by Graeme McDonald, managing director, Society of Local Authority Chief Executives
In Judith Rodin’s excellent book ‘The Resilience Dividend’, she outlines not just that resilience is important in terms of survival, but that whatever crises might come our way we can emerge from them stronger: “We can create and lead lives less shadowed by threat, develop communities and organisations that are more productive and innovative, and strengthen societies such that they are brimming with greater opportunities and prosperity.”
When I think of resilience my thoughts turn immediately to accidents, terrorism and, most prominently perhaps, the impact of climate change. But it is cyber security that is rapidly rising up our consciousness and our organisations’ risk registers, and feeding into major £1.9bn announcements by the Government.
Only recently local government was reminded by the case in Lincolnshire of the impact that malicious attacks on our IT systems can have on frontline services. Indeed, I can remember only too acutely the impact of a wayward memory stick at my own council which had a number of important service systems out of action for a number of days. It not only impacted on service provision – it also rocked the reputation of the organisation and our ability to modernise safely.
These examples have led to cyber security becoming an increasing concern, but it still remains shrouded in a little mystery, with many of us non-experts unsure of what role to play and whether we form part of the problem, let alone the solution. Impenetrable problems often leave us persuading ourselves that they are rightly the preserve of the expert, and ignoring the critical role we all play.
Need for action
There is no doubt that cyber security requires action right across an organisation. In a local authority where information comes in and out in so many channels and from a variety of partners, and where we seek to be as open and transparent as possible, this presents a real challenge.
We do rely on our specialists in some areas. We need them to build digital infrastructure that creates secure environments in which we can work, and applications that enable us to work efficiently and effectively. But we won’t escape the cyber threat by only relying on those experts.
The business as a whole needs to set the agenda on cyber security by identifying the risks that are most important. Choices should be made so that we balance the risks identified, and the cost and business impact of mitigation. And finally, perhaps most importantly, non-specialists play a key role in driving behaviour change.
The whole organisation needs to use data thoughtfully, and to ensure that security is integrated into our business processes. For example, our procurement teams need to ensure our contracts are secure with intelligent terms and conditions that strengthen our cyber resilience. Security should be designed in at the outset.
However, as is so often the case, this type of cultural change is driven and modelled at the top. And it is important that the senior managers and their chief executives regularly give sufficient time to cyber security and its potential impact on the business of local government.
It is tempting to ask the specialists to go away and develop a plan – and to see the top team’s role as simply monitoring the progress of that plan and pushing when required. But there are a number of key questions that senior management teams can start to ask which ensure that the plan is real, measured and grounded:
- Which are our most important risks, and which are less important?
- What is the current level of capability focused on these important risks?
- How are trade-offs between risk and business need being made, and are they the right ones?
- Is the organisation engaged across all of its functions?
- Have we got the resource allocation right?
Asking these simple questions can help ensure that your organisation’s response is both adequate and balanced. We have learnt that finance should not be just the preserve of the accountants, or communications the preserve of the comms team.
Similarly, our response to cyber threats should not be the preserve of IT. It requires a range of responses from across organisations – not least a change in all our behaviour to ensure that our data is used safely and is protected.
Top teams need to set this agenda, balance the risks and lead.
This article was first published in Local Leadership in a Cyber Society: Understanding the Challenges by the DCLG-led National Cyber Security Programme - Local and iNetwork.