Balancing Risk Management and Budgets
The 2010 Comprehensive Spending Review promises only severe cuts to departmental budgets and the cancellation of all non-essential services.
Although those departments identified as key to UK Security and Resilience are less likely to be subject to these cuts, the question that remains is: how do the majority of departments and agencies fund critical Information Assurance functions that are either mandated through policy, or are required to securely meet the technology-enabled aspiration of doing more for less?
By way of example, despite local authorities being likely to be among the hardest hit, all 43 UK Police services have been asked to adopt new security policies aligned with the new CESG Information Assurance Maturity Model (IAMM).
The issue of risk vs. affordability therefore cannot be ignored.
Despite the Coalition Government’s focus on reducing the national budget deficit, data breaches and failures in information sharing are still the headlines that every organisation fears and none can afford.
The Information Commissioner’s new powers to impose fines would be the least of a department’s concerns. The loss of reputation and confidence, the associated effort of introducing additional training, and the implementation of new processes and procedures after the proverbial horse has bolted, all represent substantial hidden costs that will have a short- to mid-term effect on any organisation’s ability to deliver the services expected of it.
How such risks are addressed within such a harsh fiscal reality, therefore, is likely to remain a major headache for any CEO/CIO/SITO. Already, 25% of Local Authorities have admitted to experiencing a security breach in the past 12 months. This figure is only likely to rise should the search for savings mean corners are cut and information chains fail to be robustly managed.
With most analysts predicting staff cuts, it is unlikely that most organisations will be able to justify dedicated in-house information assurance expertise. Likewise, the current virtual moratorium on consultants appears to make it impossible to buy in expertise.
So, is there a way that departments can afford to deliver information assurance effectively, or are they just waiting for the inevitable consequences of an information tsunami to hit?
A different approach
A possible happy medium that should be considered is the development of information assurance managed services. This approach can provide security expertise as and when required, and provide a consistent framework for an organisation’s security requirements, thereby providing value for money over an extended period.
Identifying the countermeasures that are truly effective, and the domain in which they apply, comes with experience. With a bought-in managed service, clients can benefit from a deep understanding of prioritised risks, the organisation’s level of security maturity, and its threat exposure that internal resource may not be able to provide. Whilst the up-front cost of external advice may seem high, the through-life cost of devolving the security process domain can be manifestly low, particularly where operational savings can be made without compromising security.
Help is at hand
Fortunately, the UK can be rightly proud of an information security industry that is universally viewed as a world leader. Independent professional services companies such as VEGA are able to offer a portfolio of managed services that can deliver best-practice, bespoke solutions.
VEGA’s credentials alone include membership of the CESG Listed Advisor Scheme (CLAS), which aims to satisfy the increased demand for authoritative Information Assurance advice and guidance. The company is also a registered service provider under CHECK, the UK Government’s accredited IT Health Check Service. Additionally, VEGA’s membership of the UK Centre for the Protection of National Infrastructure’s Risk Management Development Group is an acknowledgement that companies such as VEGA are trusted to provide protective security advice to the UK’s Critical National Infrastructure community.
What’s more, VEGA and its contemporaries already have approved supplier status for providing quality-assured and value-for-money information security services through Government framework catalogues such as Buying Solutions and the UK MOD’s ICS Catalogue.
By managing this resource as they would any other services framework, government departments would have access to specialist expertise and Government-prescribed quality and accreditation support.
Making it work
It is clear that even at a time of such dire financial constraints, the public services on which we rely will continue to be increasingly dependent on information-based technology in order to improve the quality of service and be run more efficiently (do more for less). This reliance on information has to warrant a level of risk management that mirrors the potential damage, should such information be denied, lost or used for malicious intent.
It is imperative, therefore, that industry and those departments with most to lose are able to demonstrate not only how a service management approach to information assurance can deliver the required protection, but also clearly articulate a business case as to how and why such investment must be afforded through the coming austere years.
As UK taxpayers face up to the cost of higher taxes, no excuses will be accepted should data breaches mean that services and, more importantly, personal details are compromised.
It is then that the real cost of risk will become all too apparent.
Contact VEGA for more information about balancing risk management and budgets.