Interview: government chief security officer Campbell McCafferty on his mission to make government ‘the hardest target it can be’
First-ever holder of GCSO post discusses how to remove barriers, break down siloes, and ‘deliver much more consistency’ in security strategy
Campbell McCafferty was appointed as the first Government Chief Security Officer (GCSO) in July 2016, a role which sees him heading up the government security function, and reporting directly to the chief executive of the civil service.
In addition to his role as GCSO, Campbell is the Director of Cyber and Government Security in the Cabinet Office, and is responsible for delivery of the National Cyber Security Strategy and National Cyber Security Programme. Prior to this appointment, Campbell led the Civil Contingencies Secretariat and has held a number of defence roles, including Head of Counter Terrorism and UK Operational Policy.
What are the biggest security challenges we face in government, and how are we tackling them?
The biggest challenges we, and I believe the UK as a whole, face in security is staying ahead of the rapid pace of change. By this I mean the speed at which technology is evolving; fewer government buildings and the shift from office-based to a far more mobile workforce; the migration of critical public services to the web; and changes in the wider society we recruit from.
Set alongside this is an equally fast-moving threat picture.
Reconciling the pace of change with the threat is the biggest challenge. For example, how can we safely maximise the huge opportunities provided by technology while appreciating that cyber offers the lowest-cost, lowest-risk way to steal from or disrupt government business?
A recent review of government security found too much duplicated effort across departments, and over-complicated practices. Government security has been delivered in a broadly similar way for the last 30 years.
To tackle this, the Cabinet Office has established a transformation programme to deliver a step change in government security.
The programme will create a security system that delivers a higher quality and more efficient service, one that is focused on enabling civil servants to work in a way that is secure. At the same time, it will allow cross-departmental working and the use of modern technology.
What are your priorities as Government Chief Security Officer?
I see my top priorities as: delivering a government security transformation programme that ensures HM Government can rely upon a world-class security operation now and into the future; building a government security profession that develops, attracts and keeps the best talent and is seen as a key enabler for government business; and raising the level of ambition across all areas of security, with higher standards in cyber, personnel and physical security – to make HM Government the hardest target it can be.
What are the biggest barriers to understanding the requirements of security in government?
The perception is often that ‘security says no’ and is a blocker, where it should be an enabler of new technology and ways of working. Civil servants I speak to often see security as opaque or confusing and a hurdle they have to cross before things can get done.
We’re now working much more closely with the cross-government HR, Digital and Commercial functions, so that we understand their needs and they have a clearer understanding about what we do, and why.
There’s a phrase I like that says, ‘security just needs to be good enough’. Even done properly, security can add cost and reduce functionality, so it is incumbent on the security profession to focus on the things that really matter. There is also no such thing as absolute security: risk management is critical, as is expressing security risks in language the business can understand. We constantly have to take risk decisions on how to balance security and business need. For example, the trade-offs between keeping a digital service up and available, versus taking it down in order to patch and secure it. Those decisions also need to be reviewed regularly as the needs, the threat and the context change. And to make help departments understand what secure enough looks like, we are introducing minimum security standards for staff, buildings and technology. Creating this transparency is vital to reducing barriers.
How important are civil servants in keeping government safe?
People are our strongest defence when it comes to security, and almost all security incidents have a decisive human factor, such as clicking on a malicious link or leaving documents on the train.
While government is responsible for keeping its staff and information safe, civil servants also have an important role to play. This may sound daunting, and many people are put off or confused by complicated security rules, but there are a number of simple things you can do to keep yourself safe at home and at work. Most of this is just common sense and good judgement. Staff should refer to the Government Security Principles and Behaviours. You should also make sure you’re aware of your department’s security policies and who to notify if there’s a problem.
Given the focus in the media and elsewhere on the threat of cyber attacks, is there a risk that we lose a holistic approach to security?
