City of Bradford Metropolitan District Council 

Northern WARP – IT Security Training Joint Procurement 

Briefly describe the initiative/ project/service; please include your aims and objectives

Local government authorities (LGAs) are increasingly facing cyber threats that can compromise their data, systems and services. To enhance their cyber resilience and protect their citizens, LGAs need to invest in cyber security training for their officers. Cyber security training can help LGAs to identify, prevent and respond to cyber attacks, as well as to comply with relevant regulations and standards. Cyber security training can also foster a culture of cyber awareness and responsibility among LGA staff, which is essential for maintaining good cyber hygiene and reducing human errors.

LGA funding for cyber security training can support LGAs to access quality and affordable training programs that suit their needs and capabilities. LGA funding can also enable LGAs to collaborate with other LGAs, local and central governments, and industry partners to share best practices and resources on cyber security. LGA funding can also incentivize LGAs to adopt a continuous learning approach to cyber security, which is necessary to keep up with the evolving cyber landscape and emerging technologies. LGA funding for cyber security training is a strategic investment that can benefit LGAs in the long term. By improving their cyber security posture, LGAs can enhance their service delivery, reputation and trust among their stakeholders. LGAs can also reduce the costs and risks associated with cyber incidents, such as data breaches, ransomware attacks and service disruptions. LGAs can also contribute to the national cyber security agenda and support the economic and social development
of their communities.

The Local Government Association provided each LGA through an online submission to get £5k to help with professional cyber security training , this was given out twice once in 2019 and another in 2022. In 2019 the YHWARP ran by Bradford Council undertook this for its own members which was really successful and in 2022 YHWARP joined up with the NEWARP and NWARP and we managed to get 22 of Local Authorities onboard.

The main objectives were;
– Maximise the pool funding
– Maximise the number of delegates that can go on the course
– Making sure that the course provide exams
– Maximum of 3 officers being trained with exams
– Undertake 2 rounds of professional cyber training
– Allow a wide range of courses to be available
– Additional benefits with the large procurement from QA
– Making sure that we have a good return on exam passes – 40% and above on all courses

The initiative and innovation was to pool this money together to get the best deal possible for the 3 WARPS and make sure that there was value for money and maximising our investment from this initiative.

What are the key achievements?

One of the most important aspects of IT security is training the staff to be aware of the risks and best practices. However, many organizations lack the budget or resources to provide adequate training for their employees. This is where pooling money for IT security training can be a great solution. Pooling money for IT security training means that several organizations or individuals contribute to a common fund that is used to pay for high-quality and relevant training courses. This way, they can share the costs and benefits of learning from experts and gaining valuable skills.

Some of the achievements that can result from pooling money for IT security training are:

– Improved security posture: By learning how to prevent, detect and respond to cyberattacks, the staff can reduce the likelihood and impact of security breaches. They can also comply with the standards and regulations that apply to their industry and protect their reputation and customer trust.
– Enhanced collaboration: By pooling money for IT security training, the organizations or individuals can also network and exchange ideas with each other. They can learn from each other’s experiences and challenges and find solutions together. They can also create a community of practice that supports each other and fosters a culture of security awareness.
– Increased efficiency: By pooling money for IT security training, the organizations or individuals can also save time and money that would otherwise be spent on finding, evaluating and booking training courses. They can also access a wider range of courses that suit their needs and preferences. They can also leverage economies of scale and negotiate better prices and discounts with the training providers.

Here are the stats regarding the achievement from the joint procurement of the pooling of the Local Government Associations.

Cyber Security Training money provided to Local Authority.
Round 1 – December 2022 – March 2023
The listed price for round 1 was £115,000
We paid with exams included on all courses
Round 1 – £50,000 – 35 delegates – 6 courses
Round 2 – April 2023 – March 2024
The listed price for round 2 was £105,000
We paid with exams included on all courses
Round 2 – £46,000 – 34 delegates – 10 courses
Courses attended
1. Certified Ethical Hacking Course
2. CISSP
3. CISM
4. BCS Certificate in Information
5. NIST
6. CompTIA Security+
7. Certified Data Protection Practitioner
8. Certified ISO 27001 Practitioner (QAISOP)
9. Lead Auditor ISO27001 (QAISO27KLA)
10. Management of Risk (M_o_R 4) Total Learning (QAMOR4-TL)
11. Certified Chief Info Security Officer
12. System Security Certified Practitioner

Total cost of the courses would have been including exams £220,000 , with the funds pulled together between 22 Local Authorities we managed to spent £96,000. Saving of £124,000. Just shows when we pull together funds we can make huge savings.

