Why Business Impact Analysis and Gap Analysis are the Most Cost-Effective First Steps for Defence Compliance

The UK defence sector is currently experiencing a period of intense activity. With the Ministry of Defence (MoD) committing to a sustained increase in spending to 2.6% of GDP by 2027, the opportunities for Small and Medium Enterprises (SMEs) are significant. However, for many business owners I speak with, this opportunity is accompanied by a sense of compliance fatigue. The complexity of the MoD’s supply chain requirements, specifically DEFCON 658 and the Cyber Security Model (CSM), can feel like a never-ending barrier to business.

When faced with these hurdles, many Managing Directors fall into a financial trap. They assume compliance means buying expensive hardware, new firewalls, advanced encryption tools, or complex monitoring software in order to achieve various certifications. It is a solution-first model, where they buy the solution before they have diagnosed the problem.

This approach is the antithesis of a cost-effective way of addressing the issue. To navigate MoD compliance requirements without bankrupting your margins, you need to approach it in a pragmatic, logical way to establish what IS required and what ISN’T. This degree of clarity is obtained from two foundational steps: the Business Impact Analysis (BIA) and the Gap Analysis.

Why Most SMEs Overspend: The Cost of Guessing

In the medical world, a surgeon would never operate without performing an extensive examination to understand the root cause of a problem before identifying an appropriate surgical pathway. Yet, in the defence supply chain, I see companies purchasing expensive Security Information and Event Management (SIEM) systems or 24/7 Security Operations Centre (SOC) monitoring because they presume this is what their client requires. They create a need for these tools without ever establishing what purpose they would serve.

The trick is to understand the value of your information to your business, to the MoD and other stakeholders, and to hostile threat sources and actors. Once you know what you are protecting, you can then take appropriate, informed decisions on how to protect it. This lays a firm foundation for justifying expenditure on expensive and complex technical control mechanisms, or, in some circumstances, for justifying expenditure on more economical but equally effective alternatives.

If you apply “High” level, expensive security controls to “Very Low” risk issues, then it is waste, plain and simple. You may also be hampering your business operations with security restrictions that are simply not necessary.

Under the MoD’s Cyber Security Model Issue 4 (CSMv4), for example, conformance is risk-based. If you skip the analysis phase, you risk overspending on security you are not contractually required to have.

Why Do Businesses Need to Conduct a Business Impact Analysis (BIA)?

A BIA is a workshop-based activity conducted with key business stakeholders which helps organisations prepare for unexpected disruptions by identifying and evaluating the potential impacts on key operations.

This analysis is essential for developing strategies that minimise downtime and financial losses, as well as for identifying the relationships between business departments that affect information and data security. The latter point is crucial in forming an understanding of which controls are most effective in addressing or mitigating business risks.

The main objectives of a BIA are to:

  • Identify which activities are critical for the organisation’s survival
  • Assess how disruptions could affect these functions
  • Prioritise recovery plans to address potential challenges

Additionally, a BIA provides leadership with actionable data, enabling more effective decision-making during crises.

What is the Purpose of a Gap Analysis?

Once the BIA has identified what needs protecting, the Gap Analysis identifies how to protect it.

A Gap Analysis is a systematic comparison of your current security posture against a known standard such as the Cyber Security Model, DefStan 05-138, FSC, IPSA etc.

Using DefStan 05-138 as an example, the MoD will specify the Cyber Risk Profile Level it expects its supplier(s) to achieve and maintain as part of the contractual requirements.

The Gap Analysis examines what security controls the business currently has in place compared to the requirements of the DefStan. Where there are gaps, these are recorded and reported. Once the Gap Analysis is complete, a prioritised roadmap is produced identifying what the business needs to do to address the gaps against a proposed timeline. Instead of a vague, blanket-style approach, the business is provided with a targeted set of controls to implement which can be costed in terms of resource and technology, such as:

1. Implement Multi-Factor Authentication (MFA) on the cloud portal

2. Update patching policy to 14 days for critical vulnerabilities

3. Formalise the Incident Response Plan.

The Gap Analysis is a cost-efficient means of identifying what is required to implement the appropriate amount of security for the business, avoiding expensive, over-engineered solutions which may otherwise lead to cost and time overruns and may not even address your security requirements.

The Benefit of the BIA and Gap Analysis

Undertaking a BIA and Gap Analysis pays dividends when you engage with Prime Defence Suppliers and partner organisations who, as part of their due diligence activities, require proof of your cyber maturity. A BIA and Gap Analysis report provides evidence of your own maturity and underpins any risk-based discussions needed to justify the decisions that have been taken.

Frequently Asked Questions

Q1: When should I consider a Business Impact Analysis?

Usually when the business is considering a strategic or significant change, for example changing direction and targeting new markets (e.g. Defence). The BIA will assist in informing the business of the legislative and regulatory impacts of the change, as well as the potential costs of restructuring cyber and information security arrangements. BIAs and Gap Analyses are very useful when producing Business Cases for new strategies, programmes or projects.

Q2: What is a CRA (Cyber Risk Assessment)?

The CRA is the MoD’s tool for determining the cyber risk associated with a specific contract. Under CSM Issue 4, the buyer (the MoD) completes an initial assessment of a contract to establish a Cyber Risk Profile Level, which is flowed down to the contract supplier and then onwards through the supply chain.

Q3: Can we conduct a BIA and Gap Analysis ourselves?

You can, but internal teams often have blind spots. External auditors or consultants like Pera Prometheus can often deliver it more effectively because they do it regularly. They can provide a comparative analysis against similar organisations and recommend efficient, cost-effective solutions.

Conclusion

Conformance and Compliance should not be treated as a box-ticking exercise.

Conformance and Compliance can be strategic enablers and should be treated with the care and due diligence that decisions of this level require. By prioritising a Business Impact Analysis and Gap Analysis, you avoid uninformed decision-making.

At Pera Prometheus, we specialise in helping businesses, be they large enterprises or SMEs, navigate Defence compliance with precision. We don’t just give you a checklist; we give you a roadmap to secure your business and win credibility. Contact us today for a compliance readiness Discovery Call. Let us help you turn compliance from a barrier into a competitive advantage.

Stay Safe, Stay Secure