Yes, I think there is a danger that we lose our holistic approach. We've been doing personnel and physical security for so many years we sometimes see the cyber threat as something so new and different that it almost becomes a domain unto itself. In many cases, the people on the other end of the keyboard who want to do us harm have exactly the same intent as those who might try to steal public money or sensitive government information using more traditional means.
We must also be very aware that not all security threats fit into a neat box. There is a lot of crossover between cyber, physical and personnel security. A good example would be: an improperly vetted contractor (personnel) gaining access to a government data centre that was poorly secured (physical), and plugging in a USB containing malware to enable an attacker to gain a foothold on the network (cyber). A system that is not joined up doesn't recognise this multi-pronged threat and leaves us more vulnerable as result.
What I’m trying to say is that our attackers don’t think in silos of cyber, personnel or physical, and neither should we.
How joined up is government security?
The changes we are making over the next two years will deliver much more consistency, with security services being delivered by centralised units rather than separate services within each department. These bigger and more capable teams will ensure that scarce skills and resources can be more evenly distributed across government and enable greater sharing of best practice, less duplication and more opportunities for security practitioners to develop and progress within the profession.
We will also be introducing baseline standards and clear compliance processes across government. We recognise that, at the moment, security policies and standards are not applied consistently across government, which makes it hard to assess the risks that we face. The changes we will be introducing will result in more effective performance monitoring and a clearer picture of how we are dealing with security threats.
Security is also becoming a cross-government function, alongside Digital, HR, Commercial and Finance. This is allowing us to create much greater integration and collaboration between the different functions and helps us learn from each other.
How closely do you work with other government security and intelligence agencies?
We work very closely with the intelligence agencies and other organisations to keep government safe. In particular, the National Cyber Security Centre (within GCHQ) and the Centre for Protecting National Infrastructure (MI5), which are the UK National Technical Authorities for, respectively, cyber and personnel, and physical security. This means they provide the advice and guidance that we base our policies and standards on. The intelligence agencies also provide crucial information on the threats to government, which helps our team and departments work out how best to protect ourselves.
How are we making sure we are recruiting and developing the best talent to counter the increasing sophistication of cyber and other threats?
We want to build the next generation of security professionals to include a diverse range of talent. Our recruitment approach will be to attract people from a wide variety of backgrounds, including bringing more women into the profession and those from groups of protected characteristics. We need people with a wide range of skills, such as commercial, technology, HR, communications and risk management, to name but a few.
A more diverse workforce will provide fresh perspectives, innovation and better reflect the businesses we support.
Why should people want to work in government security, compared with a role in a big private sector company?
Government can offer a scale and scope of challenge that far exceeds that found in the commercial sector. Government business involves dealing with millions of people and with billions of pounds – experience that can’t be matched commercially. It also offers an opportunity to tackle the most severe threats and build deep relationships with the security and intelligence agencies and the wider national security community both in the UK and abroad.
What is your vision of how government security will look in the future?
Our vision is to have a thriving security profession made up of subject matter experts who provide high-quality, dynamic security services that protect and enable government to deliver.
We want to empower our staff and we are committed to their development, so that they can have clear and exciting careers within government security. And we want to ensure that government security is a brilliant area to work in to attract and retain the very best talent.
We must transform our security systems to modernise and protect against an ever-evolving range of threats. We want to bring together departments and security teams, and foster cross-government sharing of security services, best practice and expertise.
We will create a new culture where security is seen as an integral part of everyone’s role, enabling them to do their job effectively. And we will create a new structure for government security with expert professionals.
Security is an essential part of good government – we need to protect to enable.
This article originally appeared in Civil Service Quarterly. You can read more Civil Service Quarterly articles here, or read the latest edition below.
Steve Barclay urges greater reporting of attacks
Report claims that department requires a ‘cultural shift’
New ‘Gov Assure’ process aims to provide a government-wide overview of risk, minister tells PublicTechnology Cyber Security Summit
Ben Wallace is said to be ‘very cross’ after speaking to someone posing as Ukrainian PM for almost 10 minutes