The Cabinet Office is at the heart of an ambitious plan to address security concerns in Whitehall by pooling scarce resources and creating security clusters.
It is understood that a pilot cluster, expected to launch soon, will incorporate a series of functions, including finance, staff working, roles and responsibilities, and standards and performance.
Government officials are currently discussing membership of the pilot cluster with between four and six departments, as well as the initial security services to be offered when it launches.
Officials are further understood to be working closely with the National Cyber Security Centre and Centre for the Protection of National Infrastructure to ensure that they will be able to integrate their advice and expertise with the cluster model. It is understood that the first cluster is likely to enter the pilot phase this month.
The issue of protecting information across government was addressed in a recent National Audit Office (NAO) report which argued that the Cabinet Office has not yet established a clear role for itself in coordinating and leading departments’ efforts to protect their information. Furthermore, its evolving ambition to undertake such a role is weakened by the limited information it has on departmental costs, performance and risks, the NAO said.
According to the NAO report, until recently, the centre of government recognised that there was a need to build a community of senior information risk owner (SIRO) professionals, but had made only limited progress in achieving the objective. Central government support was largely focused on SIROs in the main Whitehall departments, with no direct assistance to their counterparts in local government. Similarly, SIROs in arm's-length bodies often received little support. In May 2016, the NAO said, the Cabinet Office began planning the formal withdrawal within central government of the SIRO role, and the development of chief security officer roles, which are intended to be full-time posts.
The NAO report discussed the early moves towards the Cabinet Office’s examination of clusters, saying that to address skills shortages and other challenges, the Cabinet Office’s March 2016 review proposed pooling the government’s 73 existing security teams. The report suggested that central government will now adopt four security clusters across all departments to deliver vetting, cyber and physical security services and to communicate best practice and education for staff and boards.
The NAO does point out that ultimately, departments themselves remain responsible for their own information, and are best placed to manage risks and be accountable to Parliament for information breaches. So managing the risks within a cluster governance structure will need further explanation, the report argued.
The NAO suggested that protecting information while re-designing public services and introducing new technology to support them is a complex challenge for government. To achieve this, the centre of government requires departments to risk-manage their information, but few departments have the skills and expertise to achieve this by themselves.
Responding to the NAO report in a blog, the Securestorm security consultancy argued that while the proposed security pilot would counter the lack of skills and expertise in departments in the short term, it doesn't support the wider public sector. It argued that the only effective solution is to reduce the complexity and effort required to pragmatically manage information risks, as longer-term plans, such as increasing the security talent pool through education, take time to bear fruit.