If there’s one thing we’ve learned about the infosec scene, it’s that there’s no single path great professionals take. For example, Rosie Jessop, the Head of Security for the Office of the CTO in the English government, started her working life as a neuroscientist.
Jessop has led a project that has transformed the UK's security so that the entire organisation has been able to innovate. Through an ambitious programme, she led changes that have made it possible for the government to deliver new and more efficient services.
One of the challenges Jessop faced was that the old record-keeping rules and security levels were based on 1950s thinking. The processes and procedures the government was mired in were founded on the principle that information was primarily stored on physical media such as paper, with six different clearance levels.
Following extensive consultation in government, industry and overseas, Jessop and her team settled on a three-level system: official, secret and top secret. The classification of documents was based on threat, with the vast majority of documents considered "Official", the lowest level of classification.
Official documents can be managed using commercial solutions and commodity IT, with bespoke solutions only required for secret and top secret. This has led to some significant operational changes.
"Security can enable something genuinely transformative," Jessop told delegates at the recent Technology in Government forum held in Canberra.
In the past, security assessments had become a series of prescriptive checkboxes that limited the technologies that could be used for different types of data. For example, online storage services were problematic because the old procedures, tied to document classification, required a physical address and location to be retained for each document. This doesn't make sense for electronic systems.
"It has enabled us to have much more sensible discussions about offshoring," says Jessop. That new approach to security has also opened the doors to more device types in users' hands. A new CYOD (Choose Your Own Device) policy is in place, allowing personnel to choose the equipment they want to use from a selection of approved devices.
The transition has not been without challenges.
"There have been enormous challenges. One is a change in the expectations in our security professionals," according to Jessop.
Before, there was a separation between security, technology and business people. Security teams were incentivised to be risk averse, so they needed to be refocused and reskilled.
Also, a sub-category of the Official level was established, called Official – Sensitive. Staff accustomed to keeping document circulation limited to small groups over-used this classification, resulting in unexpected operational complexity. That mess has taken many months to resolve, both from a data management point of view and through retraining of people.
The old data classification system and system security categorisation had also become a form of operational shorthand for data exchange. The shift to the new classification meant old ways of communicating and exchanging data were no longer relevant. Again, this was a people issue that required time and effort to resolve.
Significantly, Jessop saw this as a trust issue between the people using the system, the technology that was in place and the changes to the operational procedures that were in place. Over time, by addressing all of these parts of the solution, Jessop and her team have been able to transform operations through better and simplified security.