Source · Select Committees · Public Accounts Committee

Recommendation 3


Mandate Cabinet Office to outline support for accounting officers to strengthen cyber accountability and culture.

Recommendation
Departments have not done enough to prioritise cyber security, meaning that government’s cyber resilience is far from where it needs to be. Accounting officers are responsible for protecting the security of their organisations. Until recently, the Cabinet Office had not given departments a clear picture of the cyber threat and what they should do about it. Departments have underestimated the severity of the threat, and their funding and prioritisation decisions have not reflected the urgency of the issue. All departments must ensure their senior management and decision-making boards include senior and expert digital and security leaders. The Cabinet Office has mandated that its own board has at least one digital expert and it now expects all other departments to do the same. The British Library has set a good example by sharing the lessons it learned from the ransomware attack it suffered. However, there is not a good enough culture across government whereby departments openly share learning and information from cyber incidents with each other. The Cabinet Office assured us that the new Government Cyber Coordination Centre is increasing the flow of data across government and helping it to better ‘defend as one’.

Recommendation: The Cabinet Office should set out how it is supporting accounting officers to: improve accountability by appointing an appropriately experienced and expert Chief Information Officer and Chief Security Officer at senior management and board level; include cyber resilience in departmental plans and activities; and create a strong cyber security culture in their organisations.
Government Response Summary
The government reiterates the requirement for public sector organisations to have a digital leader on their executive committee and board by 2026. DSIT will further set expectations for departments to appoint board members with cyber security expertise, mandate regular board reporting, define roles and responsibilities, and specify mandatory risk management actions in a new Target Operating Model.
Government Response
HM Government: Accepted
The government agrees with the Committee’s recommendation. heart of departmental decision making. There is a clear need for board-level expertise to ensure that digital and procurement considerations are fully factored into governance, investment and risk decisions. Government’s intent for this is stated in the Blueprint where all public sector organisations will be required to have a digital leader on their executive committee and a digital non-executive director on their board by 2026. Building on this, DSIT will set expectations for departments to appoint a board member with expertise in cyber security and digital resilience, ensure that boards receive regular reporting on cyber security and digital resilience risks, define roles and responsibilities and specify mandatory risk management and governance actions in a Target Operating Model for Government Cyber and Digital Resilience.