Fail to plan, plan to fail
This episode explores the importance of planning for cyber attacks.
For many public sector organisations, it’s a question of when, not if, a cyber attack will take place.
In this episode we discuss the evolving landscape of cyber threats and what steps we can take to become more resilient to cyber risks.
Fail to plan, plan to fail transcript
Mike Fell, NHS England:
Hello and welcome back to the Cyber sessions hosted by me, Mike Fell, the Director of National Cyber for the NHS. Today, we're going to be scratching the itch, of the security itch of risk and resilience with the heading of ‘fail to plan, plan to fail’. So for many public sector organisations, the view is it's a question of when, not if, a cyber attack will take place. In this episode, we're going to discuss the evolving landscape of cyber threats and what steps are being taken to become more resilient to cyber risks.
Really pleased to be joined today by Joe Fogarty, an old friend from civil service days. So Joe, can you introduce yourself and tell us a little bit about your role?
Joe Fogarty, DWP Security and Data Protection:
Of course, Mike. Hi again. Hi, everybody. I'm Joe Fogarty and I head up the Cyber Resilience Centre at DWP and there's a few aspects to this role. So one is pure cyber security and that involves looking to make sure that we're delivering resilient public service to everybody in the UK who relies on this by looking after all of those systems that they themselves rely on.
I'm also responsible for personnel security for the department and my team also has a significant role in helping to prevent organised criminal fraud against the welfare system, so quite a varied role, Mike.
Mike Fell, NHS England:
Fantastic. And as we were chatting through preparing for this, I think you took umbrage at something from the opening line about the matter of it being ‘if not when’. So do you think it is a question of when, not if a cyber incident will take place?
Joe Fogarty, DWP Security and Data Protection:
Well, I think the issue there, Mike, is really one of mentality. And the way I would think about it is if you take the view that it's only a matter of time before you're going to be beaten or breached, do you actually make that more likely to happen?
So it may well be the case that any organisation suffers a successful attack at some point in time, but to my mind the mentality behind that is really important, so we don't take that view and the view we take is that OK, it's possible that someone might breach our defences. It's possible that anyone might have their defences breached. But if you take the attitude that says we're determined to make sure that this doesn't happen, I think that changes your approach to the subject, and I think to give a slightly different example.
The way I think about it is OK, let's imagine you're competing in the Olympics, and if you were waiting to start and your mentality was 'I'm going to get beaten', how likely is it that you're going to be successful and have you actually started to defeat yourself? So it's a bit of a philosophical point I think, but I think the mentality is really, really important because the more you can convince yourself that you can actually protect yourself against these, I think the more likely it is that you're going to succeed.
Mike Fell, NHS England:
It's a very powerful way of thinking about it, and in another of these sessions in conversation with Charlie from the UK Health Security Agency, we spoke about the toxic positivity sometimes required in this space, and I think you're using a different example there. A different approach for that same bit of really seeing it as something that we can get on top of which I think is required and I'd like to hear more of it. So when we talk about, you know, the Olympics and competition and that, we quite often get that oppositional and competitive kind of language within cybersecurity, and I'd like to turn now to a little bit of the threats that we are attempting to out compete. So from your experience in one of the largest central government departments, what do you see as the greatest cybersecurity threats and risks? And how do you go about identifying and prioritising those?
Joe Fogarty, DWP Security and Data Protection:
That's a great question and I think I might be slightly philosophical about this as well, but I'll start with a number of things that anyone working in a large organisation that's under threat might want to think about, and I don't think any of this will come as a surprise, so it's getting the best picture you can of your hostile opponents or likely hostile opponents in the first place. What their capabilities are. And everything else that goes along with that. And having a very good series of relationships, both in the public and the private sector, that can help illuminate that threat or that risk and also the ability to think towards the future. So a couple of things that I think are fairly obvious currently is OK, the AI now and the future and the rapidly developing future of AI and what that might mean, quantum computing is another example what that might mean for us. And all of that's very important.
But there's an additional way of looking at this problem I think, which is probably the philosophical bit, which is another mentality issue. And another way, an additional way to think about this problem is to say, whichever organisation we happen to be working for, one way to think about this is to say the biggest threat to us and the biggest risk to us, is us. And to pay a lot of attention to that, because wherever we happen to be working everything that we do is under our control. What our hostile opponents do is not fundamentally under our control. So one way to think about this is to say, OK, do we have any excuse for not understanding our own environment really well, to which the right answer, I think, is no.
