Dr. Colin Williams
CTO, Computacenter
1. Tell us about your career in cybersecurity to date
I’ve been fortunate to be in the IT industry in many forms for around 35 years. My roles have included security, technical, and strategy leadership from the mid-80s, so I was involved in the dawn of server-based networking, early security infrastructure that became the physical firewall, the evolution of legacy firewall platforms to become next-generation appliances, and the appearance of soft and virtualised security controls (including zero trust principles). Now, I’m excited about the emergence of generative AI offering the game-changing defensive capabilities that are required to face unprecedented cyber security attacks at a previously unseen level.
2. What does Cyber Safety mean to you?
Cyber safety to me is about ensuring every data-driven interaction is inherently secure for users, businesses and organisations all of the time. This isn’t something that can be partial, with some parts of the chain secure and others insecure. We are only as strong as our weakest link so everything, everywhere all the time - especially if it’s data centric - must be inherently secure.
3. Why is Cyber Safety important to you and your organisation?
Cyber safety is important to me and my organisation because we have a duty of care to our own employees, our customers and everyone we trade with to ensure our activities do not compromise their data or their outcomes. To this end, cyber security is priority one, or maybe even priority zero for everybody.
4. What are the three biggest Cyber Safety challenges facing businesses today?
Firstly, it’s the continued data growth that presents both a challenge and an opportunity. There is an unmatched opportunity to leverage that data as threat intelligence proactively to defend and accelerate response. But there is also a significant challenge due to the massive attack surface that data presents to anyone seeking to compromise an organisation.
Secondly, the sheer sprawl of data, that continues to grow at a never-ending rate, is the reason why “the business of ransomware” (which is often a primary cyber security concern for many business leaders) is such a lucrative and highly effective way of compromising an organisation.
And finally, the skills shortage must be mentioned, but I think it’s less of a shortage in my opinion and more of a skills reallocation requirement. We have a vast workforce of IT / cyber professionals who, via skills modernisation and better understanding of how to leverage data and new tools, are ideally placed to resolve the skills challenges that we have today and will have in the future.
5. What more can be done to support businesses with improving their Cyber Safety?
Education and awareness for all is fundamental and I believe this is still lacking. In a data-driven world, whether in the corporate office or our social and personal domains, an enhanced understanding of cyber security implications when accessing applications and systems is essential to ensure we can all defend against the impossible.
This is why I put education and awareness at the top of my list. It is also important to simplify and increase the availability of operational cyber security support services, with options from the smallest organisations who may not have the in-house resources to fully secure their activities, right up to the largest.
6. Why do you think businesses generally prioritise cybersecurity ‘compliance’ without striving to champion best practice and true Cyber Safety?
There are a number of reasons why businesses prioritise compliance. First off, it’s easier to manage something that is measured and aligned to accountability. A compliance-driven approach offers clear guidance on the metrics that matter and what constitutes compliance to a minimum standard (i.e. “the system has passed”).
Therefore, organisations, in the absence of their own cyber security strategies and architectural templates, can find comfort in the clear guidance offered by compliance and regulatory frameworks.
However, compliance-driven security approaches can offer a false sense of security due to the compliance frameworks potentially inferring nothing more is required for the system or organisation to be deemed secure. In most cases such an approach presents guidelines and controls for a general context and can miss the unique business, operational and security characteristics of an organisation that must be used to augment many of the compliance-driven requirements.
7. How will online security continue to evolve in the years to come?
This question is one of context because online security can mean many things, but broadly, I fear online security will get worse before it gets better. As we continue to increase online interactions, and therefore shift both citizens and previously offline transactions to new online platform environments, there are many elements that must be continually enhanced.
As an example, a ubiquitous digital identity must appear at some point that brings together the span of personal and professional identities an individual possesses to offer a unified point of privilege and control. However, I fear we are still many years away from this.
I think we must also raise the awareness level of the volume of data that exists within online systems which quickly becomes invisible (with security absent or lapsing) and either a target for exploit or misuse, intentionally or inadvertently, by your online system providers.
8. Which technology with the potential to improve Cyber Safety are you most excited about?
Without joining the hype, the technology with the potential impact to improve cyber safety and security must be language models and Generative AI. It doesn’t mean it’s the answer to everything, but the ability to mine data in ways beyond human capabilities, at the speed and scale it offers, generating proactive mitigation, response and remediation will provide unprecedented cyber safety capabilities.
I think we’ve already reached the point that, regardless of whether it’s considered hype or fundamental, we have no choice but to use GenAI to defend against cyber attacks that will no doubt use AI in the future.
9. Are there any other businesses you believe set the standard for Cyber Safety?
Public sector organisations must set the standards and be seen as exemplars for cyber safety. We are all citizens of a nation with our private data and interactions with public services fundamental to being part of a society.
Therefore, public sector organisations must be seen as impregnable from a cyber safety point of view to protect our digital wellbeing, especially as more and more public services will become digital by default.
On the other side of the coin, it’s impossible to avoid the importance of financial services who must also offer a similar exemplary approach to cyber security to ensure the financial wellbeing of both consumers and organisations. As the physical representation of money and funding continues to diminish with digital transactions and currencies, the financial services industry must have a non-negotiable role to play in the use and adherence to best-in-class cyber safety best practices.