Why ‘One Team’ is so important in fighting cyber threats.
Historically, cyber security in the MOD was outsourced to delivery partners or handed to a single cyber specialist, who was often a contractor. Their expertise lay in working through a checklist to "prove" that good cyber practice was being followed, but they usually worked in isolation from the rest of the team.
As the UK MOD abolishes accreditation across programmes and replaces it with continual, risk-based assurance under Secure by Design, the way teams do cyber security will need to change. This is where the 'One Team' approach comes in.
The whole team must be involved in cyber security in a programme because it touches everything the team does. Cyber security questions should be approached in the same way as capability, resourcing and budgeting questions: as programme decisions owned by the team, not as a specialist's checklist.
The NCSC recommend using a risk management framework. The MOD have chosen the NIST Risk Management Framework, NIST SP 800-37 Rev. 2. This provides a structured framework that facilitates teams working together, starting with the Prepare step (the planning phase). Evidence gathered in the Prepare step will guide the decisions made in the programme. This should in turn give team management and Senior Responsible Owners (SROs) confidence that risks are being well managed.
Many topics need open discussion and agreement across the team, and this is best captured by running workshops. Once you have gathered this detail, revisit the assumptions and agreements often: the MOD recommends doing so every 3 months, or whenever anything significant changes. We also recommend that you bring in expert consultants to help you get started, as much of the language and many of the concepts will be unfamiliar at first.
If you want further guidance on how to start developing the Prepare step within your programme, or want an independent evaluation of your evidence using the MOD self-assessment tool, then come and speak to bee-net. We were the team that developed Secure by Design (the risk management approach) on behalf of the MOD.