By Gemma Diamond and Mark Roberts
It was great to see the Scottish Government’s cyber resilience framework published in January, which aims to make it much clearer and easier for public bodies to assess their risks and comply with relevant requirements.
A key feature of this framework is its focus on board and senior management buy-in and use of the framework. This chimes with findings from all our digital work about the importance of leadership. Digital and IT work is often at risk of being seen as something peripheral to an organisation’s main business. This is not true. Public bodies are increasingly digital organisations and digital technology supports all business activity.
As the Scottish Government cyber resilience framework states:
“It is vital that Boards/executive teams understand that the cyber risk is a business risk – it has the potential to have a significant impact on an organisation’s ability to deliver its duties and objectives in respect of public services, and fulfil its obligations to staff and citizens. Cyber resilience is not purely an IT issue.”
This focus in the framework is welcome and provides a clear set of questions and tools for leadership teams to ensure that the risks are being appropriately mitigated. Our audit focus is making sure that leadership teams are asking the right questions, supporting and challenging relevant staff, and reviewing supporting evidence.
Over the course of the year we’re going to get out and about talking to leaders about the new framework and how our audit work will reflect it, so please get in touch if there is a forum we could attend or if you want to discuss it with us.