Public sector organisations need to ask how their cybersecurity functions can enable delivery of new products and services, says Alan Curran of Registers of Scotland
I see cybersecurity as a business enabler, but what exactly do I mean by that?
Our ambition at Registers of Scotland (RoS) is to be a digital registration and information business trusted for our integrity. We face unique challenges on our journey to transform some of the world’s oldest land registers into reliable, secure data sources that support our customers today, and meet the challenges of the future.
I am mindful that we must not only protect the organisation and our data from the growing threat of cybercrime and technical attacks, such as ransomware. We also need to deliver increasing value to the citizens of Scotland through new and innovative use of accessible land and property data. We also wish to enhance our existing processes via digitisation and automation, which is part of our Corporate Plan.
The objectives of having effective security controls and assurable protection levels, while enabling innovative data use, ongoing digitisation, and increased automation, may appear to compete against one another. However, I believe they are not mutually exclusive.
To have a competitive advantage, organisations (including those in the public sector) need to ask how their security functions can enable the delivery of new products and services, while simultaneously providing the required security assurances.
So, how do we achieve this at RoS?
Firstly, we manage our security risk at all levels. It would be easy to lock away our data, making it easier to protect, but that would hinder our ability to deliver our other business objectives. We, therefore, take an approach based on rigorous risk assessment. We analyse the impact of each process that will interact with our data and align it to the business’s appetite for risk. This way, we can ensure appropriate levels of varying protection across our organisation. It also ensures we don’t fall into the trap of “one size fits all” security. We are free to innovate safely while also ensuring robust, effective protection is in place.
Secondly, we make intelligent choices on how we drive the highest value from our security investments. We don’t just implement a security tool and forget about it; we actively seek ways to provide maximum value to the organisation. For example, by integrating our malware scanning and automation tooling into our award-winning digital submissions service; or using our network access control (NAC) technology to enable secure networking for third parties in a new shared occupancy building model. Using this approach, our investments do much more than just protect; they enable new ways of working.
Alan Curran was a guest speaker at Cyber Security 2023 in Glasgow on Monday