Editorial

Public sector needs to see Cyber Assessment Framework as more than box-ticking

Many organisations’ delivery outcomes don’t meet their original needs as they fail to follow a transformational process, says Pionen MD

Posted 10 May 2023 by Christine Horton


More public sector organisations should embrace The Cyber Assessment Framework (CAF) to improve their cybersecurity posture and better understand their cyber objectives and resources, according to Nigel Wakefield, managing director of public sector-focused cybersecurity consultancy, Pionen.

The framework was first developed by NCSC in 2018 to improve the cyber resilience of the UK’s critical national infrastructure. It was rolled out to all government departments in 2022 as part of the Government Cyber Security Strategy. The goal is that departments use it to assess their resilience across a range of objectives and indicators – however, many departments are not leveraging its value and instead still view it as a box-ticking exercise.

“The CAF is not just about box ticking. It’s a tool for constant learning and improvement. And an effective assurance process is as much about understanding the department’s objectives and culture as it is about technical controls,” said Wakefield.

He was speaking at the recent Think Cybersecurity for Government event (pictured). He said many organisations find their delivery outcomes don’t meet their original needs for several reasons, and they typically stem from not following a transformational process.

“The problems I see occurring regularly are because the right amount of time and diligence has not been spent on capturing the problem statement, defining requirements, and doing a solution-agnostic capability design. If you do those things, then you’re much more likely to get the results you’re looking for,” explained Wakefield.

“We’re hired as experts in our subject. When we engage with somebody, they already know the solution. They not only know the solution, but they are also partway through procurement or have already procured the solution. But they haven’t actually defined the problem yet.”

This can often lead to a lack of integration with other services or hardware, or a failure to even solve the initial problem.

Not a box-ticking exercise

Instead, Pionen helps organisations understand their problems and requirements from the beginning. “I help them write their problem statement: What’s keeping you up at night? What’s concerning you?” said Wakefield.

“Once you’ve framed that problem statement, you make sure that’s agreed with the stakeholders. [They] write down the functional [and] non-functional requirements. If it leads to a technology, what we typically do is a capability design, which is solution agnostic. And that really frames what they’re looking for to meet those requirements and solve that problem.”

Wakefield advocated for organisations to use the CAF to help them maintain an outcome-focused approach.

“Once you’ve looked at CAF and done the initial assessment and have a good understanding of where you are as an organisation, you can use that to trigger investment funding and a programme of work to increase your resilience,” he said.

“If you talk about audit or compliance or even assurance, people typically think that’s a tick-box exercise. [But] the focus should be on assessing where you are right now, and ‘how do I improve?’ It shouldn’t be a pass or a fail. If you look at your threat landscape, and your current posture and security, then this is just benchmarking at a point in time where you are, and then you should use that to drive improvements across the organisation.”