An Integrated Approach to Security

By Campbell McCafferty, Chief Security Officer, DWP Digital

It’s one of the constant criticisms levelled at security functions: that they exist to say “no”. With the pace of change underway across the industry and, more pertinently, across government, this perception is not helpful when striving to deliver digital and service transformation against a backdrop of efficiency challenges and an ever-evolving threat landscape.

At DWP, changes are underway with security moving from a traditional technology-driven approach to a risk-driven one, bringing a more integrated approach.

If we see ourselves as the last line of defence of the organisation, we are already set up to fail. That view doesn’t recognise how we can best support our organisation in a co-operative and strategic way. It doesn’t allow for the business to make well-informed risk decisions.

Under a programme of work called One Security, DWP is putting in place a supporting Governance, Risk and Compliance (GRC) framework that is helping leaders across the department take accountability for security in their areas, supported by expert and collaborative security functions. Our Enterprise Security and Risk Management team have been recognised recently for our work in this area, winning the prestigious ‘GRC Journey’ award at the 2019 UK GRC Summit.

We have matured our security risk process significantly over recent years, recruiting and developing expert capability. We are now moving from a traditional asset-based approach to a controls assurance approach. Large-scale organisations, such as DWP, have many assets, both tangible and non-tangible, and you can lose sight of your focus. Moving to security controls assurance will allow us to concentrate on what is key to delivering and supporting business objectives. It will provide greater context and remove subjectivity, enabling us to target key areas.

The department has moved away from a “you can’t do that because” approach to a “you can do that if” one, particularly in the digital space, supporting the ‘build fast, fail fast’ agile approach. The new approach sees collaboration from the outset, with secure by design as a foundational element and accountability for security and risk management sitting with the product manager.

Our digital teams are supportive of the changes. As developers at heart, they want to get applications built and into service. Under our old way of working, they could make a great tool, then spend months going through approvals before going live. If we build in security from the outset, then we are aligned in our delivery.

It’s not just in digital that we are changing though. We are helping the organisation move to a more mature view of how it sees and manages security risk. It might not sound the most stretching challenge, but ensuring visibility and accountability in risk decision-making is a significant culture shift.

We are integrating our security capability and removing silos to ensure we can safely and reliably deliver objectives while addressing uncertainty. Over time, I’m confident that DWP will become not only more secure, but all areas will be aligned in delivering our core purpose of helping the most vulnerable people in society.
