Effective Information Sharing & Security Award 

CYBER SECURITY RESILIENCE ENHANCEMENT INITIATIVE

Cumberland Council

Briefly describe the initiative/ project/service; please include your aims and objectives

The Establishment of the Information & Cyber Security Culture within Cumberland Council, Digital and ICT Services.

Cumberland Council came into being on 1st April 2023 (vesting day) to replace the 2-tier council system within Cumbria, which consisted of six district councils and the former county council. The creation of Cumberland Council saw the former Allerdale Borough Council, Carlisle City Council, Copeland Borough Council and Cumbria County Council (55%) merge into one new organisation. In the south of Cumbria, Westmorland & Furness Council was created from the former Eden District Council, South Lakeland District Council, Barrow Borough Council and Cumbria County Council (45%).

The challenge from vesting day was to ensure that the cyber risk was brought under explicit and effective management as the new council was established. Over the first years a new Chief Executive was appointed along with the wider senior leadership team, and areas of responsibility were allocated, including cyber risk.

Cumberland Council inherited four ICT departments and infrastructures, all of which had had varying levels of focus and prioritization, the largest being the former County Council ICT department. It was agreed that Cumberland Council would host the former Cumbria County Council ICT Service, which continues to support over 4,500 users (and increasing) within both new councils. To compound the challenge, all former Senior Managers within the respective ICT departments within Cumberland Council left in the first few years, and the new Assistant Director, Digital Innovation & ICT only came into post six months after vesting day.

The Digital Team was initially hosted with Westmorland & Furness Council but was quickly disaggregated and became established within Cumberland Council.

Aims & Objectives:

  • To establish a single approach to strengthen and maintain cyber resilience, compliance and information sharing.
  • Consolidation of ICT Health checks with penetration testing leading to a consolidated Public Sector Network (PSN) submission and other national compliance frameworks.
  • Introduce a Technical Design Authority (TDA).
  • Introduce change management process and system, including the establishment of Change Management Boards (CAB). This function was not present in several former district councils.
  • Embed a culture of information and cyber security awareness across the organisation(s).
  • Establishment of the Cumberland Council Data Protection & Security Toolkit.
  • Establishment of a corporate cyber risk management framework.
  • Establishment of a corporate Information & Cyber Security reporting system.
  • Establish and build stronger links with iNetwork, NW WARP, National Cyber Security Centre, LGA, Cabinet Office and the wider cyber security professional community.
  • Identify key enablers both internally and externally who can help on this journey of transition and to implement strategies to circumvent blockers.
  • Establish and build relationships with three Senior Information Risk Owners (SIROs) & Data Protection Officers (DPOs) from the respective organisations, all of whom “consume” ICT Services from Cumberland Council, including the Information & Cyber Security support.
  • For Cumberland Council to become a centre of excellence for Information & Cyber Security.
  • It was also extremely important to ensure the approach was and remains aligned to Cumberland Council’s core values.
  • Establish a Cumberland Information & Cyber Security steering group which includes Cumberland, Westmorland & Furness and Cumbria Fire and Rescue Service key stakeholders.

What are the key achievements?

The consolidated cyber security controls provided the foundation to enable the Digital and ICT Teams to remain safe and legal and to “inject” a safe place where professional challenge can be conducted. This was achieved by the establishment of a single ICT (Hosted & Cumberland) and Digital management team within Cumberland Council, led by the Assistant Director. Within this group it quickly became apparent, through the leadership style of the Corporate Director and Assistant Director, that the core values of the council were to be placed at the centre of professional practice, which soon started to deliver results. With confidence that a single cyber security culture was being established and, equally important, maintained, Digital and ICT teams could then focus on delivery at pace whilst keeping the cyber risk “under explicit control” and remaining cyber safe and legal.

Achievements within the Digital Team

Websites

Achievements of the ICT Team in 2024:

• Management and support of over 14,500 devices (laptop & mobile devices) over 5 Microsoft Tenancies
• Seamless support of 8,700 ICT users over three organisations
• Information & Cyber Security advice and guidance provided to over 15,000 individuals within the council and externally. This includes the third sector within Cumbria (providing council services) and the army of volunteers who support Cumberland Communities, for example Shared Lives, volunteer drivers, and school governors. Information security best practice is not just restricted to ICT users!
• ICT responded to 63,699 incidents, including information & cyber security concerns
• Managed 26,875 service requests
• Average core system availability 99.98%
• Customer feedback: 4.5 out of 5
• Ninety-two percent of all ICT incidents resolved within SLA
• Eighty-three percent of all service requests fulfilled within SLA
• Successfully prevented over 306,800 information security attacks
• Implemented a harmonized door entry solution for council buildings – 1,000+ doors!
• Facilitated office moves of 1,000+ employees
• Supported three primary library refurbishment projects
• Disaggregation of multiple core software applications
• Microsoft Tenancy Migration
• Core data centre refresh
• Firewall upgrades and maintenance
• Supporting work placements and experience initiatives
• Information Governance harmonization
• Bridge height clearance mobile application that alerts in advance if an obstacle, such as a bridge, is too low for the vehicle to pass

Achievements Information & Cyber Security

All the aims and objectives identified earlier have been delivered and continue to be maintained. As the external information and cyber security threat continues to evolve, Cumberland Council’s information and cyber security position continues to evolve too and strengthen to face the incoming challenges. Without the golden thread of leadership, culture and the council’s core values supporting Digital, ICT and the wider “family” within Cumberland Council, iNetwork and the wider professional community, the task in hand would be simply insurmountable.

How Innovative is your initiative?

