Putting cyber security at the heart of our approach

Nick Roberts | 14 Dec 2015

Over the last month the Government has announced a number of new measures in a bid to elevate the awareness and importance of cyber security.

We’ve seen the Chancellor visit GCHQ and announce additional funding of £1.9 billion to deliver a series of initiatives to protect the economy and infrastructure, along with Ed Vaizey, Minister for the Digital Economy, proposing a cyber health check for FTSE 350 firms.

As a CEO, I of course welcome this as a positive intervention and one that should drive us forward as an industry to take a closer look at our own security. But as the designers, builders and operators of infrastructure that millions of people rely on every day, it’s also a chance to ask if we can honestly say we’re doing all we can to protect ourselves, our clients and the public.

In recent years we’ve all witnessed greater convergence of IT, enterprise technology and operational technology within our organisations. The pace of change has been really quite dramatic and shows no sign of slowing down anytime soon. It’s this connection between hardware and software that is making cyber attacks easier and more dangerous, penetrating to the core of our operations. What’s more worrying from an industry perspective is the potential impact of an attack on some of our Critical National Infrastructure, such as utilities, power networks and public transport. We design infrastructure to last decades, but hi-tech threats are constantly evolving. So how can we ensure we keep up with the security challenges facing our infrastructure and know we have done everything possible to protect our public services?

For me there are two steps we can take as an industry to truly embed a holistic approach to security. Firstly, we need to elevate the importance of cyber security to board level, just as safety is considered a top priority amongst senior leadership teams. In many cases this will mean investment, but like safety, this is a necessity rather than a luxury.

The second change we can make is around education, training and skills. In many cases cyber attacks do not come through a failure in the technology we’ve put in place. Instead, attackers frequently exploit the ignorance of a company’s employees to gain unfettered access to key systems. It’s for this reason that I believe we need to invest in training our people to understand and report security issues quickly.

In summary, we need to focus on the positives, learn from our mistakes and follow the Government’s timely investment and guidance to put security high up on the agenda where it increasingly belongs.