GovSec 2019: Preparing for a data breach

Whitehall Media GovSec UK 2019

At GovSec 2019, Lorraine Dryland, Deputy Director of Technology Security, Department for Work and Pensions, delivered a masterclass in how best to prepare for a data breach.

Below is my summary on the key points addressed by Lorraine and what you can do to ensure your maximum preparedness.

There are four key questions you must ask yourself when assessing your organisational capabilities; why, what, how and who.

• WHY? what’s the issue or problem?
• WHAT can I do to resolve the issue?
• HOW am I going to implement the what?
• WHO should support

1. WHY?
Given the multitude of cyber threat actors, the variety of characters and the various motivations behind the launching of such attacks, first and foremost you need to understand who has the intent and capability to impact your business and what are the consequences; from politically minded hacktivists, organised cybercrime, nation-state operatives to insider threats, the threat picture is complex.

2. WHAT?
Next, you must act in a considerate and reflective manner in order to assess your organisational, technical and governmental capabilities. This will help you accurately measure the extent to which you will be able to respond in an authoritative, technically minded and governance led manner.

Security strategy

• Operate to a single security strategy across the organisation is essential to deliver the protection of People, Technology and Process

Security principles

• Strong security principles must stretch across the organisation; security hygiene, tooling, and process; standardisation and harmonisation

Cyber defence

• Moving from a reactive to proactive and predictive security posture. Enable organisation wide visibility and real-time alerting

Risk, people and culture

• Manage security risks consistently to balance risk and opportunity. Embed security culture that will ensure compliance as BaU

3. HOW?
Getting executive buy-in and funding, and operating a risk management framework that works for your organisation; identify the potential trajectory of an attack, discover the vulnerabilities that could allow it to happen, cater to the assets which could be compromised and establish a reliable risk managed defence such as 3 lines of defence model
The how is also relevant post-attack when assessing how best to improve your security posture in preparation for future attacks.


• Define your digital assets, their purpose and security parameter
• Deploy complete and continuous surveillance
• Audit existing resources


• Risk management model deployment
• 3 layers of defence
1. Own and manage risk
2. Oversee risk
3. Internal audit


• You must define the purpose of each team and assign accordingly; it must be broader than Security:

1. Plan – organisation wide, business plans encompassing a full organisation view
2. Protect and Detect – behind the SOC – Tooling across Org, POLICY, education and awareness. Respond – Must include the business, HR, Media, Legal, MS Provider it’s not just a SOC issue
3. Recover and Review – its Front-Line business that gets you back to service and independent incident review is a must to ensure lessons learned
4. Customer care – don’t forget your customers if you provide a service, ensure they are as informed as they can be on managed channels

Continuous training and exercise

A war footing mindset is vital in order to ensure your security team is ready, poised and performing at peak level for when the time comes to respond to real life events. Such training and exercises must include the security team, from red teams to blue teams, non-security staff and third-party actors.

4. WHO?

Who is best placed to follow the above advice? YOU! That’s who! Security is everyone’s responsibility no matter their rank, expertise or role and responsibilities within an organisation.

Everyone is capable of becoming a security champion.