The UK Defence supply chain is complex and reliant on many Small and Medium-sized Enterprises (SMEs). In response to global tensions and the increased capabilities and resources available to modern threat actors, SMEs have a growing responsibility to strengthen their defensive capabilities and security posture, to protect the sensitive information they hold and, in turn, the nation's interests. As the backbone of Defence innovation, SMEs are no longer too small to be a target; rather, threat actors increasingly view them as soft targets and potential gateways into larger Defence Primes and national infrastructure.
To counter these increasing threats, MOD has introduced Cyber Security Model version 4, developed alongside DefStan 05-138 Issue 4, and has worked with IASME, who have introduced the Defence Cyber Certification (DCC). Both initiatives require increased due diligence in the management of information and digital assets, and with this comes an increased responsibility for SMEs to deliver information assurance and cyber resilience.
Meeting the increased demands from MOD requires skilled individuals who are costly to employ and difficult to retain. One option is to contract a Remote Security Manager (RSM), also known as a Virtual Security Manager (VSM) or Virtual Chief Information Security Officer (vCISO), to provide the expertise needed to manage the business's Cyber and Information Security. Both are skillsets that take years to develop and are expensive to produce or retain in-house, so drawing on external resource is a cost-effective way of covering a highly technical and specialist area.
The Capability Gap: Why General Commercial Support is Insufficient
Working with Defence involves a 'step-up' in risk management, from both a business and a Cyber/Information Security perspective. This is a direct result of the threat level that must be addressed when supporting Defence contracts.
While standard commercial technologies (e.g. antivirus, IT infrastructure and general support capabilities) form a good basis, additional emphasis and diligence are needed in the management of processes, people and technology.
Defence-grade security requires a proactive, governance-heavy approach that traditional IT generalists often lack the resources or expertise to provide. Cybersecurity in the Defence sector is a business-critical issue that must be led from the top, integrating risk management into the heart of the organisation’s strategy and a culture of evidence gathering to prove that processes are being managed and maintained.
Traditional or commercial IT roles are often only required to take a compliance approach to the day-to-day management of systems. For Defence, a risk-based decision-making approach is required, and this is a speciality an RSM can bring to a business: providing the oversight needed to ensure that Cyber and Information Security processes and procedures are identified, prioritised and documented in line with organisational and contractual objectives.
The RSM Framework: Governance, Risk, and the NCSC 10 Steps
A Remote Security Manager serves as a strategic partner, implementing and managing a governance framework derived from the Government Functional Standard GovS 007: Security, and aligned with the NCSC 10 Steps to Cyber Security and the Cyber Governance Code of Practice.
This role is focused on:
- Risk Management: Gaining assurance that critical assets are identified and that risk mitigations account for changes in the threat landscape or regulations.
- Strategy Alignment: Ensuring the cyber strategy is embedded within the wider organisational strategy and meets MOD regulatory and contractual obligations.
- People and Culture: Promoting a security culture that encourages positive behaviours and accountability across all levels.
- Incident Planning: Developing and exercising plans to respond to and recover from cyber security incidents impacting business-critical processes.
- Assurance and Oversight: Establishing clear roles and responsibilities, including quarterly reporting to the board to track suitable metrics.
- Asset Management: Maintaining a complete, accurate, and up-to-date inventory of all assets to ensure you understand what you have and can protect it.
- Supply Chain Resilience: Formally evaluating and managing the cyber risks of third-party providers, an expectation that the Cyber Security and Resilience Bill 2025 is set to place on in-scope organisations and their suppliers.
- Continuous Monitoring: Moving beyond static defences to detect and analyse anomalies in real-time.
By drawing on the knowledge and skills of RSMs/vCISOs, SMEs gain access to seasoned expertise at a lower cost than a Full-Time Employee (FTE). Many SMEs do not need an FTE in this role.
Operational Resilience: Managing Insider Threats and Supply Chain Vulnerabilities
Supply chain resilience expectations are particularly challenging for SMEs, which tend not to have extensive knowledge and expertise in this area.
An RSM helps SMEs manage supply chain security by bringing their experience to bear, assessing business and sub-contractor information risks and conformance to contractual obligations.
As a first step, the RSM will usually carry out a Gap Analysis to understand where effort is required to develop policies and procedures for managing the Defence client's information. From there, a programme of work is constructed and agreed with the client to address any shortcomings found in the assessment. This could involve:
- Developing and implementing an Information Security Roadmap
- Delivering a staff information security training programme
- Developing and implementing an Information Security Management System
- Undertaking business and supply chain risk assessments
- Advising on the development of sub-contractor contracts to reflect the flow down requirements of overarching Defence contracts
- Providing senior stakeholders with relevant advice and guidance on matters concerning Cyber and Information Security
- Advising the business on relevant security certifications (e.g. Cyber Essentials, ISO 27001) and supporting it in attaining those selected
Through these activities, the RSM reduces the business's exposure to threat actors who target SMEs as a route into Defence Primes.
FAQs
1. What is the difference between an MSP and a Remote Security Manager for Defence?
– An MSP manages day-to-day IT operations (uptime, patching), while an RSM/vCISO provides high-level strategic governance, risk management and alignment with MOD standards.
2. How does an RSM help SMEs meet Cyber Essentials Plus requirements for MOD tenders?
– An RSM guides the implementation of the core technical controls and prepares your organisation for the independent verification that Cyber Essentials Plus requires, ensuring the SME is audit-ready for MOD tenders.
3. What are the security risks for SMEs in the Defence supply chain?
– Key risks include weak physical security, the absence of a business continuity plan, the absence of a Security Management Plan (SMP), cloud misconfigurations, weak credentials and insecure APIs, any of which malicious actors can exploit to gain unauthorised access to sensitive Defence data.
4. Can a Remote Security Manager handle incident response remotely during a breach?
– Yes. An RSM establishes incident response plans and, during a breach, can take responsibility for critical decision-making, external communications and meeting the time-bound regulatory and contractual reporting obligations that apply to the business.
5. How does outsourcing security leadership improve our board-level accountability?
– An RSM provides the board with formal reporting and cyber literacy, ensuring directors can effectively govern cyber risk as a material business risk.
Conclusion
In the evolving UK Defence landscape, SMEs within the MOD supply chain are a genuine target and must move beyond tick-box compliance to build a culture of security resilience. A Remote Security Manager gives SMEs the benefit of an experienced security expert at a reduced cost. Expert RSMs from consultancies such as Pera Prometheus can provide the high-level governance and strategic foresight needed to safeguard both your business interests and national security. By drawing on specialised expertise on a flexible basis, your organisation can focus on its core business while maintaining compliance and security.
Stay Safe, Stay Secure