2018 will be a big year for dxw.
In June, we’ll be ten years old. We’ve learned a lot about how to get things done in the public sector in that time. We want to improve users’ experience of government, and help government teams work differently. But building great digital services is only part of the puzzle.
So, over the next year, we’ll be reorganising. dxw is becoming a family. While the existing team continues its work delivering brilliant digital services for our clients, we’ll also form new teams to help organisations solve other, related problems: starting with security.
We think it’s time to change the way services are secured in the public sector. At the moment, compliance-led approaches rule the roost. Often, these add little value. Especially when they are delivered adversarially and forced upon teams with different professional cultures. As agile delivery methods have become widespread, this culture clash has become more profound, making the problem more acute. And when processes don’t work for people, they get worked around.
dxw and security
We see this all the time: the security risk assessment or accreditation document set that’s written without any technical staff in the room. Years of development carried out with no security input at all, followed by a disastrous penetration test and months of remedial work. The annual IT Healthcheck that costs little, doesn’t find anything wrong and doesn’t lead to anything being fixed but is nonetheless mandatory. These problems are frustrating, expensive and — most of all — avoidable.
There’s no one way to “do security”, no one product that can make something secure, and no one approach or methodology that can transform an insecure service into a secure one. In a very real sense, there’s no such thing as a “secure service”: security is a matter of degree, not a binary state, and this is reflected in the nature of the work that helps make services more secure. Risk assessments and management systems won’t get the job done, but they can be useful parts of a process that includes a greater variety of approaches.
The waterfall-style process of checkbox-driven assessment needs to give way to a blended, more nuanced style of working. Teams need to set clear objectives around the security of the services they run, based on the threats they face.
Security-focussed work should be designed and prioritised based on the current needs of the team and the users of the service. Some risk management here. A little threat modelling there. Improvements to toolchains and monitoring. Documentation of systems and process. Agile penetration testing as part of a team, as well as formal penetration testing with a report. Security-focussed development work, based on learning from penetration testing and actual incidents.
None of this works if it’s done as a one-off, or in the midst of a crisis, or bolted on by an uninterested team who have been ordered to do it. It has to happen as part of the normal work of the team. It has to be prioritised and valued by leaders. It needs to arise because of a strong security culture in the team, and the wider organisation.
We want to help more people work this way, so we’re starting dxw cyber. It’s a new venture, co-founded by Harry Metcalfe and Glyn Wintle. We’re creating a team to help clients build and operate their services more securely, combining Glyn’s extensive penetration testing experience with Harry’s experience building digital services for the public sector.
We’re delivering high-value penetration tests that are actually designed to find problems. We’re producing readable, plain English reports that inform and explain, so that leaders can make good decisions. We’ve built pragmatic advice, scoping and long-term follow-up into our process to support clients before and after testing. And we’re embedding security specialists in teams to help clients make secure decisions from the start, so that by the time a penetration test comes, it’s a part of a routine: not the start of a crisis.
Delivering a digital service that’s secure takes a little extra effort, and requires some new skills. But it’s not that complicated. Growing a culture of secure decision-making is within the grasp of any digital team, and we want to help more teams get there.
If you’d like to learn more, or to talk to us about how we could help your organisation, head over to www.dxwcyber.com for more information.