society too.