Cyber risk (2/5) – People, teams and cyber roles

Part two of the Cyber Risk report

Authors and contributors: Jos Creese, Martin Ferguson

Effective cyber management requires effective leadership, and not just in IT. This is the second of five cyber reports. It looks at the role of IT leadership and specific cyber technical functions, set alongside other key roles that play a part in cyber management, from the Senior Information Risk Owner (SIRO) to local councillors.

For IT itself, there are recognised methods for good cyber management: protecting data and IT assets from abuse and misuse, and reducing the scope for and impact of human error. Systems patching, risk tracking and penetration testing regimes, coupled with strong asset management and data controls, go a long way to protecting councils from common threats such as phishing, viruses and ransomware attacks.

But more needs to be done to create strong resilience in critical digital infrastructure. This includes growing the awareness of the responsibility that rests with IT suppliers. Gone are the days (if they ever existed) when outsourcing IT included outsourcing risk management. With the growth in cloud adoption, IT partnerships and shared services, IT supply chains are often opaque and complex. The inherent cyber risks of these new delivery models, coupled with the growth in emerging technologies, such as the Internet of Things (IoT), Artificial Intelligence (AI), Machine Learning (ML), Robotic Process Automation (RPA) and Virtual Reality (VR), must be understood, visible and controlled.

Today’s IT architectures typically comprise a web of interconnected digital components and linked data. These bring huge benefits, such as data mining and insight, but also bring new risks. It is essential that councils are able to retain a good grip on how and where data handling and processing is undertaken by others, especially when external suppliers and agencies need access to sensitive or secure infrastructure and systems. This goes beyond vetting IT service providers, to include all contractors and suppliers involved in public service delivery.

Everyone in the organisation has a responsibility for cyber, and that requires wide training, awareness and accountability, with appropriate support and advice from IT itself.

Publications in this series: