
30 September 2014: Cyber Security Model


Cyber Security Model presentation from 30 September 2014 Innovation Network event in Scotland


Page 1: 30 September 2014: Cyber Security Model

Defence Cyber Protection Partnership

Daniel Selman, Cyber Industry Deputy Head

ISS DAIS

CDE Innovation Network event: 30 September 2014, Glasgow

Page 2

The Latest Trends in Cyber Security

Information Security Breaches Survey (2014) – Trends

Small Businesses (< 50 Staff), 2013 vs 2014 – chart covering:

- % of respondents that had a breach
- Average number of breaches in year
- Cost of worst breach of the year
- Overall cost of security breaches

[Chart values: £65k, £115k]

“The average cost of the worst breach suffered has gone up significantly, particularly for small businesses – it’s nearly doubled over the last year.”

Page 4

DCPP ENABLING WORK

Information Sharing

• Reducing adversaries’ window of opportunity by:

• Timely sharing of information across industry and government – some of it sensitive

Measurements & Standards

• Providing clarity in terms of where we are and where we need to get to by:

• Defining the proportionate and practical cyber security standards required in all defence contracts

Supply Chain Awareness

• Raising awareness of cyber security by:

• Briefing a common message and surveying readiness

Page 5

Proportionate Security into the Procurement Lifecycle

The principles of the DCPP Cyber Security Model (CSM) are:

To mandate Cyber Security Risk Management

To bring about a cultural change – top-down, policy change (primarily affecting all new contracts placed)

To risk-assess all supplies (including services) so that a proportionate level of security is routinely requested by acquirers

To ensure that all contracts include clear, appropriate cyber security requirements

To ensure that acquirers assess their aggregated risk through active monitoring of their own and their suppliers’ ongoing compliance with contracted security requirements

Page 6

Cyber Security Risk Management in Procurement

DCPP CSM Key Points:

It mandates organisational Security Risk Management

Security Risk Assessments (by default)

Contracts include proportionate security requirements

Suppliers’ security reporting evidence routinely assessed

Based on ISO27001:2013 and HMG requirements and controls

Based on a maturity model, not a pass/fail test

Incorporates Cyber Essentials Scheme (CES) requirements

Has been developed in collaboration (MOD, Industry, Advisory)

Has been tested by Pilots involving both Primes and SMEs

Page 7

DCPP CSM Pilots - Criteria

Confirm the process is simple to follow and identify any areas of concern

Confirm the questions are clear and easily understood and identify any areas of concern

Confirm the hypothesis that CES is a subset of the DCPP CSM (identify gaps/overlaps)

Understand the level of effort and skills required, and identify commercial issues

Determine the level of automation / tool support required

Page 8

Pilots Feedback

• Good engagement from all projects

• Broad support for the aims of the Cyber Security Model

• Useful comments on both the approach and specific questions

• Feedback being collated and analysed to understand what changes are needed

• Initial conclusions – tweaks needed to the question sets; a bit more thinking required on how to manage the burden on supply chain and MOD alike

Page 9

FURTHER ADVICE

General Cyber Security Advice and Guidance:

Check your organisation and your IT service provider(s) against HMG’s “10 Steps to Cyber Security” (search www.cesg.gov.uk or www.gov.uk)

BIS Cyber Essentials Scheme (search www.gov.uk)

Ask your information security staff to join Cyber Security Information Sharing Partnership (CISP) to access threat information (www.cisp.org.uk)

Access the Technology Strategy Board’s voucher scheme for funding to improve cyber security (search https://vouchers.innovateuk.org; closing date: 23 July 2014)

CERT UK (www.cert.gov.uk)

CPNI (www.cpni.gov.uk/advice/cyber)

CESG (www.cesg.gov.uk)

Defence Sector Specific Advice:

Ask for advice: ADS, techUK, Primes, trade associations