Technology and Cyber Security Assurance – Where are we?

By Andrew Jones, Strategy Director, The Cyber Scheme Limited

The UK has been at the forefront of technology research and development and is in the frontline of growing cyber security risk. In 2021 the National Cyber Security Centre (NCSC) produced a white paper on the future of technology assurance in the UK (The future of Technology Assurance in the UK – NCSC.GOV.UK). This set out a strategic view on the UK’s approach to assurance but, more fundamentally, reflects that “It’s all about confidence and whilst we need technology that is suitably resilient to cyber-attack, we also want confidence that it literally does what it says on the tin”.

Even with all the resources at our disposal and very talented people trying to protect the UK, the NCSC issued a warning in November 2023 of an enduring and significant threat to the UK’s critical infrastructure and, by default, to every business (NCSC warns of enduring and significant threat to UK’s… – NCSC.GOV.UK).

Our understanding of, and dependency on, the quality of assurance is fundamental to any business in the digitally enabled services and economy we rely on. It is a fundamental part of the governance and risk management strategy for your business.

There are significant areas of commodity and bespoke technology that have no structured assurance schemes in place, and there is a reliance on consumers and customers of services to undertake their own due diligence and make business risk decisions. This can be challenging for many companies given their dependency on third-party supply chains and business support services.

With some 1.4 million companies in the UK with 1–49 employees, and a further 36,000+ companies with 50–249 employees, making up the SME community, the challenge of ensuring they have access to, or the ability to employ, high-quality cyber security skills and services is significant.

The UK National Cyber Strategy has identified the UK cyber ecosystem as critical to the nation’s prosperity, with a key objective of enhancing and expanding the nation’s cyber skills at every level, including through a world-class and diverse cyber security profession that supports business development, growth, and the economic well-being of the UK. The NCSC, as the National Technical Authority on Cyber Security, has supported the move to improve the professionalisation of the cyber security sector.

Managed Services and Managed Security Services (MSP/MSSP)

We all touch managed services in our daily lives. Such services are essential to business function and, more broadly, to that of society (your personal bank account is a managed service after all!). We make assumptions about security in all aspects of our lives, but the pace of technology change means that the way we calculate the probability of a risk occurring this year, this month or this week can suddenly change, so we must re-think how we quantify risk and resilience.

Predicting events that may have adverse impacts on your business, or on the strategy you had for your business, has changed. Growing competition, new challenges and unpredictable factors amplify the volatility, uncertainty, complexity and ambiguity you and your business face. The ambiguity around security can make decisions hard, and using a Managed Security Services provider can help you make the right choices.

MSPs and MSSPs invest heavily in monitoring and detection as well as maintaining a detailed understanding of the technologies you have selected/contracted to support your business. Cyber is a business risk like many business risks.

Many organisations turn to managed security services given the challenges of operating in-house IT security teams. Dedicated MSSPs will have a wider view of cyber security risk beyond your company and have expertise in services like Cloud and M365. But it is important to remember that you cannot transfer risk to a supplier: they are there to help you manage and mitigate or avoid risks, but you still own them. You should ‘Trust but Verify’ all commercial relationships and services that are critical to your business success and future.

When appointing an MSP/MSSP you should apply appropriate due diligence, and your commercial team should ensure that you have clarity in terms of roles, responsibilities, the ability to deliver and maintain regulatory and legal compliance and, most importantly, the resilience plans that will be in place should you be the victim of a cyber security incident.

The fundamentals that underpin a good MSP/MSSP

Its people, their experience, and their professional standing. But remember that you need to look internally as well, to ensure you have the right skills to manage such relationships and hold your suppliers and business partners to account. Trusted vulnerability management and assurance testing are key to understanding your risks.

The creation of a Chartered body for the cyber security profession (The UK Cyber Security Council – UKCSC) and the appointment of Licensee bodies – The Cyber Scheme Ltd (TCS) and The Chartered Institute of Information Security (CIISec) – provide a platform for professionals you can trust, in much the same way you see in regulated sectors (healthcare, legal, education, social care, transport etc.).

Having confidence that the competence of the people providing services to your business has been validated and verified is important.

The UKCSC defines Competence as a professional’s ability to carry out cyber security activities successfully. This includes possessing the underpinning knowledge, understanding and experience; knowledge and understanding of wider cyber security; the ability to communicate effectively at all levels; personal behaviour and approach; and the ability to lead yet also know the limits of one’s own abilities and when to request assistance.

What being a licensing body for the UK cyber profession means

The UK Cyber Security Council was introduced in March 2021 to be an independent body that sets standards and defines career and learning paths for the cyber security industry. It was established by His Majesty’s Government (HMG) to define the professional standard needed to ensure the UK is a safe and secure place to live and work online.

The UK Cyber Security Council provides a “single governing voice for the industry to establish the knowledge, skills and experience required for a range of cyber security jobs, bringing it in line with other professions such as law, medicine, and engineering”.

The Cyber Scheme has been instrumental in developing Chartership pathways for cyber security professionals with the UK Cyber Security Council, and worked closely with the Council on the creation of the professional registration titles for the Security Testing specialism, which is now live alongside the specialisms offered by our strategic partner The Chartered Institute of Information Security (CIISec).

Andrew Jones – Strategy Director, The Cyber Scheme

Focused on cyber security futures (defensive and active engagement), intelligence and professional development, Andy has worked on cyber security design verification and validation across a wide range of engineering implementation and research areas.

He has 31 years’ experience in Central Government and foreign Government collaboration, covering a wide range of roles involving policy development, operational delivery, planning, financial and business change in the areas of cyber security and information assurance, assured services, technical operations, communications technology, crisis management, and complex project and programme delivery.

He is currently Strategy Director of The Cyber Scheme Ltd, where he works on professional standards for the penetration testing community, as well as being the Chair of the Professional Standards Working Group at the UK Cyber Security Council.

About The Cyber Scheme:

The Cyber Scheme is a leading assessment body and an NCSC Certified Delivery Partner for technical training and exams. The assessments they offer are simply the best available; consultants who pass them demonstrate competence and skill at the highest level defined by the UK’s National Technical Authority for Cyber Security (NCSC).

They also offer training and mentoring to complement the assessments, from entry to expert level, meeting the growing needs of industry as threats evolve.