If we have issues with whatever it happens to be, if we have an issue with our governance structure around this, should we do something about that very quickly? I think the answer to that should be yes. So that we can fix this problem. So even though we need to pay an awful lot of attention to what's going on in the outside world and what might be coming our way we ought to be operating on the basis that says there is no excuse for us not to be able to control everything it is that we're capable of controlling. And if we do that, I think we're going quite some way towards protecting ourselves against what may be unknown future threats coming towards us and will give us another mentality of protecting our own environment and protecting all the services we're delivering because we're thinking in our own heads, we can control this. We're not relying on what our opponents are doing.
Mike Fell, NHS England:
Yeah, I think that's a really powerful way of thinking about it and I'll kind of reflect certainly on that data-driven approach. I think the point you make there about our moral obligation and reality of understanding our own environments is really important. And I think data is a key part of that for a couple of reasons. I think you know you've already flagged the kind of opportunities of artificial intelligence and machine learning and clearly if we're going to avoid some of the risks of AI, such as the AI hallucinations and inaccurate datasets, we need the most accurate data to go into those machine learning models in the first place if we are to stand a chance of using them to the greatest purpose. And for regular listeners as well, you'll know that I'm a huge fan of the comparison with the airline industry and the crew resource management, black box thinking approach to that, and earlier today I was actually with the director of safety at one of the large UK airlines.
And it was just with envy that I looked at the level of data-driven information they had about safety from their approaches, their pilots, every decision that was made with every variable from the weather, from the altitude, from the different aspects of the performance of the aeroplanes and I think that's ultimately what you're saying, that that industry, it was for me another example where they really did have granular understanding not only of their systems, but of everything contributing to those risks, that's enabling them to really make it a safe operating system.
Joe Fogarty, DWP Security and Data Protection:
It's a great way to think about it, Mike, and I think for a subject like cybersecurity, this isn't 100% true, but I think it's largely true. A large part of cybersecurity is about data. About understanding data. Acquiring the right data and knowing what it means.
If you're working in a counter fraud environment anywhere, it's very similar. It's largely about the data, what you have, what you understand. If you're doing personnel security, a large part of that is the same. So the ability to acquire the right material, the ability to understand it and then act on it, A, I think is fundamental and B, it means you can add to your own overall capability.
By sharing that obviously lawfully and when it's necessary with different parts of the business, so they too can take advantage of all of this knowledge and in both our cases, this is ultimately to protect the people we're looking after, patients obviously in the NHS case and a significant part of the UK in ours.
Mike Fell, NHS England:
Yeah, and I think we've been almost kind of talking theoretically and philosophically in some of this, but you're right in bringing it back to the real individuals, that they're the heart of why you do your job and why I do mine. And what are the real cyber risks for those customers and staff? You know, it's not SQL injection attacks, it's not technical. How would you describe the reality of actual real cyber risks for those communities that you serve?
Joe Fogarty, DWP Security and Data Protection:
Yeah, if you're putting yourself in the position of being a member of the public, who is using or relying on these services, which is where we always want to be.
But from that perspective, there are 2 particular things that need to be avoided. One is disruption to that service that I, as a customer, really need to receive. That's fundamental, because there's an absolute reliance on these services for a significant number of people. So that drives your cybersecurity approach backwards from that to say this is what we need to do then.
To do our very best to make sure these are resilient. The other aspect for a customer of ours is to make sure that their data is being protected properly and effectively and it's not being abused. It's not opened up to fraud, and I think some of those considerations are very, very similar between our two services, which is patient care in your case, welfare and pensions in my case, but to a larger extent it's the same group of people. And I think the considerations are very similar for both.
Mike Fell, NHS England:
And I mean clearly a huge and diverse population that you serve and served by one of the largest organisations in government as well.
Against the competing realities that everybody has when they rock up to work, cyber inevitably is not number one that each staff member thinks of. So what do you think the level of awareness generally of cyber risk is in your organisation? Is it something that's kind of in the DNA? Is it something that people need to be aware of? How do you go about doing that?
Joe Fogarty, DWP Security and Data Protection:
Such a good question. My view is I think it's quite good and it depends whereabouts in the organisation you're talking. So, if you're engaging with someone who's owning at very senior level, that service delivery risk to the public, I think the understanding around the risk to that service delivery from cyber and a whole variety of other threats is very good I think.
