Simon Hodgkinson

Strategic Advisor, Performanta (Ex BP CISO)


Tell us about your career in cybersecurity to date

My career spans 38 years in information technology, with the last 15 years having an increased focus on cybersecurity specifically. However, we’ve only recently started to differentiate between IT and cybersecurity, so I’d say the field has been a core part of my career for all 38 years!


What does Cyber Safety mean to you?

Coming from an Oil and Gas background, safety is a culture, not a specific task. Cyber safety is the same – it is about the culture one drives.


The best analogy I can give is at bp, no one would walk past a slip hazard, they would intervene for the safety of themselves and others. They would also record it as a near miss (something that could have led to an incident) such that the organisation can learn and put in place controls to stop the near miss happening again.


We need that same open, transparent speak up culture in the cyber space so your organisation, and the industry as a whole, learns from near-misses.


Why is Cyber Safety important to you and your organisation?

Cyber is a risk to the business achieving its strategic objectives. Therefore, being cyber safe can reduce the risk of falling victim to a cyber attack. It’s essential to business growth in a way that mere compliance fails to achieve.


What are the three biggest Cyber Safety challenges facing businesses today?

As I’ve mentioned, culture is a huge part of cyber safety and that’s a really difficult goal to achieve. Linked to that is the challenge around accountability. It needs to be really clear who is taking on the risk understanding and ownership of each area of the enterprise.


Once these two challenges are overcome, you’re met with a third: capability. Do you have the necessary skills to meet the cyber safety goals you’ve set out to achieve? Organisations have to understand their capabilities and what they may need to add in order to progress their cyber safe agenda.


What more can be done to support businesses with improving their Cyber Safety?

We need to encourage transparency. People should feel confident to speak up when they have fallen victim to a breach. This enables others to learn and hopefully avoid being the next victim.


Bitdefender recently revealed that 70% of IT organisations have been told not to report a data breach. My assumption is this is because of the potential for a regulator to take action, but in my opinion, this is counterproductive and quite the reverse of a learning/safety culture.


The greatest example of a learning/safety culture is the airline industry which dramatically improved safety performance. Human progress is driven by learning from failure.


Why do you think businesses generally prioritise cybersecurity ‘compliance’ without striving to champion best practice and true Cyber Safety?

There are two main reasons. First, because regulation requires an organisation to meet certain standards, so they have to at least reach compliance. Second, with increasingly constrained resources (budget and people), organisations only focus on achieving the minimum, mandatory standards to comply with regulation.


Awareness of course plays a big part here. If organisations were aware of the danger they’re in through not adequately preparing for a cyber attack, resource would be allocated. However, because they’ve not yet been attacked, many organisations tend to operate under a false sense of security and therefore focus only on compliance.


How will online security continue to evolve in the years to come?

With the rapidly increasing pace of digitalisation, and the democratisation of access to the digital world and building within this landscape, we absolutely have to shift left and build security in from the very beginning.


For too long, security has been a ‘bolt on’, and we need to move past that. This means when new code is released, we have complete faith (to the best of our knowledge at that time) that it is 100% secure.


Which technology with the potential to improve Cyber Safety are you most excited about?

No technology will improve cyber safety on its own. This is a people, process and technology challenge. However, with the ever increasing acceleration of digital, the key will be automation. Automation which continuously monitors the risk profile as the threat landscape evolves will be business critical, and with that, automates remediation wherever possible.


Are there any other businesses you believe set the standard for Cyber Safety?

