Earlier this month, we have received confirmation the GDS and CCP were removing accreditation requirements from the G-Cloud catalogue. I always pay close attention to what is communicated about the G-Cloud framework. More than 40% of our revenue came from G-Cloud last year, and we are selling more and more through the framework every week. As 80% of our business is Public Sector, we have been huge beneficiaries of the GDS SME programmes and G-Cloud in particular. The removal of the requirements to accredit (IL2 and above) follows the complete overhaul of the security standards applied to government data in April this year. Gone are the confusing Impact Levels (interpreted differently by every single government client I have ever met), replaced by the simpler system, which in my view opens up a lot of options, especially at the Local Government level. It also removes “badges” from the G-Cloud store, and replaces them with a self-certification process (which we are yet to see) from G-Cloud 6 onwards.
I have heard views that this move may make it harder from SMEs to compete, as it removes a potential distinction, and may make the buyers more nervous. Everyone can potentially offer self-certified solutions, suitable for anything they wish to make it suitable for. Hence, it may be harder for SMEs to distinguish themselves, or to provide assurance, and the trust may naturally shift to larger players. I believe that this is not the case. Here are my 10 reasons as to why this is a good thing.
1) Having an IL3 or IL2 certified badge on G-Cloud, while looking good, was of little value to the buyer. Whatever certification supplier brings, the buyer still needs to do a full risk assessment of the solution and of their overall environment. If a breach occurs, ICO or anyone else will not care whether the supplier was accredited – only whether the risk assessment was done and procedures were followed for the solution / implementation. You can implement an accredited solution in a bad way, and equally an unaccredited solution may provide much higher overall level of security of designed correctly. 2)
Sure, saying you will only deal with IL3 certified people, makes life a little easier at procurement, but it also means that you disregard solutions that may be even more secure, cheaper or more elegant and simpler, in order to satisfy an artificial requirement. Remember, having a badge, means nothing at all to you - all that matters is how you architect it. Some services demand accreditation sometimes, but even that is starting to disappear, and we have always been successful in having the argument that what we have designed / proposed is more secure than a "vanilla" IL3 would provide.
3) Certification process was long, and GDS had to have resources to satisfy it – the more suppliers, the more resources. If 80% of suppliers sold nothing through the programme, then 80% of certification resources are wasted. And why should all buyers pay for the (often unnecessary) requirements of the few? In many cases IL3 certification was demanded by lazy security managers (see point 1 and 2).
4) The certification was done at a point in time – like all accreditation it was never a substitute for understanding the service, technology or delivery model – which may change, and be different in 6 months – further undermining the value of the badge. Given that G-Cloud contract last 2 years, and the catalogue entry lasts 1 year, so potentially a buyer could believe a 3 year old badge, which is probably useless...
5) For PSN or to achieve their own accreditation for the overall solution, buyers saved very little time in dealing with accredited suppliers – they still needed the underlying information, not just the badge. Good suppliers maintain and understand the information, without necessarily certifying it externally.
6) Most importantly (and I have seen this happen), the badges gave the impression that solution (however its implemented) was suitable for the purpose, and that was simply not true – in fact it aided the confusion and suggested that internal process could somehow be simplified or avoided if only you went with an accredited supplier. It also made security look like a "gated" static process, as opposed to a dynamic, constant and continuous assessment.
7) None of our existing clients have ever asked us for a certification – our competitive advantage has always been in flexibility, price and depth of technology understanding, and it remains there, whether certain solutions are certified. Helping each one of our customers to achieve the right level of security is always part of what we do, as part of every project, so we never saw the reason for doing it "externally" for general purpose.
8) External accreditations (such as ISO27001:2013) provide the same or similar level of assurance, and help demonstrate the company is serious about security internally – and they are “supplier wide”, not simply targeting one offering from them. Hence they are a better guide for buyers, in deciding whether they are dealing with a serious company or not.
9) In terms of competition, the difference between suppliers is very clear – just try inviting 10 people to an RFP. Larger companies tend to have a completely different outlook, attitude and approach to customers, and an SME having a badge (or not) is completely irrelevant in that process. We have the ability to quickly make decisions, start partnerships, put fees at risk, and work on a share reward basis, or do pretty much anything the client wants. If the buyer values this, then they will continue to do so, if not, then they are probably never be our clients, whether we are certified or not.
10) Not having badges, increases the number of potential suppliers for each requirement. On the one hand, this can be bad – too many, and the buyer can struggle to process them properly, but on the other hand, it should force them to look at other factors more, and more competition is always good in the long run. I believe that after a while, suppliers who are not serious about working with the Public Sector will start (this has already begun) to fall away, exposing the ones that are more committed and focused on this market. The above are my views, and I do not have a deep security background, but purely from commercial / business perspective, I think the change is positive, and will help Arcus and other companies that want to do business in the sector and compete fairly, and robustly.