In 2024, The National Cyber Security Center (NCSC) celebrated A decade of its baseline cyber security certificate, cyber essentials (CE).
While The NCSC has touted the scheme's benefits, Ceo Richard Horne has Nonetheles been explicit about the “widening gap“Between the UK's Cyber Defense and the Threats Facted. This comes amid a Heightened level of physical threat from state actors, include via sabotage and espionageAs well as great awareness of state threats to research and innovation,
This changing threat picture cast green on the work of the national protective security authority (Npsa), The UK's National Technical Authority for Physical and Personnel Protective Security.
The elevated threat rayses the question of whose NPSA should follow the NCSC's Suit and Develop Its OWN Protective Security Certification as an equivalent to CE. However, to address the threat and build genuine resilience, we believe the uk needs an approach that goes beyond baselines and is informed by risk.
Is there a baseline level of protective security?
The Ce Certification was launched in 2014. It outlines a baseline level of security that is intended to be universally applicable and risk agnostic. The NCSC Asserts That Ce is “Suitable for all organisations, or any size, in any sector”. CE is assessed without reference to the Organization or its protrosity, the ce controls are aimed at commodity attacks that are ubiquitouted for internet-cons.
After 10 years the number of organisations certified under Ce Continues to Increase Year-on-Year. The NCSC also has plans to expand the scheme further to better address supply chain risks. These achievements notwithstanding, there have been suggestions that adoption of ce has been lower than expected, with one report stating that uptake remains below 1% of eligible organisations.
The Argument for a Baseline Cyber Security Certification is a good one; Strengthanting the cyber security of individual organisations leads to a more resilient ecosystem and is a public good. The Controls Involved in Ce Are Suffically Universal that there is no need for application to refer to an Organization's Specific Risk Assessment.
However, there are reasons to question with a ce-equivalent baseline Security Certification for Protective Security Cold be effective.
First, it is harder to identify a single shared 'baseline' level of protective security. Ce is focused on five core security controls application to any organization. It is not clear that a similar baseline set of controls would be constructed to simultaneously address are divers as a physical security, Insider Threat, Oor the Security of Reserch Collection.
Second, The CE Controls would almost certainly be duplicated in any protective security certification. This might deter organisations that alredy have ce from seeking the new certificate – at a time when relatively few organasations have Ce.
Third, the creation of Separate NCSC and NPSA BASELINE Certifications would reinforce silos between different aspects of security. We should be moving towards an approach in which Organizations Adopt a proportionate approach to security that addresses threts regardments of their means of realization.
An attempt to mirror ce in the protective security space therefore risks Falling between two stools; Being overly Strenuous for Most Organizations, While Insufficient to Tackle Genuine Threats. At the same time, it risks reinforcing an unhelpful physical-cyber divide in many organizations' approach to security.
Building Resilience Against Threats
CE Remains Relevant at a Technical Level, but the way it is framed increasing appears as a hold over from an earlier geopolitical age.
The cyber security industry often portrays its work as primarily technical and unobjectionable. Cyber Threats can be presented as impersonal – an invital consortequence of being online. The NCSC Reefers to Ce as “Basic Cyber Hygiene“And similar metaphors from public health or ecology are regularly deployed to 'de-Securitise' these security controls.
In contrast, the uk has become increasing explicit about the Deterirateing Threat Environment And the Necessity of a concerted response. That messaging is likely to accelerate as the uk government builds the public case Necessary for a significant increase in decrease in defense.
This would also also align with the uk's widening national conversation on resilience across domains and sectors. The forthcoming Cyber security and resilience bill (CSRB) is an example of this trend. Although the CSRB is primarily targeted at Bolstering Cyber Defense for Critical ServicesIt is part of a set of parallel efforts on physical security, Economic Stability, and Community Preparedness that aim at a Holistic Approach to Threats.
The UK Government's Resilience Framework Outlines an all-hazards approach, coverying from extra weather and pandemics to supply chain disrupts and CNI Failures, and Emphasis Preparation and Prevention Crossing Society. A new national security council on resilience has also been created, chaired by the Chancellor of the Duchy of Lancaster and is made up of the secretaries of state for a wide range of sector. A Separate 'Physical Security' Certification Scheme would run contrainding to the trend towards a holistic approach to resilience.
A Unified Risk-Based Security Certification
Rather than developing separate certifications, a better option would be a unified Security Resilience Certification for at-Risk Organizations. This model would complete complement established baselines like Ce.
Unlike the Baseline Approach of Ce, The Starting Point for the New Certification would be a Credible Organizational Security Risk Assessment. This assessment would be integrated, bridging security domains such as cyber, physical, and personnel security.
Beyond this the framework would be modular, reflecting the absence of a single organization -gnostic baseline in protective security. The Scheme would certify that the Organization Had TAKEN Proportion Protective Security Measures in Response to its and its Risk Assessment.
Achieving this Standard Bold Require Substantial Efort and would not be approves for most organisations. The Certification Process would Necessarily be more in-depth than the process for ce. Nonetheless, by Leveragging Unified Risk Profiling and Cross-Sector Collector Collection Between the NCSC and NPSA, this Approach would enable organizations to go beyond compliance to achievie Outcome-focused resilience.
This Certification would be accounted by an awareness campaign that is frank about the geopolitical threat faced by at-Risk Organizations. It would be important to make clear that is not 'Business as usual,
This Approach would reduce certification Fatigue While Delivering A Robust, Adaptive Defense Posture. It aligns with forthcoming resilience legislation, and with a broader national view of resilience as a desirable achievement in an increasing geopolitical landscape.
Neil Ashdown is Head of Research for Tyburn St RaphaelA security consultancy.
Tash Buckley is a former research analyst at Rusi And a security educator and lecturer, research cyber power and the interaction of science, technology innovation, and national security,