It’s one of the constant criticisms levied at security functions: that they exist to say “no”. With the pace of change underway across the industry and, more pertinently, across government, this perception is not helpful when striving to deliver digital and service transformation against a backdrop of efficiency challenges and an ever-evolving threat landscape.
At DWP, changes are underway with security moving from a traditional technology-driven approach to a risk-driven one, bringing a more integrated approach.
If we see ourselves as the last line of defence of the organisation, we are already set up to fail. That view doesn’t recognise how we can best support our organisation in a co-operative and strategic way, and it doesn’t allow the business to make well-informed risk decisions.
Under a programme of work called One Security, DWP is putting in place a supporting Governance, Risk and Compliance (GRC) framework that is helping leaders across the department take accountability for security in their areas, supported by expert and collaborative security functions. Our Enterprise Security and Risk Management team have recently been recognised for our work in this area, winning the prestigious ‘GRC Journey’ award at the 2019 UK GRC Summit.
We have matured our security risk process significantly over recent years, recruiting and developing expert capability. We are now moving from a traditional asset-based approach to a controls assurance approach. Large-scale organisations such as DWP have many assets, both tangible and intangible, and it is easy to lose sight of your focus. Moving to security controls assurance will allow us to concentrate on what is key to delivering and supporting business objectives. It will provide greater context and remove subjectivity, enabling us to target key areas.
The department has moved away from a “you can’t do that because” approach to a “you can do that if” one, particularly in the digital space, supporting the ‘build fast, fail fast’ agile approach. The new approach sees collaboration from the outset, with secure by design as a foundational element and accountability for security and risk management sitting with the product manager.
Our digital teams are supportive of the changes. As developers at heart, they want to get applications built and into service. Under our old way of working, they could make a great tool, then spend months going through approvals before going live. If we build in security from the outset, then we are aligned in our delivery.
It’s not just in digital that we are changing though. We are helping the organisation move to a more mature view of how it sees and manages security risk. It might not sound the most stretching challenge, but ensuring visibility and accountability in risk decision-making is a significant culture shift.
We are integrating our security capability and removing silos to ensure we can safely and reliably deliver objectives while addressing uncertainty. Over time, I’m confident that DWP will become not only more secure, but all areas will be aligned in delivering our core purpose of helping the most vulnerable people in society.