The security profession

The concept of government security can be traced back to the building of medieval castles, but the profession is one of Whitehall’s youngest – established just 18 months ago, with a focus on online defences. Its first head is Jonathan Lloyd White, HMRC’s director of security and information.

Lloyd White joined HMRC as an administrative assistant nearly 20 years ago, and has worked his way up through every grade into the senior civil service – taking a break to work as a strategic risk consultant for an insurance firm. In 2010 he rejoined HMRC in a data analytics job, putting him at the heart of a growing agenda; and in his new(ish) role, he’s on a mission to raise the profession’s profile within government. “I want to bring security out of the back office and recognise the important role it has to play across the civil service,” he says.

On his appointment Lloyd White commissioned a survey of the profession, the results of which were published in November. While the 349 responses revealed that people were happy with the level of leadership within the profession, they also raised concerns which, Lloyd White says, are defining his priorities. Chief among these is a lack of diversity: the profession is dominated by white males. “I firmly believe that only by taking that on can you help meet the hugely diverse needs of the civil service in a modern digital world,” he comments.

Innovation is another priority: evolving threats from hackers and terrorists mean that the profession cannot stand still: “The world is changing, and security has to change with the world. We have to stay innovative and responsive, and look for changes – not just be reactive.” 

Lloyd White cites Big Data as such an area of change, referencing the HMRC drive – alongside the Government Digital Service – to pull all its data together in one place and overhaul its website: “This is a big security risk, but [Big Data] also has the potential to allow us to look across lots of information coming in across the networks, allowing us to spot danger.”

Spreading the message about the importance of security to all civil servants is another part of his mission. This will require security professionals to become “trusted advisers” to colleagues implementing policy and structural changes, he says. “We are in a really fascinating stage where the civil service operating models with digital need security at their heart. It is no longer possible to have [security] as a bolt-on, because any attack on your digital services attacks your operating model.”

Government’s current move away from large ICT suppliers to more diverse supply chains involving more SMEs – including many based abroad – provides one example of this shifting context, he says. To meet changing needs, the profession must give advice which meets increasingly-complex security requirements without unnecessarily increasing bureaucracy: “It is about applying sensible risk management. The security profession has to work closely with the commissioning side of the business to respond to the changing environment.”

Nurturing such relationships will also require a change in attitude within the profession, he says: “We need to be more open and show the workings behind our conclusions. We are working hard to see the security issue and put it into a business context.”

It’s also important to broaden skill sets among security professionals, Lloyd White believes. Although the survey showed a high level of skills and experience in information assurance, he says that improvements need to be made in capabilities around personal and physical security: protecting buildings and personnel. Training courses in these areas already exist, he adds, but need to be more effectively promoted and more easily accessed.

Work is also being carried out with the Cabinet Office to build the capability of the security profession. Filling gaps – particularly in deep cyber skills – is challenging, he says, given a global shortage of such experience. But young talent is being attracted fresh from university; and Lloyd White says that pay, although lower than in the private sector, isn’t so meagre as to make it difficult to recruit. “I think we can attract top talent,” he says, commenting that people join the civil service “for the interest of the work – it is an amazing environment to work in.”

Increasing the standing of the security profession will not be easy, however, due to the diverse nature of the roles which come within its remit. Reporting lines vary by department, with security sometimes sitting under finance; sometimes under estates; and sometimes under ICT. It is a challenge that Lloyd White is well aware of. “I don’t think there is a strong sense yet of a unified security profession,” he says. “I don’t want to be too prescriptive in getting there, but that is what building the profession is about.”