What are the biggest changes you’ve witnessed in cyber security during your time at SBRC?
General cyber security awareness is a lot higher now than it used to be, and that’s due to a combination of factors. Overall, businesses are much more attuned to cyber resilience as a whole and, generally, they have a better strategic approach to the long-term sustainable cyber resilience of their organisation.
Policing is in a much stronger place in terms of its ability to understand a firm’s needs in this area. The arrival of the National Cyber Security Centre (NCSC) has been a very significant step forward and we’re really seeing its activity hit home now. GDPR has also been a positive driver for change.
What have been the highlights of your time at the organisation?
There have been so many it’s hard to narrow it down to just a few, but setting up Curious Frank is among my top highlights and proudest achievements. Curious Frank is a subdivision of SBRC and it helps businesses improve their cyber security through ethical hacking. The overall goal of the organisation is to improve the cyber landscape and, over the past six years, it has done just that.
I’m very ambitious for Scotland’s cyber reputation and we have a long history of innovation but, on the global cyber stage, we’ve kept our light under a bit of a bushel. I would love to see Scotland taking itself much more seriously in terms of its own reputation for cyber security. Curious Frank has helped to do that.
The organisation’s success has highlighted Scotland as a cyber model and we’re looking at ways it can become more of a national franchise model. In addition, Curious Frank has served as a key stepping stone to some of Scotland’s young cyber talent. A number of our interns, whom we have recruited from university, have gone on to enjoy amazing international cyber careers.
I’m also very proud of helping to establish SBRC as a trusted organisation, and of the relationship I have helped to create and shape with Police Scotland. Police Scotland has treated me as one of their own and we have worked together on a number of projects that are helping to keep Scottish businesses safe.
Looking to the future, what cyber threats do you see on the horizon and how might organisations mitigate them?
People will continue to be both the most common threat and biggest opportunity in terms of cybersecurity. I’ve had some really interesting conversations recently with diverse partners, from police to psychologists, around what might make behaviours change. We still see people falling for the same old scams, such as phishing, which often results in people wrongly transferring cash to criminals. We’re very trusting as a nation, which I think is great, but the reality is that we need to wise up to these tactics.
As the world’s appetite for innovation grows, so does the skills gap and, again, therein lies the opportunity for malicious activity. By addressing the digital skills gap and raising cyber security awareness we can address those threats. On top of that, we need fresh innovation in cyber policing and to take more of a partner approach to cyber threats.
I think inclusion will be key to building on our ambition to make Scotland a global cyber security player and to defending against threats. Scotland can really stand apart and be at the front of that ambition if it just harnesses all that is already happening and makes some decent noise!
I would encourage companies to take cyber resilience advice from trusted organisations and to embrace young talent. To stay ahead of the threat and to take back control of the crown jewels within their business, they need to be ambitious in their approach to cyber resilience. My advice to any firm is “figure out what it is you need to know in order to achieve this and, if you aren’t sure, ask a trusted source”.
What more do you think needs to be done to ensure Scotland’s cyber security sector continues to progress?
We have so much indigenous talent here but, yet again, we keep our successes low key on this. Gaming has well and truly landed its reputation, as has cyber to some extent, but there are big employee numbers needed in software, new business, applications and immersive skills.
If Scotland can really develop this reputation for providing all this, then more and more companies will come to Scotland and investment potential will really fly. The great work done by Ian Blewett and the team at Scottish Enterprise and Scottish Development International is key to driving this goal forward, as is the work of SBRC’s close partners ScotlandIS.
You’re now moving on to set up Business Resilience International Management (BRIM), a new company that looks to create business resilience and cyber centres globally. What has prompted that move?
BRIM has been in the works for a while now. The demand for SBRC’s models from other cities, police forces and other countries has increased significantly. Therefore, more and more of my time was being called away elsewhere. SBRC is worthy of really strong leadership and full-time directorial overview, so now is the right time to move.
I’ll continue to be very active in the cyber world but it won’t only be in Scotland now. I’m delighted to be able to continue working, especially with the SBRC team and some of our Board, on aspects of this and, of course, the link between me and SBRC will always be a strong one as indeed I hope is the link with policing.
Plus, I see so many people who don’t know when it’s time to go. I have other matters waiting now and, as a friend keeps reminding me, I need to carve out time to go and paint, which is my other great passion and where I have not had enough time in the last few years. So that is definitely on the agenda.
Part of being a leader is knowing when it is someone else’s time. A kite won’t fly unless you know when to let go. Now is the time to take up the next flag.
Could you tell us more about BRIM, and what your role at the organisation will involve?
I’ll be running BRIM, which is a consultancy enhancing some of the models I developed while at SBRC, and working closely with the cyber team especially, on several large projects like the cyber models for policing in other areas. Already interest has begun to appear from overseas and I would love to develop the Scottish model even more and to really fly a flag for Scotland.
I’m looking forward to working with a number of partners, including some of the SBRC Board. I have especially enjoyed the challenge of bringing private and public sector together. Already this week another two people have contacted me to see if BRIM could help with solutions, and I’ll relish trying to help with dilemmas, recommend alternative solutions and, wherever it helps, doing a bit of fixing.
So BRIM is very much open for business, which is really exciting, and I hope that others will remember us if there’s something I can help with.