Securing the defence supply chain
In the second in our series of interviews with defence SMEs, we speak with Bernard Parsons, CEO of Becrypt, about the Defence supply chain and the needs of the technology industry when engaging with the government.
Becrypt was founded in 2001 by Bernard and three former colleagues, to meet the growing security requirements of mobile technology and provide full disc encryption to the government.
Today, Becrypt is a leading supplier of Mobile Security products and services with a focus on product assurance, multiple platform support and flexible delivery: from being embedded within the platform, to hosted within the Cloud. Their focus is to help security conscious organisations be leaders in enabling value from the use of secure mobile technology.
The company works closely with the MOD, and has for a number of years, meeting the unique security requirements of the organisation. Today that involves developing robust secure mobile technology platforms and lightweight operating systems.
As an SME within the defence supply chain, what do you think of the initiatives to encourage more participation?
There are a lot of initiatives at the minute that are trying to tackle the issues, which we are very supportive of, obviously we are keen to see increased engagement and use of SMEs.
The one I would particularly highlight as valuable are the supplier engagement days. They are extremely important to us and so I would encourage businesses to get involved with their trade associations that can help organise these.
I do hope there is continued investment in these days as it’s very important that SMEs have that direct engagement with the MOD and the end customer to be able to hear first-hand evolving requirements. But also to articulate directly the innovations that the small businesses are making, because it is never the same when you go through a Prime.
That said there are genuine initiatives between Primes and SMEs to create communities of suppliers. This is a genuine response to Government strategy by the Primes to involve smaller companies, which is great, however there is a necessary filtering in both directions when you are communicating through a Prime Buyer.
The best interests of the systems integrator are not always in line with the best interests of the customer. And unless you have that direct engagement, so you can advocate your innovation directly to that customer, it could be lost as it may conflict with something else in place.
Direct customer engagement is absolutely critical from our point of view.
And is that happening?
Yes, we are seeing some of that facilitated by trade associations and some by the MOD themselves. We are fortunate that we have been around a while and are quite well deployed within the MOD itself, so have the opportunity to open those doors for direct communication ourselves, where newer and smaller companies may struggle.
We are engaged with the cyber growth partnership and there is increasing dialogue there. It is that kind of forum that is bringing industry and government together, facilitating dialogue from both perspectives and identifying opportunities and challenges that can be tackled collaboratively.
What do you see as the issues facing SMEs getting into the supply chain, such as red tape bureaucracy etc?
There has been too much red tape historically that inhibits engagement and some of the commitments that have been placed on SMEs in the past have been unattractive, liabilities etc.
However, there are genuine initiatives in place to address some of these problems and lighten the load for SMEs.
There are a number of practical challenges as well – we’ve talked about engagement – while SMEs do have more opportunity to provide innovation, there is often a challenge in positioning new ways of doing things, etc, into the MOD. There is a bit of a conflict in that standards are more static (accreditation/security) than innovation, especially within technology. We can define a particular standard for a particular protective marking, but that will never keep pace with the nature of innovation in small businesses.
So it is a challenge that needs an openness and willingness to have what ends up as a multi market conversation. You need the SME, you need the MOD, and its willingness to do something different, but you also need third parties to bring an authoritative quality assurance.
From a cyber perspective, while cyber technology is incredibly important to the defence sector, you can go to a variety of sectors for business: health/finance etc you don’t need to go to MOD for feedback or contracts.
Yes, you’ve hit the nail on the head. Our focus is cyber as it crosses all sectors, but many of the challenges that MOD has with engaging with SMEs aren’t unique to defence – it happens across government and across sectors.
What are your expectations for the year ahead?
It might sound a bit stale, but I’m going to mention GDPR. I know many within the security industry have been talking about it for quite some time now, however, this is broader than defence, certainly affecting the defence supply chain and beyond.
As 2018 and the introduction of the new GDPR legislation gets closer it is becoming more of a reality for more organisations. So we will, and are, seeing a significant increase in the diversity of communities that are focussed on their responsibilities around data protection. I imagine this will be a theme of 2017, as organisations get themselves ready for the introduction of GDPR.
With an MOD centred perspective, MOD is regulated and there have been efforts to get the defence supply chain to up its game, with initiatives such as cyber essentials and DCPP, and I’m sure we will see much broader adoption of cyber essentials.
What do you think of the CyberEssentials Scheme?
Of the scheme itself, it’s a good start and there is certainly room for a scheme that is a lot more accessible for smaller companies that don’t have the expertise or resources to go through anything much more heavy weight.
So yes, it’s a good start, it at least gets organisations engaged in a basic risk management process where one might not have existed previously. But I feel we may get to a point where it’s just a tick box exercise and that is perhaps where the scheme will need to evolve beyond even CyberEssentials Plus.
In terms of being more prescriptive perhaps and defining what good looks like, as opposed to pointing out what you need to be concerned about. Being more prescriptive about security controls may have to be on the cards eventually.
So the challenges are clear and the need for engagement is a priority. Contact your trade association and keep up to date with supplier engagement days through the Defence and Security Accelerator pages.
If you would like to join our community and read more articles like this then please click here