Well, it's certainly been an interesting week. Firstly, we discover that cyberattack ranks right up at the top of the risk list for the UK alongside more familiar terrorist activities. We also discover that there's an extra £650m worth of public funds being set aside to improve our cyberdefences. Setting aside some fairly natural cynicism that pushing the (relatively) cheaper option of boosting our cyberdefences (compared to a fully functional aircraft carrier, for example) is nothing more than a nifty political sidestep, I must admit to some interest in seeing where this extra cash is going to go. I can't help feeling a little fear that this money could be wasted in a couple of ways:
i) Supporting the numerous organisations that we already have dealing with cybersecurity in the UK, e.g. CESG (and CSOC), the Cabinet Office (and the OCS), etc., and increasing the overall bureaucracy
ii) Purchasing more firewalls and intrusion prevention systems and other easily packaged and easily procured technologies.
The core problems facing HMG and the wider CNI relate to a lack of understanding of the true threats and likely attack vectors, together with an unfortunate lack of effective governance for cybersecurity issues. I'm fairly sure that the risk appetites of any number of organisations would shrink dramatically should individuals of the correct seniority be held personally accountable for any security incidents. Of course, in order to get to this position there needs to be the appropriate will and desire to compel such individuals to take on this responsibility, and then money spent on the education of these newly willing volunteers to ensure that they can actually make informed decisions. In the interests of fairness, I think there's also a case to be made for educating many security professionals so that they can discuss threats, vulnerabilities and risks in a manner that can be understood by senior business types - technologies don't really matter so much as the potential business impact. We need to understand the technologies to minimise risk; they need to understand the business impacts so that they can tell us which risks we should be concentrating upon. None of this is news to most of you, and it's been tried before (particularly post-Hannigan), but there's still a lot more to be done.
Fingers crossed that this money finds its way to those who know what needs to be done and is not simply thrown at technology - I know it's a lot easier to procure a firewall than it is to procure a well-informed Senior Information Risk Owner, but I also know which has the most beneficial effect in the long term...
Friday, 22 October 2010