And then if you're engaging with any number of and which is the majority of people who don't own that risk, there's a slightly different way of thinking about this as well to say, OK, if you come back to this fundamental purpose, this is why we're here, which is trying to make sure those services are resilient and looking after our customers in the UK. Well, that's everybody's job in the department. So you've got this shared interest irrespective of which part of the organisation you're working in. So one of the things that we try to do and this is a different part of the team, not my part of the team, but one of the things we try to do there is to frame this in those terms, is that these things are very, very important because this is all about good customer service delivery and looking after the interests of whoever it is we’re serving and that gives you that common vision and that common approach rather than an approach that says, you know, cyber and its own right is important.
Or data protection in its own right's important or counter fraud in its own right is important. They're all there for the same reason, and I think once you frame it that way, it's very much easier for people to pick this up very, very quickly. I'll say one other thing you know as well in terms of some of the education and awareness that people can do. So a lot of organisations concentrate on phishing, so protecting staff against emails that might contain malware or anything else that they contain.
And one of the advantages I think organisations can have from doing this is, this is something that any recipient can pick up and use and you can use it at home. You can use it to protect yourself at home. You can use it to protect your family at home. So there's an element of that that has utility beyond the simple message that you're sending about this, you know, particular environment we're working in and I think that can gather attention very quickly as well because it's really obvious that this is usable. This is usable in my own life as well as my working life. And I think that sort of message can be very powerful very quickly.
Mike Fell, NHS England:
Yeah, I think there's a huge amount of benefit in that approach of almost trying to make ourselves redundant as security professionals by pushing that cyber's a bogeyman, isn't it? It gets the headlines, people do it, it gets the IT, attracts the funding, the support, and it is seen as the worst case scenario. But I think actually what I think you're saying is we need to push it down and remind people that actually cyber is just a vector for affecting customer service or something that actually we care about at work, but it's just actually a protection of larger living in the modern society as well.
Joe Fogarty, DWP Security and Data Protection:
Yeah, I think you're absolutely spot on there, Mike, yeah.
Mike Fell, NHS England:
Yeah. Good. I'm going to change the topic a little bit here. I often say in my role the most important part is protecting the critical national infrastructure for which NHS England is responsible, which I shamelessly delegate to a very capable CISO, Mark Logsdon, but arguably the more interesting part of the role is that enabling the wider NHS to be cyber resilient. And it's interesting because it's complex and it's diverse and it's federated and I don't have the level of control that I have within my own organisation, and I know your role has similar challenges with the relationships and the data flows with local councils and a whole range of other organisations to do what you need to do. So can you talk to us a little bit about your approach to how you get a unified joined up response? We in the cyber strategy for health talk of a unified response in a disaggregated sector, and I'm just interested in how you go about doing that, particularly kind of in incident response, but more broadly as well within your different complex disaggregated sector.
Joe Fogarty, DWP Security and Data Protection:
Hmm, that's a great question, Mike, because I think there are some similarities between our organisational constructs here and some things that are different. So I think I'll start with a difference, I think, and then come on to areas that are similar. So when we're looking at this from a purely departmental perspective, that's monolithic. So we're a single entity, not federated internally. And so that has a number of advantages in terms of ease of whatever that's going to be, you know, ease of policy, ease of the sorts of controls you're going to put into whatever it is you need to defend.
A number of advantages there I think in that system. But I mean like every organisation we're part of a much broader ecosystem. So we will have relationships with local councils in the UK like everybody else. There's a very significant supply chain coming into the department, so there's a real need to have very close working relationships in all of those areas, and you're asking particularly about incident management.
So what we will do if there is an incident outside our specific domain, but which may have a connection to us. So for example, a local council might be a good example of that. We're of a scale, because we're a very large department,
where we can volunteer to provide assistance if required and if necessary, so we can share all the experiences that we have and the expertise that sits in the team with other parts of the sector. And I think that is really, really important because there's a concept going back to the government cybersecurity strategy, which was published a couple of years ago now. And that concept talks about defending as one across the whole of this system, because irrespective in the public sector of where we're working,
ultimately, we are looking after the interests of the same group of people who are the citizens and residents of the UK, and the more that we can share that experience around, the more that we can learn from each other, swap practice with each other, the better, because this is the thing collectively that's going to look after the whole of the UK interest and not just sectoral interests. So we put quite a lot of effort into developing those relationships and then keeping them.
