
Scottish Cyber Coordination Centre: SC3 strategic plan 2024 to 2027

An overview of operating principles, functional structure, and service development plans to support the mission and objectives of the Scottish Cyber Coordination Centre.

1. Mission

1.1 Context

The Strategic Framework for a Cyber Resilient Scotland, championed by Scottish Ministers, outlines their vision for a digitally resilient nation. In this Framework, they acknowledge the pivotal role of digital technologies in our daily lives, society, and economy. As Scotland embraces and benefits from digital transformation, it also faces a serious and evolving cyber threat and risk landscape as a result. Following on from several significant cyber attacks on Scottish Public Sector organisations, Ministers announced that as a matter of urgency they were bringing forward proposals for the establishment of a recognised, authoritative, and collaborative function to combat the accelerating cyber threat. The Scottish Cyber Coordination Centre (SC3) was established to meet this requirement and address key cyber resilience challenges facing Scotland.

1.1.1 Cyber resilience challenges across the public sector

  • Disjointed community: siloed organisations and security teams with a lack of shared service solutions or common collaborative efforts.
  • Varying levels of cyber security maturity (and criticality).
  • Insufficient specialist skills and resources.
  • Lack of consistent C-suite ownership and understanding of cyber risk.
  • Reliance on legacy technology.
  • Lack of senior awareness and visibility of supply chain vulnerabilities and risks.
  • Escalating threat and risk environment as digital adoption increases.

1.1.2 Benefits and opportunities of SC3

  • A unified, coordinated approach to cyber resilience.
  • The provision of specialist services and targeted support to organisations.
  • A capability offering to raise the bar on cyber maturity nationally.
  • An opportunity for continuous data-driven insights and improved understanding of the cyber maturity and resilience landscape.
  • An opportunity to realise economies of scale and efficiencies for reputable centralised services such as threat intelligence and vulnerability management.

1.2 Vision

Vision for 2027: SC3 will be a focal point for Scotland’s cyber security and resilience, providing services to help protect against and respond to the accelerating and evolving threat of cyber attack while promoting adherence to appropriate standards and best practices across critical functions and infrastructure.

1.3 Objectives

1. Create a data-driven operation that can track and evaluate actionable security metrics for every public sector organisation in Scotland.

2. Ensure that public sector organisations remain informed regarding current and emerging risks and threats, and are equipped and prepared to manage them.

3. Reduce the prevalence and remediation timescales of exposed and exploitable vulnerabilities across the public sector.

4. Increase the level of preparedness for cyber incidents across the public sector, such that all organisations have current and well-tested response plans and that major national cyber incident response processes are robust and effective.

5. Ensure that appropriate standards and good practices for cyber and information security are defined, reviewed, adopted, and adhered to across the public sector.

The objectives and development of SC3 also align closely with the UK Government’s Government Cyber Security Strategy. Published in 2022, this strategy sets out how the UK Government will ensure that all core government functions are resilient to cyber attack, strengthening the UK as a sovereign nation and cementing its authority as a democratic and responsible cyber power. It advocates for a holistic approach to be taken, and this is reflected in the two strategic pillars of ‘Organisational Cyber Resilience’ and ‘Defend as One’.