From the exams taken so far this is the percentage of those that have passed the exams over the two rounds
1. Certified Ethical Hacking Course – 90%
2. CISSP – 60%
3. CISM – 65 %
4. BCS Certificate in Information – 90%
5. NIST – 90%
6. CompTIA Security+ – 70%
7. Certified Data Protection Practitioner – 80%
8. Certified ISO 27001 Practitioner (QAISOP) – 60%
9. Lead Auditor ISO27001 (QAISO27KLA) – 80%
10. Management of Risk (M_o_R 4) Total Learning (QAMOR4-TL) – 90%
11. Certified Chief Info Security Officer – 50%
12. System Security Certified Practitioner – 80%

On the back of that we have also had some money left and went out for a smaller round 3 of the IT Security Training on the following courses;
• Incident Response & Continuity Exercising Simulations (6 delegates)
• Certified ISO 27001 Practitioner (6 delegates)
• Certified Information Security Manager (6 delegates)

Also an additional 19 staff will be trained in 2023/2024 from the above which cost £20k if each member had to go out themselves the cost would have been £40k so saving £20k 

How Innovative is your initiative?

This has never been done at any level in the UK , where central funding has been provided to Local Authorities and to look at pooling this together that money to maximise the impact this had for training staff on professional IT Security training. We made sure by speaking to the LGA that there was no issues for pooling the money together and they confirmed as long as one officer undertakes the training and exams by 31st March 2023, then that would be acceptable. We undertook the round 1 procurement through our process and then in round 2 we were supported by Calderdale Council to help with the procurement with QA training. The process was very easy, asking for expressions on what course each LA wanted to undertake, this was then gathered by Bradford Council on numbers. Negotiations took place between Bradford and QA , on the cost of the course and being able to maximise the training and on the back of that we had a cracking deal where we ultimately saved £124,000 of public sector money if we had gone alone to undertake all of those courses.

We made sure that the courses were private to WARP members , which helped with networking and also being able to share experiences etc in a trusted environment. It also helped that all the courses were done online and helped to maximise the funding further without paying for expenses, travel etc. We believe this is innovation at its best maximising funding, pooling money together across the Local Authorities, making sure that we got the best deal possible, networking in a safe environment and most of all creating stronger links between YHWARP, NEWARP and NWWARP, and on the back of that we created the Northern WARP.

What are the key learning points?

One of the benefits of pooling money together on IT Security Training is that it can reduce the overall costs and risks for each individual or organization involved. By sharing the expenses of hiring qualified instructors where we have the choice to choose them, purchasing relevant materials, and accessing online platforms, the participants can enjoy a higher quality of learning at a lower price.

Additionally, by learning from each other’s experiences and best practices, the participants can enhance their skills and knowledge in a collaborative and supportive environment. This can lead to improved security awareness, performance, and compliance across the network. Furthermore, by pooling money together on IT Security Training, the participants can create a stronger sense of community and trust among themselves. They can leverage their collective resources and expertise to address common challenges and opportunities in the field of IT security. One of the other key learning from pooling money for IT Security Training is that it can create a collaborative and supportive culture among the WARP members. By sharing the costs and benefits of the training, the employees can motivate each other to learn new skills and apply them in their work. They can also exchange feedback and insights on the best practices and challenges of IT security. This can foster a sense of trust and accountability among the team members, as well as improve their performance and satisfaction. Pooling money for Security Training can also help the organization to save resources and achieve its goals.

By investing in the training of its employees, the organization can enhance its security posture and reduce the risks of cyberattacks. It can also leverage the expertise and knowledge of its employees to innovate and improve its products and services. Pooling money for IT Security Training can be a win-win situation for both the employees and the organization, as long as it is done with clear objectives, expectations and agreements. They can also benefit from the social and professional connections that can result from such a cooperative endeavour. In conclusion, pooling money together on IT Security Training can offer multiple advantages for the individuals and organizations involved, such as cost reduction, risk mitigation, skill development, and network building.

This is very easily replicated using the following steps
1. Agree on funding amount with organisations
2. Agree on courses / outcomes
3. Agree on lead organisation that will pull the information together
4. Collect information around delegates and which courses
5. Negotiate with training provider on cost for providing the courses with numbers
6. Agree on price
7. Using direct award or procurement to run the tender
8. Award tender
9. Pass on information to winning provider
10. Allow them to undertake the coordination , exams etc
11. Report back on the outcomes agreed to those that participated or did not participate in the pooling of funds