A strategic approach to IT purchasing

Paul Heath, Regional Director, UK&I Public Sector at McAfee, discusses why it’s crucial for public sector leaders to review their approach to security purchasing and sponsor a more strategic method

There are many hundreds of security technology companies in the market, each with their own security solution meeting a different cyber security challenge.

Given that every component of IT infrastructure and every new digital process introduces a new security risk, each of those claims may well be true. From tools enabling secure application development and network monitoring that spots malicious activity, to threat intelligence feeds on constantly evolving malware strains and solutions that keep cloud data secure, each offering has its role to play in securing organisations against an increasingly diverse threat landscape.

However, even with the very best of the market's security solutions in place, organisations may still find themselves vulnerable to attack. Many IT and business leaders are increasingly finding that technology by itself isn't the solution.

When technology is purchased tactically to meet a specific requirement, without strategic planning and senior sponsorship, it won't deliver the business outcomes that the organisation needs. And, as we see increased ferocity in the cyber attacks targeting the public sector – whether that's WannaCry causing massive disruption to NHS services, or the megabreach of the US Office of Personnel Management, in which approximately 21.5 million personal records were stolen – it is clear that achieving a positive outcome for cybersecurity is critical to both citizens' privacy and their safety.

Hurdles for strategic purchasing
While this is also true of the private sector, strategic planning for IT and security resources is something that many public sector organisations in particular struggle with.

This is down to two main reasons. Firstly, many public sector organisations are operating on very tight purse strings. On one hand, the government is driving them to invest in digital to provide a more seamless 'consumer' experience of public services. On the other, the public sector is facing a climate of cuts and rising costs. As a result, IT purchasing often happens in the moment, when something is needed, rather than as a long-term, strategically planned process.

Secondly, many public sector organisations have very formulaic purchasing structures that only allow for tactical purchases. As a result, IT leaders aren't permitted to deliver the strategic cybersecurity solutions that deliver the defences and business outcomes that the organisation truly needs.

For example, as one IT buyer at a large city council recently explained to me, because the council can only review cyber security elements on a point-by-point basis when the contracts are up for renewal, they are unable to deliver a holistic plan to secure the organisation against modern, evolving threats. They also can't take advantage of the changing supplier landscape, with its greater vendor integrations and partnerships, to ensure there are no gaps in coverage.

The missed opportunity
But why is it important to take a strategic approach to IT purchasing?

As mentioned, there is a massive number of diverse threats that organisations need to defend against. With no silver bullet to mitigate all of them, IT teams have to purchase a series of different solutions. Adding new technologies is an essential and natural part of security purchasing, but they are often bolted on to existing defences as the need arises. This approach can leave gaps between technologies that a determined cyber criminal could exploit.

To combat this issue, many cyber security vendors are now forming partnerships that enable disparate solutions to integrate and provide the required cover. However, when building cybersecurity defences piece by piece, it is hard for the IT office to take advantage of that collaboration between vendors and buy a package that will deliver comprehensive cover.

Another impact on the IT office, and on security professionals in particular, is the time and effort that goes into managing a number of disparate solutions. With the UK facing a significant cybersecurity skills shortage, the cost of security talent is rising. In fact, last year it was reported that cyber security workers won pay rises of more than 10 per cent on average due to the skills deficit. With limited resources to spend on talent, it is therefore essential that those with cyber security skills within an organisation are deployed to deal with the more complicated threats. With seamless, integrated defences that need less day-to-day management, that talent is freed up to concentrate on the work that adds greater value.

Finally, there is immense digital disruption going on across the public sector. Unfortunately, however, the drive to 'go digital' isn't always accompanied by a holistic review of the new challenges that these approaches might introduce to securing organisations and their data.

In central and local government, for example, there is a big drive to adopt digital, cloud-based processes that will enable them to take advantage of the agility and flexibility the cloud offers, as well as to deliver a better user experience. A great many government departments are moving towards cloud services, with rapid investment in Office 365, as well as Microsoft Azure and Amazon Web Services. However, in many cases, the rush to adopt a cloud-first model hasn't been matched with an overarching, organisation-wide strategy that accounts for the new security and privacy risks this approach introduces.

Similarly, NHS trusts are currently preparing to move entirely to electronic patient records. At the same time, the massive boom in connected medical devices, many of which have been shown to have serious security flaws, is introducing a vast number of vulnerable endpoints to hospital networks.

Commenting on the challenge, Tony McGivern, ICT technical security manager at the County Durham and Darlington NHS Foundation Trust, said: “Ultimately, all these changes and potential changes, from both inside and outside the organisation, demand a higher level of security, with greater visibility, control, and adaptability. For instance, in the future, with increased exchange of information with other healthcare organisations, we need to be even better at knowing exactly what is entering and exiting our network, and blocking anything that shouldn’t enter or depart and ensuring it is secure at all times of transfer.”

Alongside such significant digital disruption to core processes and operations, it is crucial that organisations think about whether similar disruption to cybersecurity strategies and procurement structure is required to secure a digitalised public sector. But, to achieve this, the IT office cannot act alone.

The role of the senior sponsor
With the structural challenges that IT teams face when purchasing technology, it is crucial that senior business leaders review existing processes and sponsor a more strategic approach to cybersecurity.

Such a significant shift can only be achieved with the support of senior leaders, as the changes needed to bring the organisation in line with the defences required for today's evolving threat landscape may call for significant investment. That investment is both monetary, in purchasing new solutions, and in the time needed to plan and implement these changes from a technological and cultural perspective.

Of course, convincing the board to make the necessary structural changes and investment, at a time when there is already great digital disruption to services and when resources are tight, will be no mean feat, even with a senior sponsor. At one government office, a project to restructure its cyber security processes and resources took three years to bring to fruition, and required working with external penetration testing teams to demonstrate the extent of the threat. Only once the IT office and senior sponsor were able to show that the security rationalisation project was a key part of the overall IT modernisation programme did it garner board-level interest and support, which resulted in it being allocated the funding to achieve the desired business outcomes.

IT leaders need to work with the senior sponsor to highlight the risk and demonstrate the clear benefits to the organisation of taking a more strategic approach to security purchasing. Only by highlighting the key strategic, financial and organisational benefits of the board taking responsibility for the cyber hygiene of the organisation will IT leaders have the opportunity to show the value of a clear strategy that is fit for purpose in today's cyber threat landscape.

Change of perspective
We need to stop thinking of cyber security technologies as the solution to modern cyber threats. The best technology can only become a solution when strategically planned and deployed, with buy-in from the entire organisation. And while I know many IT leaders that would love to do just that, it is crucial that business leaders also put it on their own and their board’s agenda to make sure that it happens.

Business leaders need to understand that they not only have a responsibility to ensure that technology purchasing is as productive and cost-effective as possible, but also to ensure that the security team has the opportunity to purchase and deliver the defences that assure both the security of sensitive information and the undisrupted delivery of essential services.

In the evolving threat landscape, cyber security can't be 'business as usual'. It is time for public sector organisations to make the leap and reject legacy purchasing models in favour of more agile, effective purchasing structures that will enable them to provide the comprehensive defences they need to weather this ferocious environment.
