Lord Harris

Lord Harris of Haringey

1

Tell us about your career in cybersecurity to date.

I have been involved in security matters in the UK for at least a quarter of a century, probably longer. Twenty-odd years ago, being a member of the House of Lords, I had security people and professionals coming to me to raise issues about the vulnerabilities in cybersecurity surrounding the UK’s critical national infrastructure. They were not just referring to nation-state incursions but the everyday hackers and the proliferation of cyber crime affecting so many UK businesses. I pursued this in Parliament and the initial response could only be described as complacent. I was assured that there wasn’t really a problem, that it was all under control, there were decent systems in place to deal with the different cyber threats. But that was then. Within a few years, the fears were publicly acknowledged and it has become a key issue – one that I continue to raise both in Parliament and elsewhere.

2

What does Cyber Safety mean to you?

The compliance model is a dangerous one for many organisations, breeding the very real threat of complacency. Too many organisations tick all the boxes, comply with all the recommendations, and pay a cybersecurity firm to install various bits of software on their system, feeling confident that they have ‘done’ cybersecurity.

The reality is that this level of cybersecurity isn’t enough. Organisations need to follow a cyber safety model which is an entirely different way of operating your organisation. It’s about identifying the most vital parts of your organisation, contemplating what would happen if they were to vanish, and examining every single possibility of failure. It’s about recognising that when a breach does occur, there needs to be a very clear, detailed plan in place and a second order of defence.

Cyber safety to me therefore encompasses far more than just security. It must involve the entire company, and every individual within it. It also has to look at the different forecasts and plans for the future.

3

Why is Cyber Safety important to you?

I chair the National Preparedness Commission, whose focus is on how we can raise our game in the UK to be more prepared and more resilient to all sorts of threats, one of which is cyber. We increasingly live our lives through digital means. That is creating a huge vulnerability. Unless the entire system is secure, the safety of the whole of society is put into jeopardy. That’s why cyber safety is so vital and why I’ve decided to become a member of the Cyber Safety Force.

4

What are the three biggest Cyber Safety challenges facing businesses today?

It’s an arms race. The good guys are trying to keep up with the bad guys, the technology is becoming increasingly sophisticated, and there are threats coming from lots of different directions. The big issue is that cybersecurity has become a case of keeping up to speed and responding to something you’ve never seen before on a regular basis. The second problem is that issue of compliance. You’ve got to make sure you’ve met all the sensible safety requirements that your investors and auditors expect you to have done, but you need to go far beyond that. Doing what you’re expected to do does not make you safe; there needs to be that shift towards a cyber safety mindset.

Finally, it’s about culture. The biggest weakness is often people and when we’re all trying to get a job done quickly, cybersecurity isn’t likely the first, second or even third thought that comes to mind. I believe we’re past the day of passwords on sticky notes on computer screens, but that doesn’t mean security has greatly improved here. We need to foster an environment of cyber safety, involving people, processes and technology.

5

What more can be done to support businesses with improving their Cyber Safety?

A huge help would be greater intelligence. Having a clear understanding of what’s out there, who’s doing what, what the current scams are, phishing techniques, attack vectors etc. Having a network of information and experts to build cybersecurity into all business departments is what’s currently missing and where businesses could do with further support, and it’s one of the key reasons for the Cyber Safety Force.

6

Why do you think businesses generally prioritise cybersecurity ‘compliance’ without striving to champion best practice and true Cyber Safety?

It’s largely driven by businesses looking for the easiest answer to solve the problem. But the reality is that there is no ‘easy’ answer, nor are there simple ‘guidelines’ when it comes to cybersecurity. All they provide is a false sense of security. Businesses need to move past the ‘tick box’ mentality.

7

How will online security continue to evolve in the years to come?

It’s difficult to predict this but there are a few evolutions we can be certain of. Security and threats will change and develop rapidly. One must presume that machine learning and AI will accelerate this process, as it is doing across all areas of technology. Reassuringly, this technology will also help to support our response and businesses should make use of such tools when they become available. The difference between the winners and losers will be how quickly businesses can adapt and respond; cyber criminals don’t have to wait or worry about procurement policies.

8

Are there any other businesses you believe set the standard for cyber safety?

The concept of the Cyber Safety Force is to encourage people to exchange information in a safe space, gaining a clear understanding of what they can do and how they can respond. Its whole purpose is to recognise that a culture and a mindset of cyber safety is needed; there is no finish line or goalposts. As a result, I would say there is no business that is setting the standard currently – that is the reasoning behind the Cyber Safety Force, for organisations always to strive for better security and ultimately, safety.
