Cyber centre recertification proves security is more than a box-ticking exercise
Customers can have continued confidence in the cyber-security safeguards that Thales applies to products and services following renewed validation from the national body that sets UK cyber standards.
The National Cyber Security Centre has re-certified Thales Secure Communications and Information Systems (SIX), within its Certified Cyber Security Consultancy (CCSC) scheme, following a rigorous assessment of their business processes, procedures, knowledge and practical experience.
“The technological body with the national brief for cyber-security in the UK says that it is content that our consultancy meets its high standards and that we deliver the quality of services required,” said Pete Goodliff, Thales SIX, CCSC Head Consultant for Risk Management.
A rigorous assessment
NCSC set up the CCSC scheme to apply more rigorous cybersecurity standards across whole businesses. Whereas previous schemes focused on individuals, the body’s assessors now scrutinize an organisation’s business processes and delivery models. They also look at how people are developed to ensure the right resources and competencies are available to deliver competent technical consultancy services.
“The process shows that security isn’t just a tick box exercise,” said Pete. “Risk management means more than meeting standards by saying ‘I’m complying with the rules, therefore I’m secure,’ and organizations have to grasp that, or they can never produce secure products or adequately manage business risks.”
He added: “In the past, anyone with some experience with technical security could put ‘cyber’ in their job title and claim to be an expert, but their knowledge might have been limited to a particular market sector, experience or tech baseline.
“This scheme isn’t just going through the motions. You have to prove how you’ve benefited a business you were working with, by helping them to achieve a tangible business outcome through a consultancy engagement.”
Rather than simply submit an application for desktop assessment, over several months Pete had to submit suitable case studies and then present them in person at NCSC. There he was questioned by a technical director about how they were delivered, showing that he had the appropriate skills as a CCSC Head Consultant.
Cybersecurity within the procurement cycle
Pete’s day-to-day role is Cyber Design Authority to a number of Thales business lines. He is responsible for ensuring that Thales delivers, to an appropriate level of competency, the technological aspects of its cyber-security business, especially in relation to the products and solutions that are offered to customers.
“Having certification from an external body against a UK national standard gives me extra credibility with business lines when I advise them what needs doing, not only to meet Thales’s needs but those of the customer,” said Pete.
He added: “The perception in some quarters is that cyber-security is just about producing the right documentation at the right time, but it’s really understanding how cyber relates to what the business is trying to achieve and how to deliver it for the right outcome.
“This is becoming increasingly important to all our customers, who use complex systems to deliver business critical functionality, such as the UK Ministry of Defence, which is looking to forward load cyber security activity earlier in the procurement lifecycle and apply more rigour.
“It’s become a more prominent part of their assurance activities and they want to know that cyber-security is adequately considered before a contract is placed.”
Maintaining an ongoing process
Pete was the first person in Thales’s UK security business to be nominated as a head consultant under the CCSC Scheme and others in the organization have also subsequently qualified.
“CCSC is an endorsement that vindicates the effort we’ve been putting in at the business and the individual level over a number of years,” said Pete. “But obviously we won’t be resting on our laurels, because we have to be continually re-assessed.
“It’s important to understand that while we’ve reached a benchmark, we also know what we have to do to maintain it.”