In this podcast, Todd Revell is joined by CGI cyber specialist Gary Fildes to discuss the Government Cyber Action Plan and what it means for organisations across the UK. Drawing on his expertise in cyber resilience, governance and assurance, Gary explores how the plan is shaping expectations around operational risk, cyber maturity and organisational accountability.
Together, they discuss:
- How the Government Cyber Action Plan is shaping cyber resilience expectations across public and private sector organisations.
- The role of the Government Cyber Unit (GCU) in monitoring cyber risk, driving consistency and improving assurance.
- How organisations can approach the Cyber Assessment Framework (CAF), secure by design principles and supply chain assurance.
- Why organisations need to move beyond a tick-box approach to cyber security and focus on measurable resilience outcomes.
- How businesses can prepare for future cyber regulation, evolving threats and increasing scrutiny across legacy systems and managed service providers.
Transcript
Todd Revel: Welcome to this 10-minute podcast on the Government Cyber Action Plan from myself, Todd Revel, and Gary Fildes, Cyber Specialist at CGI. Thank you very much for coming in, Gary.
Gary Fildes: Yes, thanks, Todd. Thank you.
Todd: Okay. We'll start off with question one. What is the Government Cyber Action Plan? What does it mean for my organization in practice?
Gary: The Government Cyber Action Plan is a cross-government delivery framework that builds on the cyber security strategy. It's setting clear expectations for departments. It's an investment of roughly 200 million from there. It's covering a lot of the government arms, legs, bodies. The key change in this one is that it's formed the creation of the Government Cyber Unit, which is called the GCU.
Todd: Yes, that's correct. Quite a heavy investment from the government in this respect, then. How will cyber resilience be measured and assured under this plan?
Gary: It'll be measured essentially by the GCU. Ultimately, measurement is done by evidence, and it's the context that those organizations provide. The main thing of what the government is looking towards is ensuring that resilience will be measured by those outcomes and not just a control presence and a tick-box exercise. It's to demonstrate that they actually can achieve good resilience for their organization there.
Todd: That absolutely makes sense. We've spoken about the GCU already, but what role will the GCU, the Government Cyber Unit, play in overseeing cyber risk?
Gary: What the GCU will provide is they will monitor that cyber risk across government. They will track improvement against the action plan for sure. That's what we want to see in cybersecurity, improvement against the action plan, and that continual improvement there. What they're trying to do is obviously drive consistency and standards and assurance within government, and obviously escalate that systemic risk forward to boards and to government so it can be dealt with adequately.
Todd: Yes, a very useful answer there, an insightful answer. Thank you, Gary. If we look towards more senior leaders and board members of organizations, what does treating cyber as an operational risk mean for these people?
Gary: Well, operational could be seen as day-to-day. I think what the aims of this are is to get greater accountability up to the board, and a strong expectation of that is to improve cyber literacy at board level. It's about understanding the ownership of those risk decisions and particularly risk within that operational environment, which obviously, one of those elements, legacy, is one of the key risks up there with supply chain and probably a few others we could mention on this chat.
Todd: Yes, absolutely. If we dive into that a little bit more then, Gary, so if we look at that cyber assessment framework side of things, so CAF. What level of cyber assessment framework maturity will be expected from these people at the top in organizations going forwards, and even across the organization as a whole? I know there are two separate questions there, but could you try and narrow in on that a little bit more?
Gary: The NCSC CAF, developed originally in 2018, which coincides obviously with the NIS regulations, and we'll cover that later, I'm sure, has been developed. We're currently at version 4 of the CAF. There are four key areas: CAF A, managing risk; CAF B, protecting against cyber-attacks; C is detecting that cyber-attack or cyber events; and CAF D is the impacts of those cybersecurity events there. There are two profiles, one being basic, which is to defend against, in an appropriate and proportionate way, those are the key terms there, a low-skilled threat actor.
The enhanced profile, which sits more with critical national infrastructure, CNI, will be coming more into play as of the next year, and the enhancements for more of the moderate-skilled threat actor will cause disruption. I think that's more aimed towards the effects of ransomware and those threat actors in organized crime looking to generate disruptions to some core businesses.