Mike Fell, NHS England:
Yeah, I think, and I mean certainly from my experience in this, there are few other ways of doing it and that relationship part I think is the key to this. I think few would say that there is a technical way of doing this or a process way of doing it; it is ultimately a relationship based one for that trust, isn't it? And getting the same bits for that. And as we talk about trust, I think you and I have worked pretty closely for quite a number of years and to lighten the mood of the session you, the listeners, need to understand that you and I have always had a rather competitive nature to our relationship in the olden days, I think. You used to regularly tell me that 80,000 endpoints under your management was better than the 60,000 that I looked after and then I think I could come back with ...
Joe Fogarty, DWP Security and Data Protection:
With a bigger figure?
Mike Fell, NHS England:
With a larger amount of money. So I've not probed this one with you, so I'm genuinely interested. So there's about £150 billion of revenue that goes through the NHS annually to pay for things. First quick one is how does that compare to DWP's money flowing through?
Joe Fogarty, DWP Security and Data Protection:
That's another good question, so I'll say this obviously without sounding competitive at all, right, in terms of scale, but in the last financial year, I can't remember the exact figure, but it was upwards of £240 billion that went through those bank systems.
Mike Fell, NHS England:
Ah, gutted, that's what I get for throwing unscripted questions in there. But the reason that I raised that, and I'll park it and move on quickly given that yours is a bigger number than mine, is using it as a hook to talk about fraud. So with £150 billion, and this one I can definitely get a higher number of, 1.7 million staff and 80,000 suppliers, inevitably fraud is a consideration and the NHS has a dedicated counter fraud authority to handle that. I know you've got a different approach in DWP. So I just wanted to ask how much of a different problem is fraud from cyber? And talk to us about how you do it, because I know that you've run things essentially within your own team as well given the similarities of approach.
Joe Fogarty, DWP Security and Data Protection:
Yeah, that's a fundamental question, Mike. And I think if we ignore cyber and fraud just for a minute and just come right back to the basics about why we're here. So we had to provide a resilient service and look after all the people we should be looking after. OK, so that's what we do in a cyber security sense. And that's what we were doing when I came to lead the team. But we started to think fairly early on after I started that, OK, well, if I were running a team whose job was to counter organised fraud in this environment.
Naturally, I'm going to want to protect all of those payment services, and I'm also going to want to protect all of the people that we're working for, ultimately, all of the customers, their data, I don't want their data hijacked, stolen, used against them or used against the country. So the view we started to take is well, we do the same job.
As the counter fraud teams, because ultimately we're here for exactly the same reason, we just have slightly different disciplines and we've never thought before about bringing those disciplines together to see, well, if we share our knowledge, our expertise, about how we solve problems, can we improve how we do all of this? So it was an experimental idea and my way of thinking was we really ought to be able to help with this. We don't know that we can because we've never done it before, but we ought to be able to do it.
Using some of the skills and capabilities we have and then we blend them with what the fraud teams do, and that turned out to be true in practice and very significantly true. So there was an answer to a parliamentary question fairly early on during the pandemic. I think it was the end of 2020.
But there was talk about what had been happening during COVID. So since the lockdown in March that year and in that first 8 or 9 months of COVID, we were able to enable the prevention of just under £2 billion worth of organised attempts to defraud the welfare system. By thinking about this subject in a slightly different way, I'm bringing these capabilities together and what happened as a result was not just the fact that that's been prevented and that amount of money hasn't gone into the criminal economy and it's been denied to them with all the knock on consequences that would have had.
But there was some other benefits to that that I didn't anticipate when we first went down that route. And one of them is cybersecurity in its own right can be a bit daunting to people 'cause it can get very, very heavily technical, and it can put people off talking about it or really understanding it.
But fraud is a really, really easy concept to understand, and virtually everybody understands the concept of fraud. Well, one of the things that came out of this approach is that the approach that we take, the essential approach that we will take to countering fraud is exactly the same approach that we take on cybersecurity.
