
30 September 2014: Cyber Security Model

Cyber Security Model presentation from 30 September 2014 Innovation Network event in Scotland

Published in: Technology

  1. Defence Cyber Protection Partnership. Daniel Selman, Cyber Industry Deputy Head, ISS DAIS. CDE Innovation Network event: 30 September 2014, Glasgow.
  2. The Latest Trends in Cyber Security. Information Security Breaches Survey (2014) – Trends, Small Businesses (< 50 staff). Metrics shown: % of respondents that had a breach; average number of breaches in the year; cost of worst breach of the year; overall cost of security breaches. Values shown: 2013 £65k, 2014 £115k. “The average cost of the worst breach suffered has gone up significantly particularly for small businesses – it’s nearly doubled over the last year.”
  4. DCPP Enabling Work.
     - Information Sharing: reducing adversaries’ window of opportunity by timely sharing of information across industry and government, some of it sensitive.
     - Measurements & Standards: providing clarity on where we are and where we need to get to by defining the proportionate and practical cyber security standards required in all defence contracts.
     - Supply Chain Awareness: raising awareness of cyber security by briefing a common message and surveying readiness.
  5. Proportionate Security into the Procurement Lifecycle. The principles of the DCPP Cyber Security Model (CSM) are:
     - To mandate cyber security risk management.
     - To bring about a cultural change: top-down policy change, primarily affecting all new contracts placed.
     - To risk-assess all supplies (including services) so that a proportionate level of security is routinely requested by acquirers.
     - To ensure that all contracts include clear, appropriate cyber security requirements.
     - To ensure that acquirers assess their aggregated risk through active monitoring of their own and their suppliers’ ongoing compliance with contracted security requirements.
  6. Cyber Security Risk Management in Procurement. DCPP CSM key points:
     - It mandates organisational security risk management.
     - Security risk assessments are carried out by default.
     - Contracts include proportionate security requirements.
     - Suppliers’ security reporting evidence is routinely assessed.
     - Based on ISO 27001:2013 and HMG requirements and controls.
     - Based on a maturity model, not a pass/fail test.
     - Incorporates Cyber Essentials Scheme (CES) requirements.
     - Developed in collaboration (MOD, industry, advisory).
     - Tested by pilots involving both primes and SMEs.
  7. DCPP CSM Pilots – Criteria.
     - Confirm the process is simple to follow and identify any areas of concern.
     - Confirm the questions are clear and easily understood and identify any areas of concern.
     - Confirm the hypothesis that CES is a subset of the DCPP CSM (identify gaps/overlaps).
     - Understand the level of effort and skills required and identify commercial issues.
     - Determine the level of automation / tool support required.
  8. Pilots Feedback.
     - Good engagement from all projects.
     - Broad support for the aims of the Cyber Security Model.
     - Useful comments on both the approach and specific questions.
     - Feedback being collated and analysed to understand what changes are needed.
     - Initial conclusions: tweaks needed to the question sets; a bit more thinking required on how to manage the burden on the supply chain and MOD alike.
  9. Further Advice. General cyber security advice and guidance:
     - Check your organisation and your IT service provider(s) against HMG’s “10 Steps to Cyber Security” (search www.cesg.gov.uk or www.gov.uk).
     - BIS Cyber Essentials Scheme (search www.gov.uk).
     - Ask your information security staff to join the Cyber Security Information Sharing Partnership (CISP) to access threat information (www.cisp.org.uk).
     - Access the Technology Strategy Board’s voucher scheme for funding to improve cyber security (search https://vouchers.innovateuk.org; closing date: 23 July 2014).
     - CERT UK (www.cert.gov.uk).
     - CPNI (www.cpni.gov.uk/advice/cyber).
     - CESG (www.cesg.gov.uk).
     Defence sector specific advice: ask for advice from ADS, techUK, primes and trade associations.
