DevSecOps Series: the top three challenges in securing public sector digital services

The public sector faces a unique set of challenges due to its organisational setup and the nature of its work.

When we talk to our clients, it is understandable that they worry that their ability to secure digital products and services cannot keep pace with the speed at which those products are built. In a previous blog, we discussed how new DevOps tools and methodologies accelerate the creation of new features and updates to applications.

However, traditional approaches to security can no longer keep pace, for a variety of reasons, and the result is both increased exposure to cyber risk and slower delivery. On top of this, the public sector faces its own set of challenges, arising from its organisational setup and the nature of its work.

Recently, I had the opportunity to speak with a senior security expert working in the UK public sector, to understand which security challenges, in his opinion, top the list when it comes to delivering new digital services for government.

Here’s a summary of our discussion.

Challenge 1: The stakes are very high

According to him, the digital transformation of the public sector, based on the government’s “Digital by Default” strategy, aims to use digital technologies to make public services such as healthcare, pensions, Universal Credit and law enforcement more accessible and operationally efficient.

The problem he focused on was that such digital services are also high-value targets to a variety of would-be attackers for two main reasons:

  • Some of the services are considered critical national infrastructure. If they were unavailable for any period of time, there would be a high chance of social unrest, making them ideal targets for activists and state-sponsored hackers.
  • The volume of sensitive citizen data managed by the services could be exploited for financial gain by organised criminal gangs, disgruntled civil servants and connected third parties.

Challenge 2: Legacy security mindset is deep-rooted within the culture

The second big challenge is that siloed security functions do not integrate well with the organisation’s digital delivery functions.

Furthermore, security functions with an old-school approach to working are still the norm, and digital departments can find it difficult to collaborate with them. For example, the security function mandates heavy documentation and vetting processes, which often fly in the face of the agile principle of “working software over comprehensive documentation.”

Another challenge is that some security managers are not familiar with the latest technologies and methodologies, which makes it difficult for them to assess risks and make recommendations.

Challenge 3: A reluctance to embrace cloud technology and open source products within the technology stack

As in other heavily regulated sectors, public sector organisations are still not placing big bets on cloud-based delivery models, despite having plenty of options available from tech giants such as AWS, Google and Microsoft.

The cloud is at the core of DevOps, as it allows infrastructure to be scaled up or down in a matter of seconds, as and when needed. However, according to our security expert, the security function in a typical public sector organisation operates a list of approved services and tech stack elements, which restricts DevOps teams from using better (usually cloud-based) technology.

This practice, he says, gives the department a control that reduces its exposure to security risks. The challenge, however, is that such a list is not updated frequently, and is sometimes updated by people who do not understand the technology. As a result, agility suffers, because teams struggle to deliver iterative improvements quickly across the stack.

Automating delivery pipelines will not address all the challenges

Technology is only part of the solution, though. It is clear from our interview with the security expert that many of the challenges arise from cultural differences and a lack of education. With this in mind, organisations should focus on the following core principles to fully achieve a DevSecOps approach to security:

  1. Educate your workforce
  2. Automate your processes
  3. Monitor your applications and security level progress

Over the next three articles, we will explore each of these DevSecOps principles further, and how they can be applied to ensure departments generate the maximum value from DevOps while upholding their security responsibilities to UK citizens.

In the meantime, you can find out how secure your DevOps is by filling out our online assessment. It’s free, anonymous, and allows you to benchmark your maturity against other organisations and industries.
