IT Security Guru

Public Sector IT is Broken: Turning the System Back On

by Lara Joseph
May 16, 2024
in Featured

Today’s IT services within public sector organisations are no longer adequate for their intended purpose. Security breaches frequently make headlines. Downtime disrupts services and productivity. There is also excessive overspending across the UK. Worse, these factors together result in an inability to offer the public the essential service innovation that has the potential to truly improve the citizen experience – all while reducing costs and the overspend that is currently being experienced.

Alongside this, cyberattacks are increasing worldwide, and the UK’s public sector unfortunately stands first in line to receive many of them. While this is a problem for any organisation to overcome, the challenge for the public sector is that the sheer volume of breaches resulting in service disruption, data loss and the cost of rebuilding and restoring systems is unacceptable and uncalled for. A shortage of know-how, insufficient procurement due diligence and groupthink have resulted in an over-dependence on a small number of vendors, infrastructure models that are pervasive across the sector, and matching security vulnerabilities that are rapidly and easily taken advantage of.

The budgets available to organisations are, however, sufficient to combat these challenges. The technology available in the marketplace is effective and secure, as well as proven and mature. With that in mind, Mark Grindey, CEO, Zeus Cloud, explains that a major problem responsible for undermining innovation and exposing the public sector to devastating security risks is the broken tender process.

Bracing for escalating cybersecurity threats

There is no question that the UK’s public sector organisations are facing an increase in security threats. As with public bodies in every developed country, they are the target of state-sponsored attacks developed and executed to undermine the delivery of essential services. The cost of recovering from these cyberattacks is damaging and shocking, with councils spending millions to recover from ransomware attacks in recent years.

The constantly rising threat level is, however, just one part of the story. While public sector bodies are key targets due to the level of sensitive data stored, the impact of attacking critical infrastructure, and the appeal of targeting a high-profile organisation, not all public bodies are experiencing repeated downtime as a consequence of breaches.

Nor does a single hack automatically affect every part of the organisation, leading to a disruption of vital services for days, even weeks. So, what differentiates those organisations, such as Bexley Council and Bedford Council, that have a good cyber security track record, from the rest? And, importantly, what is the best way to generate best practice throughout the public sector to mitigate risk? 

The Flawed Tendering Process Is The Issue

Budget is not the problem. The public sector might constantly claim a lack of funding, but money is not the root cause of inadequate security or inconsistent service delivery. The issue is how that money is spent. Despite attempts to improve the due diligence of public sector IT investment, the current tendering process is fuelling misdirected and excessive spend.

In theory, an open tender model should ensure that money is well spent. It should guarantee the service is delivered by the best provider. In reality, the vast majority of contracts are allocated to the same handful of large organisations. This would be fine, if the services delivered were top quality, highly secure and fairly priced. They are not. The public sector is routinely charged three times as much as the private sector for equivalent IT deployments. Three times as much.

In addition to rife overspending, the reliance on a small number of vendors dramatically increases the security threat due to the ubiquity of infrastructure models. When the majority of public sector organisations have relocated to the same public cloud hyperscaler and adopted identical security postures, it is inevitable that a breach at one organisation will be rapidly taken advantage of and repeated elsewhere.

Unsatisfactory due diligence

The current tender process lacks proper due diligence. Given the continued security breaches, why are these vendors not being held to account? Why are they still being awarded new contracts? Why are they winning the business to rebuild and recover the systems damaged by a security breach that occurred on their watch? Other Managed Services Providers and cloud platforms can offer better pricing and security track records. Something is going very wrong in public sector procurement.

The public sector is part of this overspending. Any vendor attempting to come in and charge a lower (fair) amount is automatically discounted from the tender process. Why? Because the public sector has been ‘trained’ by the IT industry to expect inflated costs, and because there is a reliance on dedicated Procurement Officers who lack essential sector expertise. Why, for example, is every single system used by Leicester City Council located on the same public cloud platform? It should be impossible for a system breach to extend and expand across every single part of the organisation. Yet by failing to understand basic security principles, the council set itself up for expensive failure.

Conclusion

This entire broken IT system is frustrating for the public and public sector organisations – additionally, it is enormously frustrating for IT vendors with the expertise to deliver lower cost, secure systems.

Given the rising pressures confronting all public sector organisations, change is necessary. In-house expertise must be rebuilt to ensure sector experts are involved in the procurement process. Additionally, pricing expectations must be immediately updated: avaricious IT vendors will continue to overcharge unless challenged. One possibility is to appoint an outsourced CTO with broad public and private sector expertise – someone with the knowledge and experience to call out the problematic and pervasive overcharging. Someone who could sanity check the procurement process.

It is also important to move away from the herd mentality. Would, for example, an on-premise private cloud solution be a better choice instead of a public cloud hyperscaler?

What is the cost comparison of adding in-house security expertise rather than relying on a third party – considering, of course, the value of fast response if a problem occurs?

It is unsurprising that the handful of local authorities with a good security track record have not adopted the same big vendor, public cloud approach, but have instead applied more effective due diligence to the procurement process to achieve a more secure and cost-effective approach. Others could and should learn from these organisations in order to succeed.
