What is the Cyber Security Challenge in the Support Services Sector?
This month, Duncan Hoggett speaks to IT security expert Randle Cowcher about the cyber security threat and how interims are helping companies to prepare. Randle’s current placement by Odgers Interim is as IT security manager for Northern Powergrid.
With over 25 years’ experience, have you noticed management teams paying more attention to cyber security?
Absolutely, there’s no doubt that the recent WannaCry ransomware attack has made everyone sit up and pay attention, particularly chief executives. It’s driven largely by media interest and the ongoing timeframe of the attacks has kept it in the headlines.
For utility companies, electricity will perhaps be the most targeted of operations and protecting this is rising to the top of the national infrastructure agenda. Businesses in the sector are also aware that two major milestones are approaching, smart metering in 2020 and smart grid in 2022, both of which bring risks which they are ready to manage.
Thinking further back, the December 2015 and 2016 attacks on Ukraine’s power grid raised concerns for many companies. Not to the same extent, however, as the latest round of attacks.
How has this attitude shift affected leadership teams?
It has encouraged CEOs to prioritise cyber security. Security managers are being issued with new mandates, and (hopefully) increased budgets to ensure that the right preventative methods are in place. In terms of business importance cyber security is now, at least, on par with physical safety – which represents a remarkable step-change.
As part of this, there’s increasing visibility of cyber security within organisations. Having a secure IT foundation is now used as a competitive tool to win favour by different managers, each trying to prove they have the most robust defences in place.
IT managers are now required to allocate more resources and time to fully protect data – I’d estimate that up to half of their time is now dedicated to cyber security.
What does the UK’s cyber security talent pool look like?
Many IT security managers joined the sector around forty years ago or so – which means a high proportion are nearing retirement. Skills-wise, you tend to have people with specialisms, rather than an overarching skillset.
There are plenty of general and specialist cyber-security roles available – cyber security teams are growing, not just in utilities. In financial services, you can expect to see large teams approaching 300 employees. When I worked for one of the UK’s largest banks, I watched a team of five grow to number around 250 people.
What is the role of interim managers within the sector?
Demand for interims and consultants is growing. As companies work to increase their cyber security, many are seeking additional resource to support and further strengthen their cyber teams and defences.
What skills are vital for success as an interim in the sector?
As management teams are increasing, management skills are absolutely vital. Acting as an interim manager in cyber security now involves leading expanding teams, so the most important skill of all is team and programme management.
You also have to take on both the vision and the limitations, both in IT itself and through working in a corporate environment while trying to move things forward. Normally companies bring in interims to tackle a range of big problems, above the brief of consultants, so you can’t always expect to have the resources, tools or range of skills that you’ll need ready and waiting.
As an interim, it’s likely that one of your objectives will be to help develop enduring skills within the organisation. For example, at Northern Powergrid we have hired some of the UK’s first ever cyber security apprentices as part of an innovative government pilot scheme that aims to help protect the nation's critical national infrastructure from cyber threats and attacks. We have also been part of delivering an educational campaign to help our people be more cyber smart and able to identify potential phishing and SMiShing attacks.
You should also ensure that you retain and build on existing knowledge in the business, which may not have been utilised properly, and engage staff to support cyber security best practice every day.
How have UK businesses performed in terms of countering threats, compared to other countries?
The UK has taken a very strong lead in fighting against cyber threats. Over the past two years there’s been a significant change in how proactive the government has been. The establishment of the National Cyber Security Centre is a prime example of this commitment.
This changing attitude has greatly helped the industry, and I think leaves us in a better position than other countries. If you think of the recent attack, the UK performed relatively well compared to elsewhere. Companies can do so much more to be more resilient against threats, but those in the UK are in a good situation, at least in terms of awareness of the threat.
What are your predictions for cyber security over the next year?
We can expect to see more wide-scale attacks. Five years ago, malware tools were not as easily accessible, whereas now they can be easily and quickly ‘weaponised’ by adding ransomware or tools which gather and report sensitive information including passwords.
At the same time, new legislation has made boards sit up and react. Companies are scrambling ahead of the General Data Protection Regulation (GDPR), which comes into force next May, to ensure they can protect their operations from potentially huge fines.
It’s not easy to do this, and there is no simple cure – a lot of hard work is involved to segregate and classify data within internal systems and make sure the right stuff is being protected. It’s likely to become even more of a ‘salesman’s paradise’, with companies claiming they can easily fix these problems with their simplistic tools.
In practice, these challenges require a balanced review of how data is classified, handled, stored and disposed of across its lifetime. To do this, you need skilled and experienced people, so as not to waste resource and money.