Better security leads to simplification

If there’s one thing we’ve learned about the infosec scene, it’s that there’s no single path great professionals take. For example, Rosie Jessop, the Head of Security for the Office of the CTO in the English government, started her working life as a neuroscientist.

Jessop has led a project that has transformed the UK’s security so that the entire organisation has been able to innovate. Through an ambitious program, she led changes that have made it possible for the government to deliver new and more efficient services.

One of the challenges Jessop faced was that the old record-keeping rules and security levels were based on 1950s thinking. The processes and procedures the government was mired in were founded on the principle that information was primarily stored on physical media such as paper, with six different clearance levels.

Following extensive consultation in government, industry and overseas, Jessop and her team settled on a three-level system: official, secret and top secret. The classification of documents was based on threat, with the vast majority of documents considered “Official” – the lowest level of classification.

Official documents can be managed using commercial solutions and commodity IT, with bespoke solutions only required for secret and top secret. This has led to some significant operational changes.

“Security can enable something genuinely transformative,” Jessop told delegates at the recent Technology in Government forum held in Canberra.

In the past, security assessments had become a series of prescriptive checkboxes that limited the technologies that could be used for different types of data. For example, online storage services were problematic as old procedures, tied to document classification, required a physical address and location to be retained for each document. But this doesn’t make sense for electronic systems.

“It has enabled us to have much more sensible discussions about offshoring,” says Jessop. That new approach to security has also opened the doors to more device types in users’ hands. A new CYOD – Choose Your Own Device – policy is in place, allowing personnel to choose the equipment they want to use from a selection of approved devices.

The transition has not been without challenges.

“There have been enormous challenges. One is a change in the expectations in our security professionals,” according to Jessop.

Before, there was a separation between security, technology and business people. Security teams were incentivised to be risk averse, so they needed to be refocused and reskilled.

Also, a sub-category of the Official document level was established, called Official – Sensitive. Staff accustomed to keeping document circulation limited to small groups over-used this classification, resulting in unexpected operational complexity. That mess has taken many months to resolve, both from a data management point of view and with retraining of people.

Also, the old data classification system and system security categorisation had become a form of operational shorthand for data exchange. The shift to the new classification meant old ways of communicating and exchanging data were no longer relevant. Again, this was a people issue that required time and effort to resolve.

Significantly, Jessop saw this as a trust issue between the people using the system, the technology that was in place and changes to the operational procedures that were in place. Over time, by addressing all of these parts of the solution, Jessop and her team have been able to transform operations through better and simplified security.


Stories by Anthony Caruana
