Government security initiatives: is the message getting through?

We need to see all results of government initiatives - both positive and negative - if industry, and especially SMEs are to act on them says Alan Carter.

Waking Shark II results lack bite
Waking Shark II results lack bite

CERT UK, Cyber Streetwise, Operation Waking Shark II, Cyber Essentials Scheme: there's been a real focus on security from the Government in recent times, and rightly so given the increased risk to which businesses are now exposed.

With cyber-security now high on the political agenda and breaches a regular feature in the mainstream media, we can only expect the attention our industry receives to intensify. As part of this, we'll see more initiatives, programmes and campaigns emerge to help raise awareness in the enterprise about the increasing number of threats posed and just how much damage they can do to a business.

But in an election year in which cyber-security policies will be outlined to influence voters, we only really have personal opinions to draw upon to measure how some of these large-scale initiatives have been received by the IT community.

The good, the bad and the unpublished

While we're seeing an increasing number of these initiatives launched and given outlines of what they're expected to achieve, we seldom hear anything about results. We have often seen programmes make a big splash in the media and quickly go off the radar, with outcomes released in a more surreptitious manner.

In a bid to understand how IT professionals have interpreted them, we commissioned some market research to try and summarise what end user organisations have made of Government initiatives and what impact, if any, they've had.

One of the standout statistics to emerge from the study was that 45 percent of IT professionals feel Government initiatives have actively helped them raise awareness of cyber-security to senior management. Moreover, nearly half 47 percent reported that these had helped them communicate the importance of security across their organisation.

Over a third (39 percent) also said they'd used the insights to help define IT security standards and policies, and a quarter (24 percent) have used the information to set strategies, so end user organisations are clearly seeing some benefit to these initiatives.

It's very encouraging to see taxpayer money going to good use and some launches have evidently had a positive impact, but other statistics tell us there's still a way to go before these are widely acknowledged and acted upon.

When the research was broken down by company size, it reveals smaller organisations (1,000 to 3,000 employees) are seeing less benefit. Almost a third (28 percent) said initiatives had gone largely unnoticed in their organisation, while 34 percent said they hadn't used the insights generated in any way.

This seems to suggest one of three things: either these results aren't being advertised to the right audience, they aren't published frequently enough, or more likely, these smaller companies have a ‘head in the sand' type attitude to security. There is certainly a stubborn ‘it won't affect us' attitude still reverberating around some sectors, and the lack of resource to act on these insights and expertise to make sense of them means there's still a big hurdle for Government initiatives to help overcome.

Trusted source?

The research also asked respondents about their primary source of security insight, and whether Government initiatives were a go-to resource when it came to setting policies and security strategies. 35 percent said they still see professional bodies like the IISC or ISC2 as the main source of insight, with a quarter (25 percent) relying on vendor/service providers for expert input – only 13 percent said they'd sought the results of Government initiatives.

This seems to suggest an uncertainty around the likes of CERT-UK and Waking Shark; does the IT professional trust them? Will their influence grow as they become more established? Only time will tell. But if it transpires to be a trust issue, the Government really needs to resolve this problem because businesses, large or small, really can't have enough free, independent and impartial information to help to increase security awareness. 

While Government initiatives have clearly had a positive impact on IT security, there's still plenty of room for improvement. Although initiatives are clearly grabbing c-level attention in major enterprises, they are far less effective at raising awareness in smaller organisations or amongst individual employees.

To solve this, perhaps we need to look beyond some of the one-off stress-testing exercises for example, and place more of emphasis on a complete approach to security. If there is an onus is on responding to attacks for example, it detracts the attention from other important areas like assessing risk, proactively monitoring for threats and protecting assets before an attack. If these are all implemented into Government initiatives, they will surely become more central to IT professionals rather than a source of valuable strategic advice.

If we want security insights to resonate outside of the IT department, up to the boardroom and across organisations, we need Government initiatives to take a more rounded approach to security and also publish failures as well as successes to ensure adoption across the entire spectrum of the enterprise

Contributed by Alan Carter, cloud services director, SecureData