So as soon as you start articulating, OK, this is what we'll be doing in that fraud environment. Oh, and by the way, the approach we take is exactly the same on cyber for exactly the same ultimate purpose. It suddenly becomes a non-frightening subject to talk about and I didn't anticipate that happening when we first started, but it has made a real difference in enabling people to think, actually this isn't scary at all, is it? It's just another aspect of public service protection. And I wish I had anticipated that because I probably should have done.
But I didn't, and the other knock on consequence for us is, let's take private industry as an example. It's not uncommon for the cybersecurity part of those industries to be an absolutely necessary cost of doing business. And quite rightly so. But what's happened as a result of diverting some of this capability into countering fraud as well is you can turn this capability into a return on investment as well, which is quite unusual.
So it works really well. And it continues to work well and we're very glad now we went down this route and I think I'll say one last thing and I'll stop talking, but it comes back to this fundamental idea of answering the question, first, why are we here? Not what are we doing? And as soon as you answer the question of why you're here, you start to find all sorts of friends that you didn't realise that you had.
Mike Fell, NHS England:
Yeah, I mean, some great insight in that, some of which was new to me as well. As you say, it kind of makes your friends elsewhere and I think security can be seen as a cost centre and that's a really obvious example where it really is demonstrating the value and the benefits in ways that we sometimes do struggle to articulate when we silo ourselves and keep ourselves separate from other bits, and it leads on to the next question as well about future thinking and recognising we are where we are.
I think most organisations look back and can only deal with the cards that are in your hand at the time, and legacy technology design decisions that have been made, business processes and that are all part of the dynamic of the risk landscape that we all face.
But that shouldn't prevent us from looking forwards, and secure by design as a principle, both from Cabinet Office, NCSC and being kind of spearheaded by the Ministry of Defence, is seen as one of the ways of fixing this forward and turning off the tap of security issues that we've seen designed in in some cases. And I think your example there around fraud gives an opportunity where clearly systems can be designed to be fraud proof as much as possible by design, as well as secure. So with all the other challenges that you've got, not least adding on all the fraud work to your team, how do you go about making sure that we are prepared for future threats, and that new systems are secure by design?
Joe Fogarty, DWP Security and Data Protection:
So it's another really, really good question and part of this comes back to this thinking about OK, we control our own destiny here, we control or should do. And we control our own environment. And so there's a large degree to which we can control that future in terms of where we're going and what we're going to do about it. OK, so every organisation will have something, some bit of legacy, for example, that it's got well, we've just got those things.
And the issue there is to afford the best protection of those things while you're moving into whatever environment it is you're going to move into. And then it's a question of pooling all of that knowledge and that capability that we have across the public sector anyway about really, really good practice, whether that's coming from the National Cyber Security Centre or whether that's coming from the Chief Digital and Data Office, to say, OK, this is what we are going to do for the future. And there's a couple of things you need to do around that. It's not just to say, OK, we think we're doing fairly well. It's to be absolutely sure that not only are you having what you're doing assured and tested, but that you're also constantly learning lessons. So we are pretty meticulous now if we see something, for example, or there is an incident, that you are quite rigorously getting into this. Obviously you're stopping this thing from happening whenever you can. But then you're learning those lessons and then you're applying those lessons back into the system and then you're testing to see whether those lessons that were applied are actually working. And that's a constant; that's a bit like painting the Forth Bridge.
And there's an element also I think of even if we're in a position where we have a very good understanding of what that threat picture currently is and a very good understanding what it might be in the future, there's always a degree to which that no matter how good you might be there, you're not omnipresent.
And you're not going to be sitting inside the minds of your most hostile and capable opponents. And there are going to be elements of this threat that realistically, you're not going to uncover in advance, and it may well be that there are vulnerabilities that you have that even if you really understand your environment, you will not be aware of everything that might be vulnerable that isn't currently known in the public domain. So that lends itself coming back to this mentality, to say we need to have as much protection as we can around all of this and we need to make it very difficult for an opponent to beat this variety of defences that we have and you're trying to put yourself in a position there where you're doing your best to be able to cope with things that you just don't know about are coming your way. And that sounds like a bit of a nebulous concept, but I think it's really, really important because you don't then get inadvertently blinded by we think this is the threat because we know about it and we think this is the extension of the threat when it's almost certainly not.
Mike Fell, NHS England:
Yeah, I think that was very wise and a real example of not preparing for the last headline but, you know, anticipating the next one. And I know you've personally kind of been at the forefront of moving that mindset in some of the choice of wording that you use, not least with that of your team, and I think the community generally talks about cybersecurity; you've been speaking on branding your own team as cyber resilience for some time.
