No single product can guarantee cyber resilience, but as public sector leaders heard at a recent Business Reporter dinner at the House of Lords, the right partnerships and cultural change can go a long way. The event, sponsored by AWS and Splunk, a Cisco company, brought together civil servants with cyber security and resilience expertise to discuss the challenges facing the public sector.
Andy Kilbey, Area Vice President Sales for UK&I Public Sector at Splunk, opened the discussion by noting that “vendors and customers have to work together” to build more resilient organisations. “We can’t afford to work in siloes,” he said.
Scott Hamilton, Leader for UK Central Government at AWS, agreed: “The cyber landscape is changing rapidly. There’s a real opportunity to do more through collaboration, especially with a shared responsibility model like AWS’s, where AWS secures the physical infrastructure and customers build layers of security on top with the help of our AWS Partners.”
From mops to Crown Jewels
Asked why cyber threats to central government are increasing, attendees pointed to growing complexity, new technologies and a widening attack surface. But whatever the nature of the threat, the first task remains the same: identifying and protecting the “Crown Jewels”.
One attendee said: “You start with what matters most and work out from there.” That includes understanding which systems are connected and how to prevent lateral movement in the event of a breach.
But the conversation also underscored that those critical assets might not be obvious. A participant explained the “mop problem”: in a hospital, a mop and some bleach may be more essential for maintaining operations than an MRI machine or even the patient database, but they are easily overlooked when planning resilience.
Many central government systems also fall under the definition of critical national infrastructure, leading to a more conservative resilience approach than in most private organisations.
Beyond protection: planning for recovery
True resilience, the group agreed, is not just about prevention. It’s also about recovery. “The recent M&S attack was a timely reminder,” said one speaker. “Recovery can take a long time.”
Supply chain risks remain a major concern. Government departments are increasingly reliant on complex webs of external suppliers, making it difficult to monitor indirect vulnerabilities. As one participant said: “If a supplier of a supplier of a supplier is hit, how confident are we that we can survive?”
That challenge is compounded by legacy systems and technical debt. “Many public sector bodies are carrying more technical debt than any business would tolerate,” said one delegate. “It makes them a target but fixing it will take years – and the funding process doesn’t help.” Even mapping existing infrastructure can be a major hurdle and many public sector organisations don’t know exactly how much legacy technology they are dealing with.
The solution, some suggested, lies in better communication and transparency. Sharing lessons from cyber incidents, even near-misses, can help organisations prepare more effectively. However, public sector organisations don’t often talk to each other.
Building skills amid budget constraints
Attendees also discussed how to strengthen resilience in the face of skills shortages and spending pressures. The UK Government’s G-Cloud provides pre-vetted solutions, but public bodies must still do due diligence to ensure the product is appropriate.
Regular testing of resilience processes was cited as essential, but should be done in stages, not as a single large-scale exercise. Table-top simulations were praised as a valuable tool for building internal expertise, especially when senior leaders are directly involved.
However, the government’s long-term capability gap may require more than internal training. “You can train people,” one speaker observed, “but without real-world experience, they’ll still struggle. And we can’t compete on salaries for experienced cyber experts.”
The role of vendors
This is where vendor partnerships can make a difference. Vendors can provide valuable insight from incidents elsewhere, but only if customers give them permission to share that information. “If you want to benefit from others’ lessons, think about whether you’re willing to share your own, too,” Mr Kilbey urged.
And as Mr Hamilton explained, AWS spends significant time advising senior leaders in government on best practices and emerging risks. He added that platforms such as the AWS Marketplace offer opportunities to test security vendor services without committing long-term.
But better tools alone are not enough. The group acknowledged that digital literacy at the most senior levels remains a significant issue. “Civil servants are recruited for the same skills they would have needed 100 years ago,” said one attendee. One suggested solution to the lack of digital expertise was to frame risk in ways that resonate with senior leaders: “If they understand financial risk, explain cyber risk in financial terms.”
There was agreement that security must be a shared responsibility. “It’s everyone’s job, not just the IT team’s,” one speaker said. “We need to communicate that clearly.”
In closing, Hamilton said AWS would take away a clear message: “We want to help customers make security more pervasive. Maybe we can do more to bring the right cyber expertise together.” Kilbey agreed, praising the open exchange of ideas. “There’s real value in sharing experience. This evening has shown that.”
To learn more, please visit: www.aws.amazon.com & www.splunk.com