Todd: That's a really informative answer there, Gary. That's a really good one. Thank you. In particular, explaining how that CAF is broken down and the different threat actors within that. That's a really useful answer. Thank you. If we look to a little bit on a broader scale now, coming away from honing in on that CAF framework, how does the National Cyber Security Center, NCSC, secure by design affect new services and legacy systems? Legacy systems, absolutely huge, I know, but if you could explain a little bit more into that, that would be great.
Gary: Is this at the point where I should say I'm a bit of a fanboy of secure by design? Yes. Secure by design, NCSC have released really good guidance over the past certain weeks, obviously over several years. I'm going to evade the legacy question, by the way, at the moment. I'll come back to that later. Systems ideally should be architected so that they are secure by default, resilient by design, which obviously is a challenge there, and should minimize the impacts of compromise.
Now, that's great on new systems and new services going into the environment and to the business. However, the challenge is how you secure by design legacy infrastructure, which is obviously a challenge. I will use the word challenge there rather than difficult, but it is a challenge.
Todd: Yes, another really useful answer. I guess if we come away from the legacy system side of things, what impact will the new plan have on suppliers and delivery partners?
Gary: Well, the plan brings in a few elements where managed service providers come into scope now under the Cybersecurity Resilience Bill. We'll probably touch on that later, I'm sure. Supply chain, as we've seen in recent cyber-attacks, we won't mention any names at this moment, but obviously, that's a large concern, just as legacy is.
Suppliers supporting public services will obviously face stronger expectations, more assurance expectations with that one. Increasing scrutiny under those flow-down contracts and to assure that third-party cyber posture is, as it should be, in alignment with the CAF profile of that organization under that scrutiny.
Todd: Yes, I know that. That absolutely makes sense. In terms of this enhanced focus that you speak about that needs to be looked into, does GovAssure fit within existing audit and assurance regimes currently? Can you explain what GovAssure actually is and whether it overlaps with any current audit systems organizations may have in place?
Gary: GovAssure is essentially an assurance mechanism for government and arm's-length bodies. There are four stages there. Understand the scope of your essential service within your business. It then requires you to conduct some internal assurance activities, which is then supported by external assurance activities. I guess that's where my role at CGI kicks in, is that I assist in providing those services. I think this is where the shameless plug comes in, is how CGI can assist you with that internal and external assurance activity that you may need.
Todd: I guess if we look at, well, some of our listeners here are probably thinking, how does this affect me? What should I be doing differently in my organization? Or being part of an organization, what should I be doing? How should they be prioritizing the cyber investment across legacy risks, skills, and capability? What does that look like?
Gary: I wouldn't be so bold as to tell people how to handle their business, to be fair. I think it's about doing the adequate assurance inside your organization, understanding the key risk, the key scope of the business, and the risk that you need to address, and prioritizing accordingly. There are obviously challenges. Legacy is something that needs to be addressed. Skills are a challenge. AI will always be a conversation, a win at the moment in cybersecurity. The upcoming conversation topic will be post-quantum cryptography, which is a bit of a mouthful. I'm quite happy with the acronym of that, PQC, to be fair. Times are changing, technology moves on, and that's where we're at.
Todd: Yes, absolutely. It's almost a case of analyzing your risks internally first and then deciding the best course of action, with multiple solutions to target this risk instead of one solution fits all. That doesn't work in this case.
Gary: There are obviously quick wins that you can take care of, but I don't think this is ever one situation, one quick fix, fixes all. If it were, I don't think we'd all have a job.
Todd: That's an excellent point. I guess we looked a lot at the current situation and how organizations, what they should be doing in terms of managing the cyber risk. If we look more to the future, how does this government action plan prepare organizations for future cyber regulation? What should they be looking out for here?
Gary: I don't think it prepares organizations so much. I think it gives, dare I say, a line in the sand or a direction to follow. I'll probably go as far as that one. I think, obviously, all organizations need to plan a strategy for how to address and reduce risk. What this lines up with is a change of upcoming regulations, such as the Cybersecurity Resilience Bill, which will then strengthen the regulatory framework. It gives regulators more power. It will reduce the incident framework. It puts more oversight on supply chains and managed service providers. The scope expands to different sectors. It's just an evolution of the Network Information Systems Regulation of 2018.
Todd: That's a lovely response. Thank you very much, Gary. That's been really insightful having you today. Thank you very much for taking the time to come in. If you would like to find out more about our CGI cybersecurity offerings, please visit our cybersecurity website.
[END OF AUDIO]