I think the dial is changing, not least with incidents such as the recent CrowdStrike Microsoft global IT outage, with organisations realising that it's not just cyber but resilience and that ability to bounce back and, yes, try and anticipate the potential issues and the potential threats and the potential ways vulnerabilities might be exposed. But also, as we would say in the cyber strategy for health, plan for exemplary response and recovery. And that's something that we touched on kind of as we spoke about this before as well.
In terms of disaster recovery and data repatriation and the ability to sustain operations over prolonged outages, what's the approach in DWP for that kind of disaster planning and looking at disaster recovery and getting large scale data back in the event that it should be needed?
Joe Fogarty, DWP Security and Data Protection:
That leads into another relationship question, I think, and another group of very good friends of ours are the resilience team, because a different way of looking at cybersecurity or a variety of other disciplines this is one part of the system that can make your public service delivery resilient. It's only one part of it. There are all sorts of other aspects of public service resilience. So we have a really, really close working relationship with the resilience team and we have entirely shared doctrine with them around incident management, incident response. What's then going to happen in a recovery phase, shared doctrine, shared training. Our teams can interoperate.
And the reason why we take that view is that, it's not just because it's really important to have those relationships, but if you can manage a certain type of incident, whatever it is. In my case, it would largely be cyber related. If you can manage a certain sort of incident, you can manage any sort of incident, because ultimately this is all about protecting people in the first place. Everything that we're doing.
So you bring that mentality into the way that we also think, so we'll have a very close symbiotic relationship between our teams. So if we see something, for example, that we need to respond to in an incident sense, we know we've got the resilience team already as part of this. And they themselves are anticipating the future about what would we do in resilience terms to keep our services running or to restore them very quickly in the event of this. And I think it's fundamental for people to have that sort of relationship now. We've been fortunate that we haven't needed to use any of this in my time here, and that's the position you want to stay in, because you never want to be in that position, but you want to be as ready for it as you possibly can be. So we drill with them, we exercise with them. Exercise with other parts of the department as well, so we can be as ready as we can be, and this comes back to this fundamental principle, I think, that we are in control of what we do, even if we're not in control of what everybody else is trying to do to us and to our customers. So it's really important that we continually do this and then we continually enhance it and then we learn from it.
Mike Fell, NHS England:
And I think you touched on an important point there for me about primacy and the fact that we as security professionals, certainly cyber professionals would hope that the catastrophic large scale incidents are many years apart and as a result, no matter how well we test them, truthfully, the muscle memory is rarely there and I think that partnership approach on resilience is a really important one indeed.
Joe Fogarty, DWP Security and Data Protection:
Yeah.
Mike Fell, NHS England:
Our Director of Resilience recently wrote out to all of the NHS trusts, setting out 7 key areas that must be exercised by every hospital trust, one of which being cyber. Even a couple of years ago, I think the approach would truthfully have been a single approach where we just went out and asked for cyber testing. So to see that alongside chemical, biological, radiological, nuclear testing and the other kind of causes of crises and outages that we prepare for in the sector, I think is preferable. And I think it sounds a similar approach that you're taking there of relying on those who do it more regularly. Excellent.
Joe Fogarty, DWP Security and Data Protection:
That's right. And it's really good to hear. And just one last thing on that subject, Mike, because I think, you know, in very, very recent memory for all of us, we've all been through COVID. And we've all been through that very significant national crisis, with real world experience of what you then need to do. Obviously NHS was at the forefront of all of this. We also had a role, a very significant role, departmentally in providing services to people who suddenly needed them very, very quickly, and what do you do to pivot? To help that problem. So there is some very recent learning there, and I think one of the things that's really important for us not to forget is all that incredible learning that happened during that period, so that we can apply the lessons from those, because we've got actual experience of doing it.
Mike Fell, NHS England:
Yeah, absolutely. You know, a lot easier to stretch an existing process, system, organisation than to start from scratch every time on it, and I know there's a lot of work going on to capture those bits, whether it be through the agility of getting new services into live, through all the way to more process based and commercial based bits. Cool. So obviously having a conversation with somebody as erudite and skilful as yourself immediately makes me think of talent, Joe, so I was wanting to give you the opportunity to say a little bit about talent in cyber and in your organisation and how it is that you go about making sure that we've got the right people with the right skills in the right places and supported in the right way to help us keep pace with the threats that we've talked about already.