The unprecedented challenge presented to Digital & ICT teams by the establishment of Cumberland Council has been huge. Earlier we have seen only a preview of the achievements of the ICT & Digital Teams, whilst remaining “cyber safe and legal” during this transition. So, where is the innovation? That is simple: innovation is occurring within every single activity being conducted. It is not just specific to one project or initiative, it’s everywhere. How is this being achieved? Leadership and culture are running like a golden thread throughout Digital and ICT, linking into the council’s core values.

Key components of the leadership and cultural approach at Cumberland:

Psychological safety culture

A culture is being embedded where members of the team feel safe to professionally challenge and hold colleagues and the organisation to account. Team members can share ideas, take managed risks, and have a say on all areas of service delivery including cyber security controls. This has created an unprecedented level of cyber security awareness within the technical teams. Everyone owns the outcomes and individuals are not afraid to raise concerns and suggest solutions. Fostering creativity and collaboration has encouraged “outside the box” thinking driving change forward.

Risk based Decision Making (RBDM)

It is easy to say, “No, you can’t do that, it’s not safe.” That is not the Cumberland way. To foster innovation, risk-based decision making thrives; it helps reduce risk and increases overall confidence. This is especially relevant within cyber. The safest solution would be to lock down systems so no one can have access to anything; however, the organisation would not be able to function! A proportionate and embedded RBDM approach is key to effective information sharing and security.

Cross Functional Collaboration

It would be impossible to achieve information and cyber security resilience without cross functional collaboration. Every project or initiative is based on a collaborative approach between the information security team, project management, technical expertise teams, DPOs & IG, and the respective information asset owner. An example of this has been the collaborative approach to AI. This has included:

• ICT & Digital Leadership
• Microsoft AI learning lunches attended by 1,500+ employees in Cumberland and a demand for more sessions
• AI collaboration group where anyone with an interest in AI can contribute
• Information Governance, Data Protection Officer and SIRO direction and guidance
• Senior leadership team support and promotion
• Microsoft Copilot roll out and corporate communications
• Newly developed Generative AI Policy

Person Centered and Client-driven

The service remains focused on the experience of the users and external customers alike, fostering a creative and inclusive culture.

Traditionally within Digital and ICT departments the primary focus is to deliver highly complex technical solutions, with leadership, staff empowerment, collaboration, project inclusion and the opportunity for an individual to have the freedom to innovate frequently overlooked. These may be promoted as an aim, but in practice the absence of strong leadership has prevented them. This is not the case at Cumberland. It is the golden thread. To underpin this approach, senior leaders, including the Chief Executive, make themselves accessible to all members of staff.

What are the key learning points?

The creation of a new local authority is daunting and, to be quite honest, terrifying within the context of information & cyber security. It’s a time when organisations are increasingly vulnerable to the information and cyber security threat as new leadership teams form and new procedures are implemented. The key learning points from the Cumberland Council journey over the past three years:

At the start of the LGR process ensure, prior to vesting day, that there is a single senior leader responsible for Information & Cyber Security, for its promotion and inclusion within every transition project. Cyber security IS NOT just a tick in the box! Many projects will not have an ICT or Digital involvement, however all, for example a commissioned service, do!

Encourage your organisation to appoint senior leader(s) for ICT and Digital at the earliest possible opportunity, with the right skills, demonstrated experience and leadership know-how to create, facilitate and embed the “Cumberland culture” or a leadership and culture that best aligns to their organisation.

Create and embed a collaborative approach, identify “enablers” and build those relations. These include, internally, the ICT & Digital Teams, Information Governance, SIRO, Audit & Risk Team, Data Protection Officers, Records Management Teams, Corporate & ICT PMO. They will quickly value your input, as you will be complementing their work. Remember many hands make light work. You are not on your own!

Externally, these include iNetwork (NW WARP), National Cyber Security Centre, Cabinet Office, NHS Digital, LGA, Local Digital. The wheel has already been invented; the challenge is to find it and adapt it to your organisation! The financial situation for many councils is tough, and many of these public sector partners provide central cyber funding to support you or the knowledge for you to do it yourself.

Use public sector cyber incidents to best advantage and always reference them in presentations to senior leaders and members. It really gets the point across. Ensure you translate the technical language and technical complexities into something understandable to the lay person and standard user. Appropriate analogies can be helpful. Remember, as in Cumberland and our partners, the demographic of the workforce will be varied (18 – 82 years old). How will you include everyone in your messaging?

Establish a plan at the start for how you will strengthen the cyber security position during and after the transition, which will include consolidated ICT health checks, vulnerability scanning, penetration testing, software patching, governance and risk management, and ensure the plan is an absolute priority. ICT systems cannot be allowed to wither on the vine as new solutions are discussed, debated and implemented. This takes years. Investment in live “legacy” systems must continue.

Create a safe space for Digital, ICT & PMO teams to provide professional challenge and also provide a cyber safe technical environment for them to experiment and develop their own solutions, thinking and ideas. This includes standard users as well. Engage!

Share your plans with compliance organisations and get them onboard, for example Cabinet Office (PSN). They are friendly forces and will support your endeavours, but need to know what you are doing and the progress.

Ensure the Information & Cyber Security professionals and external private sector support you engage have a proven track record of delivery. Seek out and check organisational references. Looking good on paper, with all the qualifications, is no guarantee of a successful outcome. It’s the practical application, understanding and demonstration of the theory and your environment that is important.

Create your own information sharing and cyber security community (family) linked to the wider external community.

Treat as an absolute priority and focus, above anything else, your staff and the golden thread of leadership and core values. Get these right and you and your “family” can achieve the impossible.

Additional Comments

Remember you are not alone on this cyber journey. Empower your staff and wider organisation, by providing a safe and valued space to thrive.