Cyber-Insiders-v9-spreads - Flipbook - Page 8
One challenge is how the
customer base is structured. In
other sectors, customers can
choose their providers, whether
it’s a bank, investment firm,
or insurance company. But in
the water industry, customers
don’t have a choice. That has
implications for how the regulator
works. In financial services, it
was the FCA. Here, it’s Ofwat,
the Drinking Water Inspectorate
(DWI), and Defra. The regulatory
landscape is quite different
because we’re a monopoly, so the
regulator ensures customers are
protected, particularly when it
comes to pricing.
Another significant difference is
competition, or the lack thereof.
In my previous roles, if we wanted
to bring in a third party, we’d issue
RFIs or RFPs and select the best
fit. In the water industry, we have
to follow strict frameworks, and
sometimes the work has to be
opened to the entire market,
which impacts how quickly we
can implement parts of our cyber
strategy. Planning a cyber strategy
here requires careful consideration
of the commercial pipeline
and timelines.
Finally, working in a company
with a trade union is new to me.
It affects recruitment, pay grades,
and performance objectives in
ways I hadn’t encountered before.
It’s been an eye-opener to say
the least.”
Given the complexities of
working in such a regulated
industry, how have you
approached driving security
strategy and fostering the
culture you want to create
within your team?
“I think there’s a lot to unpack
here. Driving strategy and
creating the right culture within
an organisation, while they’re
slightly different, are closely
connected. When you join an
organisation, the first step is to
take the time to understand the
existing culture. You need to get
a feel for it to determine what,
if anything, needs changing.
So far, my experience at Thames
Water has been very positive.
The culture is proactive; people
genuinely want to do the right
thing and are passionate about
the organisation’s values and the
service they provide. From that
perspective, there’s already a
strong, positive culture in place.
When it comes to driving our
cybersecurity strategy, I’m
fortunate because it’s currently a
key focus at Thames Water. There
are 21 major initiatives underway,
and cybersecurity is both a central
part of those and a standalone
initiative. The executive committee
and the board are fully behind
having a strong cybersecurity
strategy, which is great to see.
However, having support doesn’t
always mean everything is
smooth sailing. As is often the
case, everyone agrees that the
cybersecurity initiatives are
important, but actually getting
to the deployment stage can
be challenging. The ‘yes, yes,
yes’ doesn’t always translate to
immediate action.
For me, instilling a strong cyber
culture is crucial. It’s not just
about getting executive approval
for the strategy but ensuring
that everyone in the organisation
understands their role in executing it.
A successful cybersecurity strategy
relies on people; it’s not just about
technology or processes. Do people
understand their responsibility
to protect the information they
handle? In many cases, they
might not, depending on the
organisation’s maturity level.
This is where education and
awareness come in. You need
programmes to teach people
their role in security, but you also
need the right technologies in
place to help them do the right
thing. There’s always that balance
between trusting people to follow
the rules and implementing
technologies to prevent mistakes
or breaches.”
What’s your advice for
bridging the gap between
translating technical
conversations into business
language, ensuring
there’s understanding and
alignment?
“This is probably the hardest
question to answer. I can’t say I
have a perfect formula for it as it
depends on the organisation and
the level of interest and expertise
the executive committee has
regarding cybersecurity.
First, it’s essential to establish a
regular communication cadence,
or as regular as the executive’s
appetite for cybersecurity
discussions allows. It’s also crucial
to understand your audience,
which ties back to stakeholder
management. If you are addressing
the executive committee, get
to know their backgrounds and
careers. This will help you gauge
their experience with cybersecurity.
It’s helpful to ask upfront, ‘What
do you want to hear from me? Do
you want to hear from me at all? If
so, on what topics, individually or
collectively?’
Risk management is a key
area that executives typically
understand well, as it’s
fundamental to running a business.
Framing cybersecurity in terms of
risk helps get your point across.
Instead of diving into technical
details, focus on the risks and the
potential impacts of not taking
action. This tends to resonate well.
KPIs and dashboards are often
requested as a way to measure
the progress and success of your
cybersecurity strategy.