An Integrated Approach to Security
Govciooutlook

By Campbell McCafferty, Chief Security Officer, DWP Digital

It’s one of the constant criticisms levelled at security functions: that they exist to say “no”. With the pace of change underway across the industry and, more pertinently, across government, this perception is not helpful when striving to deliver digital and service transformation against a backdrop of efficiency challenges and an ever-evolving threat landscape.

At DWP, changes are underway: security is moving from a traditional technology-driven approach to a risk-driven one, bringing a more integrated approach.

If we see ourselves as the last line of defence of the organisation, we are already set up to fail. That stance doesn’t recognise how we can best support our organisation in a co-operative and strategic way, and it doesn’t allow the business to make well-informed risk decisions.

Under a programme of work called One Security, DWP is putting in place a supporting Governance, Risk and Compliance (GRC) framework that is helping leaders across the department take accountability for security in their areas, supported by expert and collaborative security functions. Our Enterprise Security and Risk Management team have recently been recognised for our work in this area, winning the prestigious ‘GRC Journey’ award at the 2019 UK GRC Summit.

We have matured our security risk process significantly over recent years, recruiting and developing expert capability. We are now moving from a traditional asset-based approach to a controls assurance approach. Large-scale organisations such as DWP have many assets, both tangible and intangible, and it is easy to lose sight of your focus. Moving to security controls assurance will allow us to concentrate on what is key to delivering and supporting business objectives. It will provide greater context and remove subjectivity, enabling us to target key areas.

The department has moved away from a “you can’t do that because” approach to a “you can do that if” one, particularly in the digital space, supporting the ‘build fast, fail fast’ agile approach. The new approach sees collaboration from the outset, with secure by design as a foundational element and accountability for security and risk management sitting with the product manager.

Our digital teams are supportive of the changes. As developers at heart, they want to get applications built and into service. Under our old way of working, they could build a great tool, then spend months going through approvals before going live. If we build in security from the outset, then we are aligned in our delivery.

It’s not just in digital that we are changing though. We are helping the organisation move to a more mature view of how it sees and manages security risk. It might not sound the most stretching challenge, but ensuring visibility and accountability in risk decision-making is a significant culture shift.

We are integrating our security capability and removing silos to ensure we can safely and reliably deliver objectives while addressing uncertainty. Over time, I’m confident that DWP will become not only more secure but also aligned across all areas in delivering our core purpose of helping the most vulnerable people in society.