
Top Tips for Government Security Leads – Part 3

This is the final part in a three-part series of Top Tips for Government Security Leads. It is intended to provide a brief overview of the most important aspects of fulfilling the Security Lead role and the pitfalls to avoid. In Part 2 we covered the importance of establishing and communicating with the right stakeholders, including the Accreditor and Information Asset Owners. The series concludes with three more top tips.

Tip 5: Have an escalation path

The Terms of Reference (ToRs) for the Security Working Group (SWG) should define the escalation path; however, experience has shown that it is often only a paper exercise until it is needed to resolve a critical issue. The Security Lead should have confidence that any issue that may impact the overall security of the project can be quickly and effectively escalated, so that there is minimal impact or delay.

Tip 6: Record all decisions

Decisions made at the SWG must be recorded in the minutes and widely distributed. Any decisions made outside of the SWG should be raised at the SWG for awareness, endorsement and recording. The Security Lead must be able to track decisions back to where they were agreed, and be able to articulate when and why a particular decision was made and who made it. It is inevitable that during the lifecycle of a major project the same questions will come up time and time again, and the Security Lead is there to avoid nugatory effort or conflicting decisions arising.

Tip 7: Plan, plan and more planning

All Project Managers love a good plan and spend most of their time planning. This should be no exception for a Security Lead, who is in effect the PM for security-related activities. Key planning requirements are:

  • Accreditation Plan. Following on from the accreditation strategy agreed with the Accreditor and endorsed by the SWG, the Accreditation Plan should provide the detailed breakdown of what security activities are to take place, over what time frame, to what standard and by whom.
  • Assurance Planning. The requirement for assurance planning is worth a special mention. The specialist resources needed to conduct IT Health Checks (ITHC), Vulnerability Assessments, CESG Tailored Assurance Service (CTAS) tests and a plethora of others all take time, effort and cost to put in place. If these factors have not been identified in formal security activity planning they are likely to be overlooked or rushed, which may impact on the overall accreditation outcome.
  • Alignment. The Security Lead needs to ensure that security plans align with the wider project plans and don’t conflict with them. It is often the case that a lack of adequate security engagement throughout the project lifecycle has significant impacts on other project deliverables as security requirements seep into the project consciousness. Trying to shoehorn security controls into designs at the end, rather than building them in at the start, generally increases cost, adds delay and is unlikely to be as effective.

In summary, the role of a Security Lead can be complex, time-consuming and stressful; however, with a bit of planning, preparation and a determination to get involved, the role can be very rewarding and add real benefit to any project.

Article by Paddy Keating, Director/Government Service Manager at Ascentor.

If you found this article useful, take a look at Part 1 and Part 2 of this three part series.
