One of the most frustrating things we both hear is “you can’t do [insert IT thing here] for security reasons.” These mysterious “security reasons” often stem from the misconception “CESG guidance says we can’t…”
We know we’re not alone - it’s clear from the workshops on making Government IT better that our colleagues elsewhere in the public sector are also used to hearing this. Computers that take an age to boot up due to multiple security applications; internet access that blocks vast numbers of sites; restrictive lockdowns on smartphones that sometimes make them more like bricks than the productive devices we have at home. All because of “security”.
We don't want security to be seen in this way, or to have this impact on how we use technology in the UK public sector. A smarter approach to security helps us all. It means we're not trying to work around confusing rules, or struggling with complex security systems on our computers when we're trying to work. It also means we can work in different ways, using social media for example, or building innovative apps to deliver our services.
We want to challenge the dangerous misconception that good security practice is at odds with technology innovation.
It’s all about balance
CESG and GDS have been working closely on this. We want the right security in the right places - living up to our duty of care to look after the data citizens trust us with doesn’t mean we have to have unusable technology!
We want to get the balance right, and allow informed risk management around the use of technology, particularly at ‘OFFICIAL’ level. Security at OFFICIAL is achieved by following good commercial practices, using well-configured commodity technologies, and by people taking personal responsibility and using their judgement to look after information.
For example, we knew our previous approach to End User Device security wasn’t right. Certifying a limited number of devices was time-consuming and meant a very restricted set of options with barely usable configurations.
So we published the Platform Security Guidance covering common devices such as laptops, desktops, tablets and smartphones for use at OFFICIAL. Rather than turning all the security dials up to “11” we’ve tried to focus on the minimum set of configurations needed to make these devices suitably secure but still usable.
We have also released guidance for System Administrators considering their password policies; a reminder that making passwords increasingly complex and hard to remember doesn’t necessarily increase your overall security.
A default ‘no’ doesn’t equal good security
We think that many of the problems we observe as a result of “security” are actually symptoms of ineffective risk management processes within organisations, which default to saying “no”. We want to help organisations get better at thinking about security and technology, and deliver better results for the end user.
We want to ensure that security guidance evolves in-step with technology advances, so that as new technology becomes available, the UK public sector is ready and able to quickly take advantage of it, with good knowledge of any security risks and benefits it brings.
Security needs to be about helping organisations and individuals achieve what they need to get done, as safely as possible, not about stopping things from happening. We both know there's a lot to do. Along with our colleagues at CESG and GDS, we’re committed to making things better.