Few organisations, if any, can be self-sufficient in their internal cyber resources. Apart from relying on specialist external services, such as penetration testing and virus filtering, councils are increasingly likely to be using other service providers for a wide range of cyber activities, from independent testing to routine monitoring software. In addition to internal auditors, external cyber specialist advisors can bring a level of knowledge and current expertise that is hard to retain in-house, to check on the robustness and appropriateness of cyber resilience planning and implementation.
Not all of these services need be costly. Many, such as the advice and support from local WARPs and the NCSC, are freely available. There is also a variety of basic network and systems tools that can be acquired at no or low cost and that can be used to target particular cyber risks, perhaps complementing, if not replacing, the more sophisticated technologies required to protect digital infrastructures.
Other services come at a price, especially the more sophisticated managed security services and tools. Methods, too, take resources to implement and sustain, and there is a need to consider the internal cyber roles necessary to oversee good practice.
Councils need to make adequate provision in their plans, processes and practices for the insurance and protection demanded in this modern digital age, since skimping on cyber protection can have serious consequences for the organisation and for citizens.
This requires the necessary prioritisation of cyber investment, with the CIO or Head of IT working with colleagues, including the CFO and emergency planners, to ensure an understanding of its value and importance in digital developments and in ensuring resilience of legacy IT services. A cyber strategy should harness the skills, tools and processes needed to anticipate changing cyber risks and should ensure strong governance to manage and mitigate them.
This is also an area where there is justification for sharing and pooling resources, best practices and methodology across public services. Benefits lie not only in economies of scale in staff and technologies, but also in sharing best practice and intelligence, and in protecting mutual interests.
This third in our series of cyber investigative reports looks at some of the common cyber standards, methods, technologies, and resources that are available to public service organisations as they plan their cyber strategies.
To access the rest of the report:
Part 1: https://socitm.net/publications/inform-report-cyber-risk-the-local-government-context-part-1
Part 2: https://socitm.net/publications/inform-report-cyber-risk-people-teams-and-cyber-roles-part-2
Part 4: https://socitm.net/publications/inform-report-cyber-risk-where-to-start-cyber-planning-part-4
Part 5: https://socitm.net/publications/inform-report-cyber-risk-cyber-risk-futures-part-5
This publication requires Socitm membership to download