Top Tips for Government Security Leads – Part 2

This is the second in a three-part series of Top Tips for Government Security Leads. It is intended to provide a brief overview of the most important aspects of fulfilling the role and the pitfalls to avoid.

In Part 1 we covered the importance of being a team player and understanding the overall security requirement for the role. The series continues with two more top tips.

Tip 3: Establish the stakeholders

The Security Lead is a co-ordinator and must ensure they know who to co-ordinate with. The information owner(s) has already been mentioned in Part 1 but there are many others:

  • Accreditor. The Security Lead is going to have to plan security activities, resources and time frames. There is no point planning any of this without having worked it through with the appointed Accreditor, who may have a different idea about how security should be managed within the task. The relationship between the Security Lead and the Accreditor is key to the success of any security activity. Once the Accreditor is engaged and content with any initial plans, the Security Lead can move forward in the knowledge that the plans will not be scuppered by the Accreditor at a later date.
  • Project Managers (PMs) or Work Package Managers (WPMs). There are normally many in a task where a Security Lead is appointed; however, they rarely understand security requirements. They may be part of a MoD Delivery Team or appointed by the supplier(s) to deliver a particular work package. In addition, the PMs or WPMs may be tasked directly by the Security Lead to deliver a piece of security work, such as a risk assessment or accreditation plan. Either way, the Security Lead must engage with all of them to ensure security activities are identified and delivered in an agreed manner.
  • Data Owners, Information Asset Owners (IAO) or Information Risk Owners (IRO). It is essential that the Security Lead knows where to go to discuss the risks that may be associated with the information. It is likely that there will be more than one involved as information sharing across organisations or projects becomes more prevalent. They may have different risk appetites for similar information strands or have a requirement for higher levels of assurance that security controls are in place and acting as intended.
  • Supplier security personnel or technical staff. The Security Lead must understand the constraints under which the supplier personnel are operating. It is all too often the case that the Security Lead takes an ivory tower approach and fails to realise that security controls cannot be implemented as required without having significant side effects or unintended business consequences. The sooner the Security Lead engages with the suppliers the better the overall outcome is likely to be.

Tip 4: Establish lines of communication

How the Security Lead remains in contact with all the stakeholders must be addressed early in the project lifecycle so that everyone knows where to go for security-related advice.

The Security Lead must establish a Security Working Group (SWG) and have the Terms of Reference (ToRs) agreed. The SWG must have oversight of all security activities and is the body that provides security governance. The Accreditor will be an essential attendee at the SWG. Any lack of attendance will undermine the authority of the SWG and may lead to problems in the future due to a lack of oversight.

In the final part of this three-part series, Top Tips for Government Security Leads, we will look at defining an escalation path so that security concerns can be raised at the appropriate level, keeping a record of important security decisions and, finally, planning, planning and more planning!

Article by Paddy Keating, Director/Government Service Manager

If you found this article useful, take a look at Part 1 of this three part series.

For Further Information

If you have any questions about the topics we've covered, or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the team at Ascentor.