Joe Fogarty, DWP Security and Data Protection:
Yeah, no problem. Yeah, love this subject and you and I have spoken about this a lot, haven't we over ...
Mike Fell, NHS England:
Certainly have.
Joe Fogarty, DWP Security and Data Protection:
A number of years now. I think there's a prevalent view when it comes to cybersecurity that there's a global skills shortage. There's a UK skills shortage. Now, if you're framing that in terms of ready-made, already experienced, already deployed skill, there's a large element of truth in that, but coming back to sort of behaving in a slightly philosophical way, one of the things we were thinking quite a while ago is what if we didn't believe that? And if we didn't believe that, how would we behave? And the view we took, this is now going back quite a number of years, is there is no shortage of talent. There is absolutely no shortage of talent.
There may be any number of posts or disciplines where there aren't people who are steeped in that experience, but talented people can learn this very quickly. So we and I know you share exactly the same view here. We are very significant users of the apprenticeship scheme and we have some brilliant people who join us. They give us a different perspective on life. They have ideas that we've never had before. Very keen, very bright, learn very quickly and get on very quickly because they're talented.
And we also have relationships with a couple of universities where we will take placement students, undergraduate students, where we have very low barriers to entry into the team. So you don't have to be steeped in whatever it is that we might do in cybersecurity. You need to be bright. You need to want to do it. You need to be good working in the team environment. And we've had some real success with that, and then another team in the security set up departmentally, not mine, but another one we work closely with, went a stage further and developed the idea of having a security academy for people who might want to change career, might want to start in the security profession for the first time, and the barriers to entry were to all intents and purposes zero: no prior security experience needed, no prior cyber experience needed. We were just looking for bright, talented people who wanted to be here, were motivated to be here, good working in team environments and good at solving problems, and we've had some astonishing success with that internally, and it's been so successful that that's now been turned into a joint venture with the Cabinet Office for a security academy for the government security profession. I'll do a quick plug on this because that advert is still live. And from what I've seen so far, there has been a tremendous response.
To people wanting to join the profession, I think that's really, really important that we are lowering the barriers to entry, demystifying this subject, and once talented people have joined, as long as you're large enough as an organisation or large as a collective, you can enable those talented people to develop very quickly. I'll say one last thing about talent and I'll stop talking. So that's it at entry level. But at the same time, we're going through a process of professionalisation of the government security profession as a whole. And then there's a different set of criteria and a different set of questions for those who are senior, very experienced, and we are moving towards a process quite quickly now for people to become accredited. So you can become a chartered security professional. So, if you like, a licence to operate, and that I think is such a good idea.
And what that means is the more senior, experienced part of that whole profession can set an example, can start to take the lead, and you can also show new people coming into the profession, with very low barriers to entry for them, that there is a route here for you. You can stay, you can move around the profession, you can develop, we'll help you to develop. So I think in terms of my own optimism about the future of that profession, I'm very optimistic about this now, because the scale of the challenge for us all is huge. The opportunities are huge and the number of talented people we've got in the UK is incredible. So I'm really optimistic about the future.
Mike Fell, NHS England:
So much to break down on that, that we're not going to have time today, but I once heard somebody talk about the security profession as: imagine a world in which you tried to be an accountant without there being any maths or accounting rules. That's what security sometimes feels like. And I think you're right that bottom up and top down, through chartered status, through affiliation with the professional bodies such as the Chartered Institute of Information Security Professionals at the top side, providing that consistency. And then bottom up in using those repeatable models of apprentices, and couldn't agree more about low barriers to entry and there being a space for everybody with different skills. And I don't just say that as a former geographer that would have had a heart attack if anybody had told me 20 years ago that I'd be working in IT. I think those are the right routes through to it. And credit to yourselves for really prioritising that and making the space for those people to thrive. It broke my heart recently when I heard a statistic that apparently in the UK last year there were less than 100 people put through the formal cyber apprentice qualifications across industry and government.
So many opportunities for those and we're always overwhelmed with really, really strong, credible applications when we do it. I think there has to be more space in every organisation to make the time and space to develop these people through those routes.
