Andrew Besford has over 20 years’ experience in technology-enabled business transformation. His early career was in the telecoms industry, in both in-house and consultancy roles in a number of countries, most recently at UK mobile operator O2. Andrew joined the UK Civil Service at the start of 2014, initially to set up business transformation at the Department for Work and Pensions, where he was responsible for developing a compelling vision for the future of the organization. Andrew then joined the Cabinet Office as deputy director of the Government Digital Service, and led the creation of the Government Transformation Strategy, which was published in February 2017. Andrew holds a degree in Computer Science from Cambridge.
My first job as a civil servant was in 2014, where I established the business transformation programme to modernize the Department for Work and Pensions (DWP). DWP is the UK’s biggest public service delivery department, and has a long history of administering the state pension and a range of benefits. Its operation distributes around £167bn of benefits per year (£650m per day, in 2.8m separate payments). The business costs around £8bn per year to run, employs 95,000 people, and delivers face-to-face services through 720 Job Centres. The big themes of the transformation were around secure self-service wherever possible, intelligent use of data, and process automation. I later moved to the Government Digital Service to work on the portfolio of digitally-enabled transformation programs across UK government.
Across all of these themes of transformation, we were constantly balancing the pace of technological change with the ability of the organization to adapt to new ways of working. With public services that people depend on, it’s always vital to consider how the organization will continue to serve people reliably whilst it is changing. Sometimes this means you need to make incremental changes, because a major technological overhaul and starting from the ground up would be too high risk, even though it may appear to be a better technology solution.
Public sector digital transformation programs tend to be driven by a mix of three key drivers – making efficiency improvements, improving the customer/citizen/user experience, and implementing the government’s policy agenda. Sometimes a new government policy can be an opportunity to modernize the way the whole of something works. Other times the policy might stay the same but there is an opportunity to deliver it in a modern and efficient way, which means making the best use of today’s digital delivery approaches and technologies. Eventually it will also mean adopting more internet business models but we are still in the very early stages of governments thinking in this way.
Some of the dynamics of this really are unique to the public sector – you have to deal with all service customers/citizens/users, some of whom may be extremely vulnerable or unable to deal with you online. You are spending public money, and the procurement rules are always a factor. A hugely positive aspect is that your colleagues are people who go to work every day to make government work better for the people who need it most.
The scale may be vast, but other challenges of transformation are the same as you find anywhere else – making smart use of data, having a plan for legacy systems, getting enough people with the right skills, aligning the organization around a clear vision, establishing the basics like a common language and a focus on user needs.
Although my job title doesn’t say cybersecurity, it is absolutely integral to leading business transformation in this environment. Different parts of the public sector have aspects in common, for example the need to handle sensitive personal data. But different areas naturally have different threat profiles – for example DWP is a unique environment in that it pays out such a big percentage of our GDP directly to citizens.
One key factor when you are building new digital services in this environment is that you have to be careful with which parts need an iterative test-and-learn approach, and which parts need a high-volume, stable and auditable approach. Sometimes this experimentation is essential, for example when creating new online services which you hope will change people’s behaviors. Other times this can be risky or impossible, for example if you consider the interface to the banking system. Using appropriate methods can be very hard if there is a context of “agile everywhere”, which has sometimes been dogmatic.
There is a fine trade-off between making a service useful and making it safe. Often, senior leaders of organizations need help to understand the risks and the choices they face, so it was a big part of my job to clearly communicate the risks associated with projects and the mitigations that can be put in place.
The vision for business transformation needs to include security at its heart, and not just include it as an afterthought. As ever, this can be a juggle because other themes must also run strongly through the story, especially around people and technology.
Of course boards will always want to know “Are we secure, and compliant?” But when you are working on transformation, they probably also want to know “Why are we not more of a ‘digital business’ yet?” So there has to be a security perspective on the organization of the future. Frequently this means evolving the security focus so that it is not just about securing networks and endpoints, but extends to designing secure services.
My view is that transformation leaders always have a role to play in security. This could be helping board members understand what good looks like, and helping them understand options and consequences. Equally it could be helping to raise colleagues’ awareness and understanding as part of a more general digital upskilling.
The emphasis on user needs has been a real turning point in how UK government thinks about delivering digital services. In 2014 the Government Digital Service mandated the Service Standard, which includes as its first point to “Understand users and their needs”. This helped establish the thinking that without understanding users, you won’t know what problems you’re trying to solve, what to build, or if the service you create will work.
From a broader cybersecurity perspective it is important to start with user needs, while acknowledging that the government has needs too, for example to protect taxpayers’ money, reduce fraud and preserve trust.
It’s impossible to overstate the human factor. In government terms this applies to the people who use government services, as well as the people working within government agencies.
Digital services rely on balancing a low-friction user journey with the need for proportionate controls to limit business risk. Designing this successfully can only be done by putting the users at the center of the design. For public services this will touch on user identity, data ownership and sharing, minimizing risk and administrative errors that could cause significant damage – all while respecting people’s privacy and rights.
Criminals might impersonate these services without the victim ever contacting the agency in question, so this is in part a national problem, not an organizational one. For example, the UK’s tax, payments and customs authority (HMRC) has experienced significant criminal use of their brand, highlighting the need for a national response to protect citizens and ensure that when people see an email from a .gov.uk email address they can trust it. In 2016, HMRC was the 16th most phished brand globally, but following efforts from HMRC and the UK’s National Cyber Security Centre, by the end of 2018 it was 146th in the world.
Within government agencies, for those who advise on policy, build technology solutions, and deliver front-line operations, there are also threats at the human level. These could be from organized criminals, hacktivists or state actors, who may use attacks based on social engineering or spear phishing.
As always this depends on the context, but there are three common themes I would highlight from recent work.
Firstly, we need to help senior leaders understand cybersecurity better. Transformation is a leadership problem and sits in the realm of the boardroom; it is made possible by leaders understanding what it means, and setting out a vision for the organization. Those people generally don’t have a deep understanding of cybersecurity, but increasingly recognize how critical it is, because they have heard of WannaCry ransomware, Cambridge Analytica data mining, and British Airways/Marriott fines under GDPR.
Secondly, we need to focus on creating the right conditions in the organization for delivering new services. This means enabling people and empowering teams. Someone in your organization is eventually going to end up attempting to do secure service design themselves – with or without any guidance from specialists. Cybersecurity practitioners need to collaborate across the organization, avoid creating factions, and make sure it gets done right and integrates with your other layers of defence.
Finally, we need to embrace digital change and experiment. Any big organization needs to be able to operate while under persistent threats and sophisticated attacks. And you need your teams to be enabled to experiment (safely), test and learn what works, and continuously evolve services to deal with the evolving landscape they operate in. Security leaders can and should be at the heart of safely delivering the transformation ambition.