Cyber security: an impossible sell?

4 Jul 19

John Thornton asks whether the Public Accounts Committee was fair to strongly criticise the Cabinet Office over the evidence base and lack of a business case for the National Cyber Security Programme 2016-2021.


I must admit that I have some sympathy with the Cabinet Office on this one.

The government introduced a coordinated approach to cyber security in 2010 and has published two five-year strategies. The first covered 2011-2016, including establishing the National Cyber Security Centre in October 2016.

The plans post-2021 have not yet been released.

The current strategy is designed to achieve three objectives.

  • To defend the UK against evolving cyber threats and incidents
  • To deter, by making the UK a harder target for cyber attacks
  • To develop an innovative, growing cyber security industry with world-leading research and a pipeline of skills.

The traditional business case says that if we invest ‘x’ we achieve ‘y’ benefits. The business case for information security is always more challenging, though, as you are investing to prevent potential losses and future problems. Plus, the real costs and losses only become apparent when we have failed to invest sufficiently, or we have invested in poor or incomplete levels of protection.

You might recall when HMRC ‘lost’ data for 25 million child benefit claimants on two CDs. This could have been prevented by a relatively modest amount of training in the basics of information security. Instead, it raised concerns about poor information management practices across government, had a damaging effect on its reputation for handling confidential data and cost money to put right. Ultimately, it was a wake-up call.

At the organisational level, the business case is a bit like buying insurance. You need a strong understanding of the risks, a clear security posture and must align the risks with the investment. Potential risks could include Information Commissioner fines and reputational risk, as well as the impact of attacks on your operations. You will almost certainly find that you can’t afford to completely mitigate all of the risks, so will need to prioritise.

At national level, the considerations are similar but more complex. Investing in information security provides a secure environment for government, citizens and industry to communicate, transact business and build a digital economy. This makes the UK an attractive place in which to invest and do business. As there is a global shortage of cyber skills, investing in training and technology should help to stimulate and support UK businesses that want to specialise in information security.

The business case for information security is a hard one to pin down, as the real cost of insufficient investment is only apparent when it’s too late

The cost of cyber crime globally is now estimated at 0.8% of GDP or $600bn a year. Additionally, the UK has a high level of exposure to, and potential impact from, cyber attacks, as it is one of only five permanent members of the United Nations Security Council, a key member of NATO and other international bodies, and has recently publicly named countries it suspects of involvement in cyber or other attacks against the UK and its citizens.

What an interesting business case to work on.

John Thornton is the Director of e-ssential Resources and an independent adviser on business transformation, financial management and innovation.