Joe Fogarty, DWP Security and Data Protection:
Yeah, I agree. I'll make one last plug, and that plug relates to the UK Cybersecurity Council, which is unique currently globally, having a royal charter to develop that whole cybersecurity profession for the whole of the UK public and private sector. I think they're doing some tremendous work there. We have a very close working relationship with them, not surprisingly, and that's something else that's providing the wherewithal, then, for people who are entering the profession then to be able to develop, be given the opportunities to develop and get the accreditation that demonstrates you are able to deploy this talent that you've got and you've been accredited by your peers. I think it's a great idea.
Mike Fell, NHS England:
Yeah, absolutely. And I think turning it around from a customer perspective for those that we are providing security advice and incident response to, I think to provide a consistency of language, kind of expectations, is really key as well, as there can be nothing more frustrating than going to 5 different security professionals and getting 7 different answers for the same thing, which I think is a route through.
So great stuff. Right, let's wrap things up with some futurising. So you're a lucky man and regularly tell me how supportive your board are in gifting you and your team exactly the tools that you wish for. I'll say that with a straight face.
Joe Fogarty, DWP Security and Data Protection:
Yeah, did you? That's very good of you, yeah.
Mike Fell, NHS England:
Yeah, but the supply chain continues to be a challenge, I know, despite your best wishes, and it's an example of things where it's not necessarily in as close control as things in our own organisation. So if we think about supply chain 5 years hence, what would you be wishing for to make that supply chain more secure and to bring it back to the conversation at the start of really making sure that it was a question of if, not when, for the next supply chain compromise?
Joe Fogarty, DWP Security and Data Protection:
Yeah, awesome question. You've saved a big future looking question to last there, Mike, haven't you? OK, so looking towards the future. OK, we'll start with, let's assume there's a certainty, OK. People are going to have supply chains as a certainty into the future. But irrespective of which large organisation you're working for, there are some things that are happening already that I think are very good in terms of a much greater focus now on assurance of the supply chain for everybody than there has been. I think that's a very good development, and we have departmentally our own supply chain assurance team. There's a separate question to me also; this comes back to relationship building and this concept of defending as one, or lots of people defending at the same time.
A significant part of the supply chain for a number of people is not necessarily identical, but there is a very significant overlap in the supply chains for all sorts of organisations, so there are 2 ways of looking to the future. One is to say, OK, well, let's think about this parochially then.
And organisation A can do all sorts of work about trying to assure its unique supply chain. And organisation B can go and do whatever organisation B likes, but it's got the same supply chain or a very similar one, so there's a real opportunity for us to be thinking, in whatever sector you happen to be working, thinking about this on a sectoral basis, more so than simply thinking about it on a single organisational basis. So if I put myself in the position, let's say, of being a supplier into whoever it is, it's going to inhibit probably my ability to be as secure as I might be if I've got any number of people from the same sector, whatever sector that is, industry or any other sector, coming to talk to me about exactly the same subject.
So there is a real opportunity here, I think to pool some of those relationships and to take a slightly more holistic view than has happened previously about the whole of the supply chain issue because it's a very big issue and it's not one that's going to go away.
Mike Fell, NHS England:
Couldn't have said it better myself, and I think that approach of do it once, you know, whether you use the defend as one, or other language around it. I mean, it's got to be in everybody's interest for getting the finite resources that we've got most effectively deployed. Great. Well, Joe, I just wanted to say a huge thank you for really insightful commentary and insight into the organisation that you support. And as ever, I'll close up by saying a huge thank you to the listeners. Thank you for dialling in and listening into the cyber sessions and look out for our next podcast.
Joe Fogarty, DWP Security and Data Protection:
Pleasure to talk to you, Mike, and thanks everybody. Pleasure as always and all the best.
Guest and host
Joe Fogarty, Head of the Cyber Resilience Centre and Personnel Security, Department for Work and Pensions
Joe has been Head of the Cyber Resilience Centre since 2016, with extensive security experience in UK national security and law enforcement roles. He was the first Head of Operations of the National Technical Assistance Centre, now part of GCHQ. He is a Chartered Security Professional and serves on the UK Cyber Security Council Ethics Committee.
Mike Fell, Director of National Cyber Operations, NHS England
Mike is responsible for the security of NHS England’s data and systems, as well as leading work to enable the resilience of the whole health and social care system in defending and responding to cyber-attacks.
Last edited: 2 January 2025 11:45 am