Enterprise risk management strategy: A planning guide for CIOs
The job of Pauline Neville-Jones, special representative to business on cybersecurity, is to ensure that U.K. government agencies and private companies work together to counter cyberattacks and protect their nation's critical infrastructure. In part one of this video interview filmed at the Information Systems Security Association conference in Nashville, Tenn., Neville-Jones talked with SearchCIO's Christina Torode about the vulnerability of corporate supply chains to cyberattacks. Here Neville-Jones discusses the particular difficulties the U.S. government system faces in raising cybersecurity awareness and why the best place to start may be at the state level. Here are excerpts from their discussion.
If you were to make a recommendation to the U.S. government on how to get started on something like this, what would it be?
Pauline Neville-Jones: We have a fairly centralized government [in the U.K.] and a fairly tight economy. I would say we have the advantage of smaller scale and a [unitary state], whereas … you're much bigger geographically, population-wise and you're federal. That complicates things.
Also, if I dare say this, your government at the federal level is more stovepiped than the U.K. government …. I think presidential lead[ership] is very important in the U.S., and actually getting the [National Security Agency], [Department of Homeland Security] and other departments … really going together hand-in-hand -- I think that's quite key for the U.S.
One of the questions I don't know the answer to, but I do ask myself, is whether the U.S. can handle this at the federal level. I doubt it. It seems to me that, actually, the state level is very important. The state governments, I think, can do quite a lot actually to galvanize cybersecurity awareness. They may not put a lot of money into it, but actually, it's the power of the pulpit. State governments do also procure. They can use the power of procurement actually to increase the level of security and increase awareness for the need of security. They can do a great deal, I think, on the infrastructure front, cooperating with federal. This is an area, I think, where state and federal do need, in a sense, to be working to a common plan.
And for corporations, where would be a good place to start with cybersecurity awareness? Let's say they don't have any government support at the moment -- what can they do?
Neville-Jones: Most companies have some link with a federation somewhere. There is a trade federation that most companies actively belong to or is available to them. I think this is one of those areas where the trade federations can and should … help their members. They should help their members understand, but actually, their members also do need to understand this issue and be active on it. I think that's one way the corporate sector can help itself.
In the U.K., you can start right at the top with the Federation of British Industry and the Institute of Directors. There are a number of vertical organizations that actually push this [cybersecurity awareness] message down inside the private sector, and that is beginning to happen. I think otherwise, it is the whole question of just getting the message out, doing the sort of thing I do, in fact, which is a little bit preach the gospel, understand the issues, and also translate back to government where corporates find they've got problems: 'How do I do this?'
I find there are quite a lot of companies that are quite willing to take action if they knew exactly what it was that they should be doing. That's where guidance is helpful, and that's where, again, government can help in a general sense. I think in the end, it boils down to the federations of the private sector also helping their members with technical advice and solutions.
Then the other thing, which in a sense is where we're trying to go in the U.K., is to get a lead person at the top end in some of the bigger industrial sectors, which helps cascade down through the supply chain. I think company directors and CEOs have to be aware these days of public policy issues. There is no escape. You do have to do health and safety -- there are mandatory compliance issues -- well apart from having to pay your tax. I think there's no way of getting away from the fact that the safety and security of your data is something for which you should have a strong sense of responsibility. If you fail to do so, your business may fail. It's very, very simple.