Cyber News Global: Issue 7

Contents

Protecting Operational Technology
Cyber Awareness Training Guinness World Record
How to Succeed in Cyber Security Public Relations
Who is SCOTLANDIS?
Showcasing Women Leading Cyber in Scotland
Overcoming Recruitment Barriers in Cyber Security
Trust, Cyber & Resilience: How does it work
Knock your Cyber Training out of the Park
Five Steps to Improving your Cyber Security Awareness Program

Dear Reader,

Welcome to Cyber News Global. This informative publication has been brought to you exclusively by Cyber News Global Limited. The focus of the editorial team is to bring together the leading Industry subject matter experts to provide insights into the ever-changing world of Cyber Tech, Human Capability, issues of focus and Cyber leaders of today and the future.

CNG has focused on building collaborative relationships to be present at many of the world’s leading Cyber events, and in so doing bridging the gap for our readers and partners to share their news and views with a global audience.

One such collaboration is with ScotlandIS, the leading membership body for Cyber Security companies in Scotland. Their commitment to the cyber community goes above and beyond what any other group attempts and we are delighted to be working closely with them here in Scotland and overseas. This edition of CNG has a major focus on all the amazing people, companies and organisations that are driving Cyber forward in Scotland. Cyber Scotland Week is just one example of the amazing work ScotlandIS are undertaking for their members. CNG are delighted to be working with them at the Third Sector Cyber Resilience event in Edinburgh and their wider membership. This is just the start of collaboration for CNG and ScotlandIS in 2024.

So please read, review and share our content with your partners and colleagues. CNG Media team will be on the ground providing exclusive insights and interviews that will be shared on CNG TV.

Finally, CNG are delighted to welcome Claire Melville and Consilio Events onboard as our exclusive event management partner. Claire will cut her teeth with the entire event management of the Scottish OT Cyber Summit on the 30th May in Aberdeen. We are delighted with the vast capability Claire brings to event management, with over ten years of expertise driving many of the major cyber events hosted by the Scottish Government in Central Scotland. Claire, welcome on board.

Have an inspiring day and read on!



PROTECTING OPERATIONAL TECHNOLOGY – AN INDUSTRY VIEW

Martin Smith, MD of CyberPrism, looks at the issues facing industry in securing its OT.

There is a growing perception that Operational Technology is the next big focus area for cyber security. Certainly, the incidence of attacks seems to be increasing, although reporting is still low. Moreover, world events such as the war in Ukraine and its associated energy conflict have concentrated minds on industrial security as the global situation becomes less stable, and the boundary between state intervention and criminality becomes increasingly blurred. The huge potential for ransom, extortion and economic disruption now seems clearer than ever.

The Energy Sector in particular looks like a great target, but it is the indiscriminate nature of many forms of malware which is perhaps most worrying: there is no need to be targeted in order to become a victim and many successful attacks can be seen as a form of collateral damage which was never envisaged by the initiator. These forms of malware can be seen as hybrids of weapons and contagions – analogous to biological warfare in some ways. Add OT security’s implications for safety and the environment, and it is easy to see why it is attracting attention.

But what are companies doing about this? What are we seeing as industry, and the Energy Sector in particular, tries to adapt to a changing threat landscape?

Firstly, we need to understand that we are dealing with commercial entities here. Companies exist to create value and sit within complex ecosystems, with multiple threats and a host of conflicting drivers. Government entities are subject to many of the same pressures. Quantifying the risk and consequences of attack, and the benefits of security investment in terms of value and ROI, is difficult. Perhaps the most obvious driver is the operational cost inherent in increased ‘downtime’ due to cyber attack; but many industries are still on the road to truly data-driven operations, may be subject to other factors such as weather in offshore operations, and significant downtime is often seen as a fact of life. Reputation, and the consequences for share price, would be another significant driver, but it is really where this starts to overlap with some form of licence to operate, backed by Government regulation and enforcement, that we are seeing most traction for what can otherwise seem like an intangible issue.

Add in safety and the environment, for instance in the Health and Safety Executive’s enforcement of the Network and Information Systems Regulation in the UK Energy Sector, and we move to a much more tangible imperative.

So, given increasingly effective industry drivers, what are the issues? We tend to see cybersecurity as a technical activity, but the first issue we encounter in most situations is governance. Put simply, who is responsible for OT security? It may be that the IT Department has ended up with the lead – either explicitly or by association. Alternatively, the integrator or OEM might be assumed to have this role, or perhaps it is Operations or Engineering. Sometimes different elements have responsibility for different OT networks at a single site – a difficult situation for the Duty Holder to manage, especially where the supply chain introduces extra vulnerabilities. Either way, we would suggest that clarity of roles and responsibilities – and associated resourcing – is a necessary precursor to technical intervention.

On the technical level, from what we see, it is fair to say that there is a lot of work to do.


The issues set out above, along with the prevalence of aging equipment connected in ways that weren’t originally intended, and not fully patched or patchable, have left us with a matrix of vulnerabilities: essentially a large and complex attack surface. Key issues would be asset and vulnerability discovery, network visibility and alerting, network segregation and event response – but there are several others, all underpinned by personnel awareness and training, and with an underlying issue to do with insecure network architectures. Having scoped the problem, we seem to have encountered a bow wave of work which runs the risk of pushing OT security from the ‘not understood’ pile to the ‘too difficult’ pile.

How to move forward against this difficult backdrop? Well, wicked problems must be addressed by teams, not individuals. In this case, the team must include operators, license holders, cyber security companies, integrators and the supply chain – to name but a few. Our military background tells us that the most important element in any team is trust, so that is where we must start. Building trust won’t be easy in an attractive industry with many new entrants at various levels of competence, but it is essential if we are to make progress against increasing threats.

However, even given the right relationships, Industry doesn’t have enough qualified people and simply increasing the training pipeline won’t generate the right level of experience. This is where technology has to come in. Processes such as asset discovery, segregation, alert response, compliance tracking and training need to be increasingly automated: not taking the humans out of the loop, but putting them in control. Trust will be a factor again here – interventions in OT networks must be safe and there is too much loose talk of AI. Legacy systems will need particular attention, especially those that can no longer be patched effectively.
This is where we come in as a Security as a Service (SECaaS) provider for OT, fusing deep


integrating technology and services into existing infrastructure more cost-effectively than most clients could achieve on their own, to increase asset availability and regulatory compliance, and to leverage trusted data to support the fine-tuning of operations and improved decision-making.

Industry may be somewhat behind the power curve, but with the right industry drivers, improved governance, trusted teams and the right technology we stand a good chance of turning this around – not without some investment, of course. OT security can be made feasible and cost effective, but it will require considerable collective will to regain the initiative. The good news is that some companies are grasping the nettle in exactly this way: they are the leaders who will show industry the way ahead. Regulatory compliance may be the key driver for OT security at the moment, but we look to the time when it will be overtaken by a desire for real security and the competitive advantage which process optimisation and protection can bring.




Editorial: lucy@lucyharveyprcomms.co.uk
Design: media@cybernewsglobal.com
Advertising: marketing@cybernewsglobal.com
Events & Partnerships: claire@consilioevents.co.uk

Disclaimer: The views and opinions published within editorials and advertisements in Cyber News Global are not those of our editor or company. Whilst we have made every effort to ensure the legitimacy of the content, Cyber News Global cannot accept any responsibility for errors and mistakes.


First Official Guinness World Record FOR A CYBER AWARENESS ONLINE COURSE DELIVERED BY UK COMPANY OSP CYBER ACADEMY

On behalf of the Kingdom of Bahrain, Scotland’s OSP Cyber Academy and the Arab International Cyber Security Conference & Exhibition (AICS) unite to achieve a cyber Guinness World Record – 1550 complete Internet Safety lesson in 24 hours.

OSP Cyber Academy and the AICS announce they have set a new Guinness World Record for the ‘Most People to Take an Online Internet Cyber Safety Lesson in 24 hours’. The record was set during the AICS in Bahrain, where 1550 people from 44 countries completed the lesson in 24 hours, turning the day into the world’s largest cybersecurity training event.

AICS is Bahrain’s largest cyber security conference, bringing together government regulators, industry professionals, and solution providers to discuss and develop plans to secure their cyber and IT infrastructure. The event took place on 5th & 6th December and had a space dedicated to the Guinness World Record attempt, which was opened by Shaikh Salman bin Mohammed bin Abdulla Al Khalifa, CEO, National Cybersecurity Centre, Bahrain.

Shaikh Salman bin Mohammed bin Abdulla Al Khalifa CEO, National Cybersecurity Centre, Bahrain

“We are absolutely thrilled to have achieved a place in the prestigious Guinness World Records. Our achievement has helped educate 1550 people on internet safety, arming them with the knowledge and skills to spot malicious activity online. Digital is the backbone of every industry worldwide, but criminals see this as an opportunity to launch cyberattacks and harm people. Only through education and awareness can we deter these threat actors.”


From Left to Right: Shaikh Salman bin Mohammed bin Abdulla Al Khalifa, CEO, National Cybersecurity Centre, Bahrain; Amal Almurbati, Managing Director, Faalyat WLL; Thomas McCarthy, Irene Coyle, Blair Wallace, OSP Cyber Academy

The Internet Safety lesson was created by OSP Cyber Academy, one of Scotland’s leading providers of cybersecurity training.

The lesson provided participants with valuable insight into the techniques cybercriminals use to exploit internet users and organisations, as well as providing advice on how to recognise scams and protect against them.

“Cybercrime affects everyone today. It’s not just an issue for businesses, if you are on the internet, then you are a target. By achieving this Guinness World Record we have helped to educate more internet users on online safety – but in the most fun and imaginative way possible. We need to do more of these engaging tournaments to get more people thinking about their safety online. I am delighted that we have managed to achieve this Guinness World Record. We only needed to train 500 individuals to achieve the title, but we tripled our target. What a success,” said Thomas McCarthy, CEO of OSP Cyber Academy.

Shaikh Salman assessing the progress of the live Guinness World Record Attempt

The World Record attempt began at 11.12am (AST) on Tuesday 5th December 2023. Evidence was shown to GWR Adjudicator Pravin Patel and Expert Independent Witness Isabelle Meyer that the leaderboard was wiped clean of any test users right before the attempt began. The course was then freely accessible for anyone from anywhere in the world for exactly 24 hours.


The World Record attempt ended at precisely 11.12am (AST) on Wednesday 6th December 2023 and in the presence of Pravin and Isabelle, the leaderboard presented the current total course completions: 1,550.


A few ‘completed’ users were selected at random to prove authenticity of the result. It was found that these users in fact spent more than one hour on the course, re-attempting knowledge checks and demonstrating a clear path of real-time eLearning. This was a key requirement for this Guinness World Record Attempt, and reflected the success of awareness training.

In support of the global effort to improve Cyber Awareness, OSP continued to welcome users onto the platform after the 24 hour period. Course access remained open to be accessed freely worldwide for the entirety of the conference. A further 552 people completed the course, even after the official record attempt was over. This not only reinforces the success of the Guinness World Record Attempt, but shows that people are keen to learn, and that they understand the importance of good cyber awareness.

OFFICIAL GUINNESS WORLD RECORD: 1550
TOTAL COURSE COMPLETIONS: 2102
TOTAL COUNTRIES PARTICIPATED: 44


HOW TO SUCCEED IN CYBER SECURITY PUBLIC RELATIONS

Lucy Harvey

This month Cyber News Global had the pleasure of speaking to cyber security PR expert, Lucy Harvey, the director of Scotland-based Lucy Harvey PR & Communications. So, what were Lucy’s top recommendations to help organisations succeed in cyber-PR?

Public Relations (PR) is critical for any cyber security business wanting to improve its brand awareness and reach new audiences. But the biggest hurdles are often knowing where to begin to guarantee the program is a success.

CNG: So, Lucy can you tell us a little bit about yourself and your background?

Lucy Harvey: I’ve been working in cyber-PR for over 15 years and during this time I’ve worked with some of the biggest brands in the industry. From Silicon Valley powerhouses to Israeli innovators, I’ve worked with hundreds of cyber companies, often helping them transition from small startups into industry leaders.

In the fifteen years I’ve worked in cyber security I’ve witnessed massive changes. When I first started out, the industry was called IT security and only a few very niche journalists covered the topic, but today cyber dominates the media, and the world. It’s an exciting and constantly evolving space to work in. That’s why I love it.

Two years ago, I founded my own cyber-PR business based in Edinburgh, and I’ve been supporting companies in Scotland improve their brand awareness through media relations. Prior to this, I spent nine years at Eskenzi PR, the longest standing cyber-PR business in the world.

CNG: Can you provide background on what cyber security PR is and how it supports an organisation’s overall business growth strategy?

Lucy Harvey: PR is an image builder; it supports brand awareness and helps organisations reach their target audiences. It often falls under marketing, but it isn’t a sales tool. While marketing is directly linked to driving sales, PR is all about creating a positive image and improving brand awareness, with the ultimate goal of helping a business grow in its target markets. If an organisation wanted to work with healthcare organisations, they could run a PR campaign on publications in the sector, where it sends out news releases, articles or research with the aim of securing coverage and promoting its key messaging. This means when the company walks into a pitch meeting with a healthcare organisation, their prospect will likely have read about them in the news, which will give them confidence in the brand. Organisations and consumers are far more likely to buy from a brand they know, whether it’s a can of Coca-Cola or a SIEM tool, so that’s really where PR fits into the overall business growth strategy.

CNG: What does an organisation need to do before kicking off a PR program?

Lucy Harvey: Preparation is very important before starting off in PR as it allows an organisation to set goals and tailor their efforts. First, plan out what the objective of PR is. Is it to launch a new product? Is it purely for overall brand awareness? Or, is there a specific market an organisation wants to reach? Once this has been decided, it’s good to build out a content plan which outlines key distributions to media. It’s also important to make sure spokespeople are assigned and media trained, so organisations can be ready to respond to media requests as they start coming in.

CNG: What kind of content is particularly good in PR? What would you recommend companies focus on?

Lucy Harvey: In PR content is king. Organisations want to produce good quality, informative, content that will be of interest to media and its readers. In cyber security we are never short of stories around breaches or government actions to tackle cybercrime, and media always like to hear quotes from experts in relation to these.

Getting these thought-leadership comments out to media is a great way to generate coverage in quality publications.

Thought-leadership articles on key industries issues are great material for PR. So is research into industry trends and comments on breaking news.

Press releases are also a good tool around products or company announcements, but organisations must use these to talk about benefits rather than features. Always remember, in product press releases, features tell, but benefits sell.

CNG: Now that an organisation is prepared, how quickly will they see results?

Lucy Harvey: If you create good quality content and run a fast-paced reactive comment program, organisations should see results very quickly.

If the content is good and valuable to readers, media will be much more inclined to cover it. This should also mean organisations see a positive impact with their PR activity very quickly.

CNG: Now that we are wrapping up, do you have any final pieces of advice for organisations thinking about PR in the year ahead?

Lucy Harvey: Remember to plan, remember the importance of good content and avoid, at all costs, over-promising but under-delivering in terms of product capabilities.

For many years the cyber security industry was built on FUD (Fear, Uncertainty and Doubt), where vendors would scaremonger with apocalyptic threats and then pitch their products as the silver bullet solution. But today we know there are no silver bullets in cyber security, so vendors must avoid pitching their products in this way. Otherwise, they won’t make friends with the media, and they will ultimately let down their customers. Instead use PR to educate, explaining how a product or solution helps drive cyber resilience and how it can be used to limit an enterprise’s exposure to attack. Education is essential in PR and it’s the best way to gain quality coverage of an organisation, while also helping others improve their defences in the ongoing fight against cybercrime.

To hear more from Lucy Harvey, watch our recent Let’s Talk Cyber podcast, where Cyber News Global CEO, Tommy McCarthy, has an in-depth discussion with her, delving deep into the exciting world of cyber-PR.


WHO IS SCOTLANDIS

ScotlandIS is the trade body and Cluster Management Organisation (CMO) for the digital technology sector in Scotland and are proud to host the Scottish Cyber Cluster, ScotlandIS Cyber - Where Cyber Security meets industry, innovation and talent.

WHAT DO WE DO

Our mission is to build a connected cyber community across Scotland. We aim to drive cyber security growth and innovation, to support the growing skills pipeline and collaborate to address cyber security skills challenges.

We also seek to build strong UK and international relationships to support and promote the Scottish cyber security community at home and abroad. Our ecosystem of cyber security experts, businesses and academia have created new and innovative products and systems that are enabling and driving industry to reach new frontiers. We choreograph the relationship and community bringing together pioneering cyber companies with investors, industry and government creating wealth in Scotland. Where we say we bring together cyber companies with investors etc.

OUR SERVICES

Eco System Development
Business Innovations
Cyber Skills Growth

WHY SCOTLANDIS

ScotlandIS is at the heart of Scotland’s digital economy, shaping, changing and driving it forward.

MEET OUR CYBER CLUSTER

We are pleased to introduce ScotlandIS Head of Cyber Cluster: Beverly Bowles! Bev joined ScotlandIS last summer 2022 as the Project Lead on their IT Managed Services work, running a series of ITMS events, building a community of IT Managed Service providers in Scotland, and working with providers to create an ITMS Charter (an established).

The Power of Cyber Security Solutions: A Global Imperative and why Scotland’s cyber ecosystem could be the key to solving global cyber challenges.

Safeguarding National Interests:

The digital landscape knows no boundaries, and neither do the threats that traverse it. For nations, investing in cutting-edge cybersecurity solutions is not just a matter of protecting sensitive data; it is safeguarding their very sovereignty. As cyber threats evolve in sophistication and scale, governments worldwide must proactively seek innovative cyber security measures to secure their critical infrastructures and maintain the trust of their citizens. And Scotland’s growing cyber security ecosystem has the talent, innovative solutions and services to help do just that.

There are just over 400 cyber security companies which operate out of Scotland, ranging from start-ups, scale-ups, SMEs to large global enterprise who see Scotland as a key market to target and having that local presence as being a critical part of that strategy. The estimated total GVA of the Scottish cyber sector is £426m with £811m generated in 2021 from cyber specific companies across Scotland. With our thriving cyber ecosystem it is clear to see that Scotland should be a key collaboration focus area for any country looking to strengthen themselves in the area of cyber security.

The Human Element:

Behind every successful cyber security solution are skilled professionals. In the pursuit of bolstering digital defences, nations benefit not only from advanced technologies but also from fostering a workforce proficient in cyber security. Collaboration between countries in sharing expertise, cultivating talent, and establishing international standards is pivotal in creating a collective defence against cyber threats. This is something that Scotland as a nation takes very seriously.

More than 70% of Scotland’s universities offer cyber security courses and many courses are now looking at embedding cyber security practices into them in areas that are not even considered as technology focussed. Abertay University has the first Ethical Hacking degree course in the world, and the only fully certified NCSC (National Cyber Security Centre) degree is run by Edinburgh Napier University – BEng Cyber Security and Forensics. Additionally, there are 2 NCSC fully certified Masters courses available, one at Abertay University, MSc Ethical Hacking and Cyber Security and Edinburgh Napier University, Advanced Security and Digital Forensics, with Edinburgh University recognised as Cyber Security Centre of Excellence in Cyber Security Research (ACEs-CSR)

A Call for Global Cooperation:

Cyber threats respect no borders, and neither should the response. A united front against cyber threats requires international cooperation. Through shared intelligence, coordinated responses, and joint initiatives, nations can create a formidable defence network. Establishing global norms for responsible behaviour in cyberspace can set the stage for a secure and collaborative digital future. In Scotland we are very lucky to have an engaged and supportive community, and this has been helped by the close working relationship across enterprise, government, academia and the entrepreneurial and start-up community. These 4 parts of the ecosystem jigsaw work in close collaboration to drive growth and innovation in

This era of cybersecurity is a global one. As nations confront the challenges of an interconnected world, prioritising cyber security is not just a matter of national interest; it is a shared responsibility. By investing in and collaborating with the innovative and pioneering cyber security companies in Scotland, nations can forge a path toward a digitally secure future, ensuring the protection of their citizens, economies, and the integrity of the global digital landscape.


Showcasing the Women Championing Cyber in Scotland

To coincide with CyberScotland Week, this month Cyber News Global is showcasing some of the leading women in Scotland who are spearheading the industry. These inspirational women are driving innovation in Scotland, while working tirelessly every day to turn the country into a powerhouse in the ongoing fight against adversaries.

Support is everything and the Scottish cyber community consistently collaborates to share ideas, network, and offer each other guidance. But there is one group that truly champions and supports the industry as a whole. ScotlandIS offers support to technology companies in Scotland, helping them grow, succeed and reach global audiences. The team is led by some of the finest female leaders, including Karen Meechan, the CEO, who has set the bar so high we can only look on and admire what she has achieved for the industry so far. Well done Karen.

The women listed below are also championing cyber in Scotland; here we are recognising them for their continued contribution to the industry. Please join us in celebrating their accomplishments.

Clare El Azebbi, Head of the Scottish Government’s Cyber Resilience Unit

Clare El Azebbi is the head of the Scottish Government’s Cyber Resilience Unit. A seasoned policy professional, Clare wrote Scotland’s first cyber resilience strategy and currently drives implementation of the second. She and her small team work closely with partners across public, private and third sectors, as well as the UK Government to strengthen Scotland’s cyber resilience.

Clare also chairs the CyberScotland Partnership (“the CSP”), made up of national agencies and organisations that have committed to work together to ensure a more joined-up, cohesive approach to raising awareness of cyber risk among Scotland’s communities, public sector organisations and businesses. The CSP includes representation from Police Scotland and agencies responsible for school, college and community education, the national skills body and enterprise agencies.

Clare has led numerous national cyber initiatives and campaigns and is committed to embedding digital security and resilience in all parts of the lifelong learning system; recognising the importance of reaching people from diverse backgrounds and making cyber careers attractive to young people and particularly girls and neurodivergent people.

Clare says: ‘I have been entrenched in Scotland’s cyber resilience policy from the very start and it is a huge privilege to work with Scottish Ministers, fellow civil servants, the National Cyber Resilience Advisory Board and other stakeholders to make Scotland a more digitally safe and secure place to live and work. We have made significant progress in Scotland including embedding cyber resilience into education, building a proactive public sector cyber security community, and supporting business leaders to recognise that cyber is a business risk that they must plan for. Digital adoption and transformation have created immense opportunities for individuals and businesses. However, as we continue to make the most of these opportunities, we need to be aware of the risks and be ready and able to prevent, or quickly manage and recover from incidents, when they do happen.

‘Partnership has been a core means to building Scotland’s cyber resilience to date. I have always recognised the value of working across sectors and communities, as protecting a country and its people from cyber crime cannot be driven by government alone. The CyberScotland Partnership is proving its worth as it collectively coordinates national guidance and awareness messaging. Each partner adapts the central messaging for its audience and networks, whether that’s for young people, people with disabilities, businesses, or educators.’

Cyber Resilient Scotland: strategic framework - gov.scot (www.gov.scot)

Irene Coyle, Chief Operating Officer at OSP Cyber Academy

Irene is an advisory board member for the Cyber Centre of Excellence UK (CCoE) and an accomplished international speaker, presenting key topics around cyber security and data protection. Irene joined OSP Cyber Academy after a 30-year career in Police Scotland in a variety of roles, including chief inspector for recruitment.

During her career in the police, Irene focused on protecting people’s data, including as the detective inspector of the Public Protection Unit at Grampian Police. In this position she introduced the Vulnerable Persons Database, a project which was then rolled out nationally across Scotland. She was also responsible for designing and implementing a positive action for women program within the police, to increase the number of women joining the police in Scotland. Irene also implemented GDPR throughout the recruitment function within Police Scotland.


She is an accomplished Data Protection Officer (DPO) working with many organisations supporting their implementations of data protection programs, and she is also a UK NCSC assured trainer for cyber security and data protection. Irene’s role at OSP Cyber Academy: As the Chief Operating Officer with OSP Cyber Academy, Irene’s role has evolved over the last six years. She was pivotal in turning a face-to-face cyber security training provider into a digital company, offering customers a variety of options for cyber and information security training, deliverable at all levels across an organisation. Irene has developed the OSP training platform so that customers can access a library of courses, which are interactive and engaging. Irene’ s role is to ensure that OSP Cyber Academy training meets the NCSC standards to help educate staff and build improve an organisation’s cyber resilience. Irene is constantly looking at alternative methods to engage staff and recently introduced cyber immersive training to the OSP Cyber Academy portfolio. This is a pop-up escape room style exercise that is taken to client’s premises to undertake a team exercise without the team realising they are receiving key cyber security training messages.

Irene’s call to action: Irene is extremely passionate about raising awareness of the risks posed to protecting data in the digital world, while not expecting everyone who is not working in information security to know about the threats that exist. Whilst training is a recognised term, Irene wants organisations to focus more on ‘education programs’ – the more often you tell people information (around cyber security) the more chance of the message landing! So, tell your staff what you want them to know more often.

Irene thinks it’s important for women within the cyber security industry to make themselves as visible as possible to help demonstrate that there are so many roles out there for women to make a real difference. We all have transferable skills to bring to this industry which will make Scotland a safer place to live and work, so be visible for others to see the potential.

Louise’s role at i-confidential: As Chief Operating Officer for i-confidential and member of the board, Louise leads the business and drives the delivery of its objectives. She develops strategies to grow the organisation and ensures clients receive a consistently high level of service. Louise oversees company operations and employee productivity, building a highly inclusive culture so that team members can thrive, and organisational goals are met. As an employee-owned business, Louise works closely with the employee ownership trust board to ensure the company meets its long-term aspirations. Louise commits her time and that of her team to understanding the challenges facing the cyber security industry and taking appropriate action to promote positive change. On both improving the skills gap in cyber security, and increasing inclusion and diversity, Louise is:

Irene Coyle

Chief Operating Officer at OSP


As an experienced DPO, Irene’s role is also to work within organisations and support them on their data protection journey, while delivering practitioner level training on data protection which is NCSC Assured. Irene is an Advisory Board member on data protection and training for the Cyber Centre of Excellence which provides cyber services to Public Authorities across the UK. In this capacity, she delivers webinars, training sessions and conference presentations to share her knowledge on the best way to improve your employee cyber resilience.

Outside of work, Louise enjoys running, being outdoors, and spending time with her family.

Louise Beattie

Chief Operating Officer, i-confidential

Louise Beattie, Chief Operating Officer, i-confidential

Louise studied psychology at The University of Edinburgh before embarking on a career that led her to take on a variety of human resource, service improvement, and security-related roles in the financial services sector. Louise joined i-confidential in 2010, at the beginning of its journey in cyber security and risk. She initially managed all business operations and played a pivotal role in the evolution of the business, overseeing all hiring decisions, performance management, and professional development. Now, as Chief Operating Officer, Louise is leading i-confidential through its next phase of growth.

• Collaborating with further education colleges, providing industry mentors and support.
• Supporting cyber security students to get relevant work placements and internships.
• Working to form a STEM education funding partnership.
• Working with local high schools, providing careers guidance, CV writing, and interview coaching.
• Collaborating with a girls’ school to develop careers guidance on cyber security.

Louise’s call to action: Promoting cyber security as a career choice, in particular for women, is now at the forefront of the work i-confidential does as a company, and where it is investing significant time and energy to try and make a difference. By being a visible role model and encouraging other women in the industry in Scotland to do the same, Louise wants to change perceptions of who works in cyber security and the career pathways available. Scotland is brimming with talented people who can make amazing contributions to the industry and ensure a more successful future for everyone if we all commit to giving them the opportunity.


Elaine McKechnie, Senior Manager working in Cyber Security

Beverly Bowles, Head of cyber, ScotlandIS

Elaine McKechnie, Senior Manager working in Cyber Security, Virgin Money

Elaine is a Senior Manager working in Cyber Security at Virgin Money where she leads the team developing cyber strategy, threat intelligence and security culture. Elaine has embraced roles in the financial services industry across IT architecture, big data, cyber risk and information security. As a former police officer turned cyber professional, Elaine loves to encourage others to build careers in the fields of technology and cybersecurity and holds positions on various member advisory committees, setting direction for cyber skills in the UK, driving collaboration between communities and shaping technology outcomes.

Elaine’s role at Virgin Money: As a bank looking after people’s money, keeping customer data safe is at the heart of our business and the cyber security team is key to that. It’s an exciting time to be working in cyber at Virgin Money and I have the fortune to be leading the team who are responsible for developing and communicating the cyber strategy, helping colleagues understand what it means to be a secure digital bank that our customers can trust. We analyse the threat landscape, external to the bank, so we can determine the impact of geo-political risks and emerging threats. This leads to lots of investigations and exploratory conversations with different teams so it’s great for building stakeholder relationships and understanding what goes on in different business areas. We have a passion for growing our security culture too. That means creating innovative learning pathways for cyber and thinking about how our security controls cause friction in colleague and customer journeys. I love that cyber security is an enterprise requirement with no boundaries on our reach! My role feels different every day, I love the variety of problem solving and the sense of achievement from working with others to improve security and processes.

Elaine’s call to action: When I transitioned careers into technology I was overwhelmed by the world of opportunity and the range of jobs that I simply never knew existed. This makes me determined to tell people about the diversity of roles available in technology and cyber – it’s such a vibrant landscape. When I go to careers events, I still hear lawyer, doctor and accountant as the top jobs mentioned on people’s minds. My call to action is to switch the conversation away from traditional roles to digital & technology jobs to attract more diverse talent. You can’t be it if you can’t see it!

Beverly Bowles, Head of cyber, ScotlandIS

My journey into cyber was not what can be considered a traditional route. I started my career in the police and throughout a 28-year policing career, I undertook roles from response and community policing to communications and transformation programmes. I transitioned into cyber through the Cybercrime Harm Prevention Team and Cyber Strategy Implementation Team, working with public, private and 3rd Sector organisations to build Scottish cyber resilience. Through the Policing in a Digital World Programme, I developed the Cyber Prevent Strategy with the UK Government, ensuring alignment with Scottish law. Upon retiring, I led the ScotlandIS Managed Service Provider project, establishing a network, encouraging collaboration, and developing a Best Practice Charter to enhance cyber resilience in the supply chain. I am now the Head of Cyber at ScotlandIS.

Beverly’s role at ScotlandIS: As the Head of Cyber at ScotlandIS, I lead the cyber cluster, supporting startups and seeking funding and growth opportunities for cyber service and product companies, both domestically and internationally. Additionally, I organise events to cultivate community engagement and collaborate closely with other clusters across the UK, academia, and government bodies to advance the interests of the Scottish cyber community. Addressing current community issues is central to my role, where I strive to understand and provide support while seeking opportunities to support the creation, development and growth of new and existing cyber businesses and support the development of a healthy and diverse talent pipeline. We continue to build on the great work done with the managed service provider’s project. Recognising the critical role they play in securing the supply chain, bringing together organisations from across Scotland, developing a working group aimed at sharing insights, best practices, and lessons learned. Together, we developed a Best Practice Standards Charter, filling a regulatory void within the community. The charter, launched in September 2023, established essential and enhanced standards and now has over 20 signatories to the Enhanced Standard. The community’s enthusiastic response to this project has gained interest outwith Scotland, with clusters in England and Wales expressing interest in adopting our community-led approach.

Beverly’s call to action: Through my work with Police Scotland and ScotlandIS I have seen the positive impact that diversity and inclusion have had on the development of Scotland’s cyber sector. Embracing a range of perspectives and talents not only strengthens our cyber resilience but also fosters innovation and creativity. As a community, let’s ensure that individuals from all backgrounds are made aware of the wealth of opportunities that exist from policy making, technical roles and beyond and feel empowered to pursue careers in cyber, creating a vibrant and inclusive workforce. Through mentorship, support and community development we can champion diversity and inclusion, shaping a brighter, safer future for cyber in Scotland.

Susan Brown, Chairwoman and CEO, Zortrex

Susan Brown is the Chairwoman and CEO of Zortrex, an East Lothian-based cybersecurity company. With a visionary leadership style, Susan is spearheading the development of a trailblazing cybersecurity solution that integrates and bridges the gap with traditional systems to distributed ledger and metaverse technologies.

Susan’s role within Zortrex: As the Chairwoman and CEO of Zortrex, Susan Brown leads a dynamic team in the development of a groundbreaking cybersecurity solution. Her role involves shaping the company’s strategic direction, fostering innovation, and guiding the team toward creating a resilient and adaptive security infrastructure. Susan’s commitment to pushing the boundaries of conventional cybersecurity positions Zortrex as a potential industry disruptor. Susan is also known as the “First Lady in Data Privacy Security”. This speaks volumes.

Susan’s cyber security call to action: Susan believes in fostering a culture of innovation and inclusivity in the cybersecurity industry. Her call to action is to encourage mentorship programs, educational initiatives, and collaborative efforts that empower women to explore and excel in the diverse opportunities within the field.

Clare sees the biggest cyber risk of all is people who aren’t aware or ready to respond, adding that a great number of incidents could be prevented by improving the basic awareness of the general public, the general workforce, as well as those in leadership positions.

Clare’s career before cyber policy was in education and she is a passionate supporter of digital skills development, especially among women and girls and has actively supported initiatives such as the Empowering Women To Lead in Cyber Security run by Empowering You, which are creating the gender balance desperately needed in the cyber security industry.

She also believes that cyber resilience knowledge and skills must be introduced from a very early age and has worked with Education Scotland to develop a story book called “The Bongles and The Crafty Crows” which has been distributed to all 60,000 first-year primary school children in Scotland. Clare says: ‘Just as we teach children the importance of locking the doors to their homes, it is imperative that they become skilled in creating strong passwords to keep their online data safer and more secure – helping to deliver a brighter digital future for us all.’

And for the future? ‘The vast range of new and emerging technologies including AI, significantly raise the complexity of securing our digital ecosystem. It is therefore paramount that we monitor how these technologies evolve, together with their social, economic and political contexts to make informed decisions on organisational and national resilience. We need a diverse talent pool to ensure that we keep our country and our communities secure.’

Annabel Turner, Director, Cybersafe Scotland

Annabel practised as a barrister before working with the International Justice Mission on their “Not on My Screen Campaign” to end Online Child Sexual Exploitation. She founded Cybersafe Scotland, a social enterprise which provides education and training to reduce online abuse and delivers programmes to support digital safety for the most vulnerable children and young people.

Annabel chairs the Child Exploitation Committee for Aberdeen. She is a specialist in children’s rights and is passionate about the importance of Safety by Design and bringing together others from across the tech ecosystem to create change and build positive solutions. She is a member of the International Tech Legality Human Rights and Technology CoP.

Annabel’s call to action: As Director of Cybersafe I have overall responsibility for strategic planning. The role is wide – we were fortunate to develop our current programme, Respected and Safe Online, in Aberdeen. It has had hugely positive impact, so we are now rolling it out to other local authorities. A vital part of our work towards ensuring that children’s digital rights are respected, is advocacy - making sure that the views and experiences of the children we help and represent have real impact. I support others to create meaningful change as a result of hearing and understanding these experiences. Children are currently facing huge challenges online as well as huge opportunities. We must recognise both if we are to ensure their futures. This is also vital if companies are to meet their legal obligations around Safety by Design - ensuring that products and applications are designed with these users at the front of our understanding, nationally and internationally. I lead the development of this work from a policy perspective and work directly with individual companies. I also work with our team – our child psychologist, social workers, teachers, education leaders and a learning and development specialist - to develop our training and products. Whenever possible, I try to spend time in schools with the children we serve. Their trust in us is one of our greatest strengths as an organisation.


“Empowering Change: Eight Women at the Forefront of Scotland’s Cyber Defense”

Annabel’s call to action: We urgently need women in all aspects of cyber. For any industry to thrive it needs diversity, but this is especially true in cyber, which is at the heart of all of the greatest change in society now. Women bring a unique and vital perspective to many of the areas I hope that Scotland will lead on in the future. We cannot develop, design, and maintain cyber products that are safer by design (and protect children, girls and women) without women! We need so many things to make this happen - but I would love us to keep talking about the why.

Rachel Jones, Founder & Chief Innovation Officer at SnapDragon Monitoring

Founder and Chief Innovation Officer at SnapDragon Monitoring, Rachel was thrown into the world of anti-counterfeiting when her invention, Totseat, the washable, squashable highchair, was faked. Horrified, she learned how to remove counterfeit products from online platforms using intellectual property and resolved to build software to empower even the smallest brand to fight back. Ten years on and SnapDragon works with some of the world’s most loved brands, protecting their businesses, revenues and, most importantly, customers. Rachel was CEO of the business until undergoing treatment for breast cancer last year. She is Co-Chair of the UK’s IPO Crime Group, an NED for Equity Gap and a mentor for TechScaler.

Rachel’s role within SnapDragon Monitoring: Taking a step back from the CEO role, following treatment for breast cancer last year, I am now involved in a more ambassadorial role, which I also love. I’m trying to keep abreast of the wily and increasingly clever ways that fraudsters look to rip off brands and consumers, as well as looking at new cyber partnerships, ideas and their commercial merit, and working with the leadership to continue to encourage growth. As an example, since Covid we have seen a significant increase in fake websites and domains, and also in impersonation, of both businesses and individuals on social platforms, thus the overlap with what might be termed ‘true cyber’. I remain completely passionate about our team and in developing their ambition, talent and careers, while ensuring good mental health and a work life balance for all.

Rachel’s call to action: There is a misunderstanding that you need to be a techie to get into, and do well in, cyber. Clearly there are roles for those who love computer science and maths but, equally, there is a myriad of exciting opportunities for folks who may be less mathematically minded, where problem solving, communication or even modern languages come into their own.

Rachel Jones, Founder & Chief Innovation Officer at SnapDragon

Importantly, cyber doesn’t need to be a young persons’ industry – many fascinating jobs suit women returners who have, and do, juggle endless priorities and want a fulfilling, part-time role. In many fast-growing businesses, older, wiser, people with experience, working part-time, can be incredibly valuable, and valued, being both affordable and dedicated. As the industry continues to grow, we all need to be more encouraging in talking about the wide-ranging opportunities and prospects for the young, and those a wee bit older!




OVERCOMING RECRUITMENT BARRIERS IN CYBER SECURITY

It’s well known that organisations across the globe are suffering from a workforce cyber skills shortage, which is leaving security teams understaffed, and potentially exposing them to attack. This month, Cyber News Global was delighted to interview cyber recruitment guru, Nicola Huskie, and hear her invaluable advice to help job seekers and organisations overcome recruitment barriers in cyber security.

Nicola Huskie, Chief Commercial Officer & Head of Talent Acquisition for i-confidential.

Can you please provide some details on your background and experience?

I’m the chief commercial officer and head of talent acquisition for i-confidential. I’ve been working in HR and recruitment for around 18 years, but I recently moved into a commercial role. My background is in IT, oil, and gas. I’m used to working with international companies and I’ve helped many organisations develop their in-house recruitment capabilities. I’ve been with i-confidential for nine years, working with new and existing clients, driving their recruitment strategies, while also supporting them with their cyber security needs.

i-confidential is a cyber security and risk consultancy. Whether our clients have a security issue, or an outcome that they want to get to, or they are looking to enhance their own internal teams, we offer services to address their needs.

What challenges do organisations face with recruitment today?

The cyber industry is struggling with a lack of skilled personnel, but with budget restrictions in place across most organisations, this is having an impact on recruitment. Organisations no longer have the luxury of filling all the empty roles in their security teams. Instead, the focus is on hiring individual candidates that meet multiple requirements. But this is placing pressure on both organisations and job seekers.

For organisations, they need to attract the best talent, while for job seekers, there is more competition than ever before. The biggest challenge for organisations is a lack of inclusivity in their recruitment strategies. The most secure organisations are diverse because different cultural or gender groups introduce important traits into roles. But organisations need to know how to attract a variety of groups in the first place. This means tailoring job adverts so they appeal to a wider demographic. Otherwise, some groups could be completely discouraged from applying for a role, and it’s the organisations that can suffer the consequences of this.


What is your key advice for job seekers?

The biggest challenge job seekers face today is not knowing how recruiters recruit.

In the age of AI, recruiters are using algorithms to identify candidates, but this means many applications are never even seen by a human. The key goal for job seekers is to get past this first stage in the recruitment process. The CV is used less today, but job seekers still need to make sure it includes all the keywords applicable to a certain role. Making sure your CV is tailored to the role you’re applying for is essential.

Being proactive and having a good LinkedIn presence is also very important. All organisations use LinkedIn for recruitment purposes today, so making sure your profile is visible is vital.

In some cases, a LinkedIn profile is enough to land a person a job. All you need to do is change your status to say that you’re open to work, and suddenly, your whole network can help secure your next position. Recruiters often use LinkedIn to identify candidates that are ‘open to work’, so this is a must when looking for something new. Recruiters want to use the fastest methods to fill a role. Obviously, they want to find the right candidate, but they’ll use tools to help them get there quicker. Therefore, the more you can do to make yourself available and prominent on LinkedIn, the greater chance of landing a new role.

How does a consultancy like i-confidential help?

i-confidential adopts a people-first strategy, where we ensure a candidate matches the values and culture of the organisation we are hiring for. We also have a lot of industry knowledge, and our talent acquisition team are all accredited in cyber security. This means we understand the subject and can have credible conversations with candidates and hiring managers. It allows us to screen candidates to a level that’s useful, including an assessment of their behavioural and interpersonal skills. We also try to encourage upskilling, and we work with many universities, colleges, and schools to help educate the next generation on cyber.

Can you provide an example of a candidate you have recently placed?

I was introduced to a lady via LinkedIn who had an excellent background in IT, but no cyber experience.

She couldn’t get into the industry, and it was interesting listening to her journey and the obstacles she had faced. She was joining groups, networking, and doing everything right, but she was still struggling to land a job. In the end, I worked with her to update her CV and introduced her to companies in the cyber space, and then she landed a fantastic role. This is where i-confidential really adds value. Our clients trust us and we know the industry. We only put quality people forward for roles. We could see her skills and behavioural qualities would work well in cyber security and never hesitated in putting her forward. She now has a very successful career in cyber security, and the clients we work with are consistently impressed with her.

Any final pieces of advice for job seekers?

Don’t be afraid to put yourself out there. Reach out to people who you don’t know and ask them for their help because nine times out of ten they’re more than happy to do it.

Do what you can to educate people on cyber security. Awareness is critical and we must work continuously to arm the new generation of cyber talent because soon they will be working hard to keep our data secure.

Be mindful of the knowledge that you’re sitting on and how you can use that to help other people.

To learn more about cyber recruitment, tune into our latest podcast, where we have an insightful conversation with Nicola and hear her top recommendations...





GENERATIVE AI: WHAT IS IT, HOW DOES IT WORK AND WHAT’S THE RISK? Vanessa Porter, Teradata

Since the launch of Chat-GPT, it seems that everyone is waking up to the possibilities and risks associated with a truly data driven world. There are so many buzz words associated with the revolution in analytical technologies, that having a solid understanding of the concepts is important to make sure that your business can maximise the benefits and understand the risks. So let’s start with some simple definitions of the terms that are currently being bandied about:

Artificial Intelligence

Artificial intelligence (AI) is a branch of computer science which deals with the simulation of human intelligence in machines by drawing on aspects of statistics, mathematics, information engineering, neuroscience, cybernetics, psychology, linguistics, philosophy, economics, and much more. The discipline has been around for a long time but the term “AI” has come to mean a more specific thing, referring to the application of complex techniques typically involving “Deep Learning” such as Computer Vision and Natural Language Processing.

Machine Learning

Machine learning (ML) is a branch of artificial intelligence that uses algorithms and statistical techniques to learn from data by analysing it, identifying patterns, and making predictions or decisions based on the datasets they are exposed to.

Machine Learning typically uses structured data which is organised into tables. Deep Learning, a subset of Machine Learning, uses unstructured data such as text and images.

Generative AI

Generative AI is a type of Deep Learning that is designed to generate or create new content, such as images, text, music, and even videos. These models learn patterns and structures from a given dataset and then generate new examples that resemble the original data. These have been around for a while but the hype really kicked off in 2022 when Chat-GPT was released. A type of generative AI is Large Language Models (LLMs). Chat-GPT and Bard are both examples of LLMs.

So how do Large Language Models work?

LLMs are fundamentally models that take a series of inputs and then, given a question to answer, will predict the sequence of words that will answer that question. You could argue that LLMs are really just a sexy sentence completion tool. I asked Chat-GPT to write me a song about AI in the style of 90s pop sensation Boyzone. And this is what it came up with:

VERSE 1:
In a world of wires and dreams, where circuits softly gleam,
A tale unfolds, a story to be told.
Of silicon hearts that sing, in the language of machines,
A dance of bytes, where secrets are unrolled.

(Chorus)
Artificial hearts, beating in the night,
In the glow of LCD lights,
We’ll find a love that’s so divine,
In this realm of ones and zeros, we’ll intertwine.

Not bad, eh? You can probably fit these lyrics into any Boyzone tune, more or less. What’s happening here is that the Large Language Model is taking the dual inputs of Boyzone lyrics and articles about Artificial Intelligence and tokenising them. Tokenization is where words, or parts of words, within a sentence are broken down into “tokens”. These tokens are then put through a supervised learning model, which trains on the data set to begin to link each word and to indicate the probability of a word occurring in a particular sequence. Then, using the LLM, we can generate completely new lyrics in the style of Boyzone. We can do that by starting at any word and then following a sequence based on the probability of the next occurring word.

You should now begin to see how LLMs like Chat-GPT can start to “hallucinate”. Hallucinations could also be defined as “lying with confidence”. The data sets on which LLMs are trained are based on the incomplete and inaccurate data on the internet. As the old saying goes, “garbage in, garbage out”. So if all an LLM is really doing is predicting the next word in any given sentence, the inputs upon which the model is trained need to be accurate.
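The next-word prediction and "lying with confidence" described above can be reproduced at toy scale. The Python sketch below is an added example, not from the original article: it assumes a word-level bigram model (far simpler than a real LLM, which uses sub-word tokens and a neural network) trained on three constructed, true statements, and shows that fluent but false sentences come out exactly as probable as the true ones.

```python
import random
import re
from collections import Counter, defaultdict
from fractions import Fraction

START, END = "<s>", "</s>"

# Constructed training data: three true statements.
TRAINING_LINES = [
    "Edinburgh is the capital of Scotland",
    "Paris is the capital of France",
    "Aberdeen is a city in Scotland",
]


def tokenize(line):
    """Split a line into lower-case word tokens, with start/end markers."""
    return [START] + re.findall(r"[a-z']+", line.lower()) + [END]


def train(lines):
    """For every token, learn the probability of each token that follows it."""
    counts = defaultdict(Counter)
    for line in lines:
        tokens = tokenize(line)
        for current, following in zip(tokens, tokens[1:]):
            counts[current][following] += 1
    return {
        current: {tok: Fraction(n, sum(followers.values()))
                  for tok, n in followers.items()}
        for current, followers in counts.items()
    }


def sentence_probability(model, line):
    """Probability that the model emits exactly this sentence."""
    tokens = tokenize(line)
    prob = Fraction(1)
    for current, following in zip(tokens, tokens[1:]):
        prob *= model.get(current, {}).get(following, Fraction(0))
    return prob


def all_sentences(model, max_tokens=12):
    """Enumerate every sentence the model can produce, with its probability."""
    results = {}
    stack = [([START], Fraction(1))]
    while stack:
        tokens, prob = stack.pop()
        for following, p in model[tokens[-1]].items():
            if following == END:
                results[" ".join(tokens[1:])] = prob * p
            elif len(tokens) < max_tokens:
                stack.append((tokens + [following], prob * p))
    return results


def novel_sentences(model, lines):
    """Sentences the model can produce that never appeared in training."""
    seen = {" ".join(tokenize(line)[1:-1]) for line in lines}
    return {s: p for s, p in all_sentences(model).items() if s not in seen}


def generate(model, rng, max_tokens=12):
    """Pick each next word at random, weighted by its learned probability."""
    tokens = [START]
    while len(tokens) < max_tokens:
        followers = model[tokens[-1]]
        choice = rng.choices(list(followers),
                             weights=[float(p) for p in followers.values()])[0]
        if choice == END:
            break
        tokens.append(choice)
    return " ".join(tokens[1:])


MODEL = train(TRAINING_LINES)

if __name__ == "__main__":
    for sentence, prob in sorted(all_sentences(MODEL).items()):
        tag = "novel" if sentence in novel_sentences(MODEL, TRAINING_LINES) else "seen"
        print(f"{prob}  {tag:5}  {sentence}")
    print("sample:", generate(MODEL, random.Random(7)))
```

Six of the nine sentences this model can produce were never in its training data, and the model has no way to mark "paris is the capital of scotland" as less trustworthy than the statements it was trained on.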



What is the security risk of LLMs?

One of the immediate risks of LLMs is their ability to generate convincing and coherent text. This capability significantly improves the quality of phishing emails, fake news or other forms of disinformation. One of the lessons we taught users was to watch out for emails containing spelling mistakes. That is a lesson that we will all have to unlearn. LLMs can now automate social engineering attacks. The ethical LLM engines such as Chat-GPT will decline to offer information on specific individuals but the number of options for creating LLMs through non-ethical sources is continually growing. If sensitive data is available in any training data set then this can be used in any output. Your policies and training should be updated to make sure that sensitive or proprietary data is never uploaded into any Generative AI engine.

The Generative AI rabbit is now out of the hat and the threats continue to emerge. Like any new technology, it’ll take time for the ethics and legalities to catch up. While it does, Cyber Security leaders should make sure their users are aware of what the technology does, how it works and what the risks are.

About Vanessa Porter

Vanessa has been helping enterprises to use data and analytics effectively and responsibly for more than 25 years. She develops & delivers memorable data and security engagement programs that increase technology adoption, safely and securely. She lives with too many dogs in rural Oxfordshire.


CyberPrism OT SECaaS CyberPrism provides Operational Technology Security as a Service using proprietary technology, underpinned by industry-leading expertise, to protect OT within Industry and Government ➢ A world class team of senior military personnel and leading cyber experts ➢ Proven technology compatible with the OT environment ➢ Automated processes under human control ➢ Cyber Risk Assessment and Technical Authority

➢ Asset and Vulnerability Discovery

➢ Compliance/Maturity Tracking ➢ Network Design and Modelling ➢ Network Segregation and Segmentation ➢ Asset Life Extension ➢ Process Optimisation and Data Integrity ➢ Incident Support ➢ Supply Chain Assurance ➢ Training and People Risk Assessment CyberPrism.net 210-214 Union Street, Aberdeen, AB10 1TL Tel +44 1224 45 1999 contact@cyberprism.net

TAKE CONTROL OF YOUR OPERATIONAL TECHNOLOGY

cyberprism.net


ONCA TECHNOLOGIES

Virtual CISO & Cyber Security Experts IT Support & Monitoring ISO 9001 & 27001 Compliance Risk Management Training Campaigns GDPR Compliance Business Optimisation & Data Analysis Digital Solutions Support & Guidance Security Gap Analysis System Organisation

www.oncatech.com



TRUST, CYBER AND GOVERNANCE WITH RICHARD PREECE, CHIEF TRAINING OFFICER AT OSP CYBER ACADEMY

CNG recently had the pleasure to catch up with Richard Preece for an interview with “Lets Talk Cyber” who shared his views on: Trust, Cyber and Governance

Trust is important; it is central to the way society works, the way organizations work, and the way we live and work. In our daily lives, we trust things. We expect people to behave in the way we want them to. Trust is ultimately based upon credibility; authenticity; and competence. For example, do I trust the pilot of the plane? Well, I do if she’s with a reputable airline and I trust that they do all the right training and safety standards. It’s in their interest to have a well-qualified and experienced air crew on a well-maintained plane, flying through good air traffic-controlled skies, to and from safe airports. Trust is central to everything because if you’re a business trying to sell something, people want to trust that the product or service you’re selling works, is safe and secure. If you’re in government at whatever level, people want to trust that you’re going to deliver what they expect. Now we are in an increasingly digitized world, trust applies here. After all, no one knows you’re a dog on the internet!

Data and technology enabled transformation, aka digitisation e.g. doing things better and doing better things, is central to future success. Governance is about who is accountable for this new digital enterprise? Making sure that as we use technologies, to seize huge opportunities and address challenges that we are doing it in such a way that both enables and protects. Ultimately so people can trust that technological driven change is legal, ethical, and secure. That means recognizing that change potentially amplifies existing risks and creates new risks. Looking forward, how you are going to enable your strategy to achieve what you want to achieve as an organization? That doesn’t mean you have to be the expert, but you need to be able to understand and challenge the experts, management, and yourself, to see how these changes, could impact your organization, both positively and negatively.

If you do not, then you are not fulfilling your fiduciary duties to show due care, skill, and diligence, and to look after the long-term, sustainable future of your organisation. That means we need challenge questions. There are three core governance challenge questions, and similarly three core risk challenge questions. First, from a governance perspective is what information do you need to support your critical decisions? Digitalisation cuts across everything because it is your business! What information do you need to make decisions? Second, what expertise do you need within your organization? That might be specialist advisors who you can call in, to provide appropriate challenge. This helps board members, executives and further down the chain, really to have honest and open conversations about the challenge and to navigate issues.

The final thing is you need to think about what the impacts are if things go according to plan, but also if they go wrong. Because digitalisation pervades the whole organization, you are going to have impacts across reputation, operations, commercial arrangements, potentially legal and regulatory impacts. Finally, all of this has a financial impact. Sometimes a pound of prevention to prevent or to enable effective response & recovery, to minimise harm, saves considerably more in the long term. However, these are challenging decisions to understand and think through. But it is the only way to credibly make investment and wider governance decisions. This then leads to risk challenge questions. These are about knowing yourself as an organization. First, what things are outside your control and what’s your plan if they get disrupted? Suppliers are absolutely on point as a target for supply chain disruption, both in the physical world, but in the digital world also. This is a key trend, because a bad actor can gain greater impact by targeting supply chains, therefore hitting multiple customers. Second, what are the inherent risks in your organization, in the way you operate? All people, data, technology, processes, and facilities are vulnerable to both malicious and non-malicious disruption. How can you mitigate inherent risks? Does your culture support this honest reporting and communication of inherent risks and issues? Finally, digital transformation is an important part of your strategy. So, what happens, from self-inflicted injury? How could this digital transformation go wrong? Because the business case will all be how it can go right! But what happens on a bad day? Conduct pre-mortems, to genuinely challenge where things can go wrong and take measures to prevent in advance. Context is everything, but in the cyber world it is constantly changing. People always want to say, well, what are my peers doing? That’s important, there’s no monopoly of good ideas, but ultimately, what do you need?

What are you trying to achieve as an organization? What are your values? How do you establish and demonstrate trust? First, by being credible in your actions, do you have a credible plan and strategy for cyber resilience and overall resilience; are you executing that strategy? Second, are your actions aligned to your values and communications; are you being authentic? This appears to be the case in the Post Office Horizon scandal. Trust in the Post Office and Fujitsu has been compromised.

Finally, is what you are doing competent and how do you make sure? As with any complex problem, you need to be asking the right challenging questions and seeking advice from different perspectives, another apparent failure at the Post Office! That means being much more open and creating a safe space where your IT, security professionals and others can have an open and honest conversation. They may say, yes, we are doing this, but we are still concerned about this aspect. It’s not a blame game, it’s about understanding the challenges and having an appropriate culture to encourage that. Ultimately, it’s about not treating cyber as a technical issue that’s done by other people. It’s treating cyber as part of your overall strategy. Recognising it is part of trust in your organisation and why that is important.

Many thanks go to Richard for his years of support to OSP Cyber Academy and the great work he is doing with the OSP Cyber Academy Cyber Risk & Resilience Board Course which is an Assured Course with the National Cyber Security Centre UK (NCSC). Find out more about the training by scanning the QR Code or contact: training@ospcyberacademy.com

To listen to Richard’s interview with Lets Talk Cyber: SCAN THE QR CODE

Richard Preece, Chief Training Officer at OSP


Security, Cyber and Investigation Services

VALKYRIE SERVICE LINES CYBER SECURITY TECHNICAL SURVEILLANCE AND COUNTER MEASURES (BUG SWEEPING)

CYBER PENETRATION TESTING CYBER AWARENESS TRAINING PHISHING SIMULATIONS CYBER SECURITY REVIEW CRISIS RESPONSE SECURITY TRAINING PHYSICAL AND PERSONAL SECURITY

INCLUDING ASSESSMENTS | ACCESS CONTROL | TECH SECURITY

INVESTIGATIONS PHYSICAL PENETRATION TESTING

15 Belgrave Square, London SW1X 8PS, UK

+44 (0) 2074 999 323

security@valkyrie.co.uk

www.valkyrie.co.uk






If you want to bring Cyber Security alive for your staff who are not involved in information security, then our pop-up “escape room” style training is an engaging and interactive experience.

Cyber Escape Rooms “Knock your Cyber Training out the Park!”

Cyber News Global had the pleasure of catching up with Irene Coyle, Chief Operating Officer OSP Cyber Academy who shared her thoughts on Immersive Training and the OSP Cyber Academy Cyber Escape Rooms.

Knock your Cyber Training out of the PARK.

I believe that to have an effective cyber training programme (and not a one-off event), there are a number of things you should be considering when building your programme ... Typically, information security training happens when an employee joins and they are overloaded with information, and they are only really concerned with where the coffee machine is.

1. Frequency and recency of signals passing from one neuron to the next increase memory

Tell people what you want them to know often! (Don’t worry, I am not getting too scientific here.) Shift the focus from an annual task to an ongoing program, comprising e-learning, team meetings, face to face training and newsletters. The more you provide information, the more chance you will have that the message will land.

2. Emotions strengthen Memory

When we have fun, our brains release dopamine. According to neuroscientist Dr Martha Burns, dopamine has a direct impact on our ability to remember. The more interested we are in an activity, the more dopamine is released and the better we remember it. She calls dopamine the “Save” button.

3. Memories are stored in multiple parts of the brain

Research suggests that memories are stored in many different parts of the brain. Different ways of learning trigger different reactions and different connections between synapses. If we engage all the senses while learning it will create memories in many parts of the brain and will reinforce your learning.


In addition, our brains are programmed to focus on new and unusual ways of learning. Learning that taps into the brain’s natural curiosity will be more successful. OSP Cyber Academy want your staff to be engaged and motivated and feel minimal stress. “Learning comes not from quiet classrooms and directed lectures, but from classrooms with an atmosphere of exuberant discovery” – that’s what we have introduced in our Immersive Training – a pop up escape room style exercise. Our immersive training is a mental and physical adventure-based game in which players solve a series of puzzles and riddles using clues, hints, and strategy to complete an objective. During our training, users will have fun, cover important topics, and have time to reflect on that learning. The originality of the immersive approach will also support remembering key lessons. “We come to your office and just need the space of a desk, we set up the exercise all from one suitcase, so you are in a police officer’s desk area with items on the desk to explore.” Solve clues, crack lock codes, decipher information in emails. You need to act as a team to complete the exercise. We all know from training some people will just sit back and hide and let others do the guesswork – we have designed our training so that everyone has a part to play. The message should be for your organisation to build cyber resilience – everyone has a part to play, not just your IT team. The training should form part of an overall information security awareness training, comprising different types of learning including e-learning and regular newsletters. Studies show that people will retain up to 60% more information when they are having fun and this training is designed to be fun for the learners involved which means it is more effective in increasing cyber security awareness with your staff. You will also be providing a great team building experience as well as valuable skills that will help to keep company data and personal data safe.
Get in touch with me and we can demo the immersive training over a 10-minute Teams call – the advantages of technology. To hear more about what Irene had to say with Lets Talk Cyber scan the code.


Five steps to improving your Cyber Security Awareness Program

Education and behaviour change is critical to keeping your organisation safe. If you want to make your training effective, you need to carefully consider what your program looks like so it can address

- Vanessa Porter, Teradata

1. Understand Your Audience

Not every user is made equal. The program should be tailored to the specific roles and responsibilities of different employee groups. Your Finance, HR and Procurement teams, for example, should have enhanced levels of training because of the level of sensitive and financial data that they have access to. Your industry will also face specific threats, influencing what is contained in your Cyber Security training program. For example, Financial Services organisations may wish to focus on phishing attacks and insider threats, whilst Educational establishments might consider ransomware attacks and/or identity theft or academic fraud to be of highest priority. Equally, the specific legislation for different regions and industries will need to be covered within the Cyber Security training program.

2. Engage your users

Too many Cyber Security Awareness programs are, well, just a bit dull. What should be an exciting, dynamic subject is seen as somewhat dry and irrelevant. Users are engaged when they understand the objectives of training, that the training is relevant to them and that it is interactive. Fun is not something that is often associated with Cyber Security, but having fun or experiencing positive emotions is positively correlated with how memorable the training is, a concept known as “emotional memory”. This concept states that when you have fun or experience positive emotions during a task, your brain releases neurotransmitters like dopamine, which can enhance memory consolidation. Interactivity encourages active participation which can also enhance the recollection of key learning points. This could include quizzes, discussions and simulations.

3. Embrace Different Learning Styles

Everyone learns in a different way. Learning styles outline the way that different people process information, and embracing different learning styles in a training program makes learning more inclusive, engaging and effective, ultimately leading to a more successful training initiative. There are different models that describe learning styles. One of the more popular and easy to grasp models categorises learning styles into three main types: visual, auditory, and kinesthetic. Visual learners understand information best through visual aids such as diagrams, charts, and written materials. They benefit from seeing information in a clear, organized format. Auditory learners, on the other hand, prefer learning through listening. They grasp information effectively through lectures, discussions, and verbal explanations. These learners often benefit from participating in group activities and engaging in conversations to reinforce their understanding. Kinesthetic learners learn best by doing and experiencing. They thrive in hands-on activities, experiments, and real-world applications, as physical engagement aids their comprehension and retention of information. What this means in reality is that your Cyber Security Awareness program should be multi-media and multi-channel to cater for as many learning styles as possible. This could include hands-on learning, newsletters, infographics, simulations and escape room style “immersive” training.



4. Make it a Priority

As the saying goes, what gets measured gets done. There are clear compliance reasons for measuring your program, but it will also help you assess the effectiveness of the training initiative and make informed decisions about its continuation, improvement, or modification. Measuring the impact of a training program provides tangible evidence of its value to your business and to its leaders. Leadership support is critical to the success of the program, not only for budgetary reasons but also for reinforcing the importance of your efforts. If your leaders participate and enforce your program, it will contribute to its success.

GVA of the Scottish cyber sector is £426m with £811m generated in 2021 from cyber specific companies across Scotland. With our thriving cyber ecosystem it is clear to see that Scotland should be a key collaboration focus area for any country looking to strengthen themselves in the area of cyber security.

5. Create a Habit

Being safe with data is a habit. Developing any kind of habit involves creating a consistent routine and making gradual, sustainable changes. For Cyber Security Awareness, you should consider regular training, rather than an annual “one and done”. Encourage users to create habits around being safe online, taking time to make decisions about sharing data or disclosing information. Visual cues such as posters or notes will help to reinforce the habit, as will regular practice. Phishing simulations have a useful place, as does regular microlearning. Celebrating achievements can also be a useful tool in creating new patterns of behaviour. Consider an annual “Data Safe” Award ceremony or Cyber Security team building event. By considering these factors, you can design a cybersecurity awareness program that is tailored to your organization’s unique context, encourages a security-conscious culture, and effectively mitigates the risks associated with cyber threats.

About Vanessa Porter

Vanessa has been helping enterprises to use data and analytics effectively and responsibly for more than 25 years. She develops & delivers memorable data and security engagement programs that increase technology adoption, safely and securely. She lives with too many dogs in rural Oxfordshire.



WEALTH UNDER SIEGE: Family Offices and the Rising Threat of Cyber Breaches

Andy Miles, CISO, Quantum Resilience International (QRI)

In the world of high finance, where family offices safeguard the fortunes of the affluent, the allure of vast wealth also attracts the attention of cybercriminals. Family offices, responsible for managing the intricate financial affairs of high-net-worth individuals and families, have become prime targets for sophisticated cyberattacks. In this exploration of family offices and cyber breach stories, we uncover real-world incidents that underscore the urgent need for heightened cybersecurity measures within these bastions of wealth.

1. The Elusive Enemy: Social Engineering Unleashed

In a case that sent shockwaves through the financial community, a family office fell victim to a cunning social engineering attack. Cybercriminals, adept at exploiting human psychology, posed as trusted vendors and manipulated unsuspecting employees into divulging sensitive information. The attackers crafted convincing emails, mimicking established communication patterns, and creating an illusion of legitimacy. The result was a breach that exposed confidential financial data.

This incident serves as a stark reminder of the human element in cybersecurity. No matter how advanced the technological defenses, the weakest link often remains the individual behind the screen. Consequently, family offices are now placing a premium on continuous employee training programs that simulate real-world scenarios, teaching staff to identify and thwart social engineering attempts.

2. Ransomware’s Gripping Hold on Family Fortunes

In a chilling episode, a European family office found itself in the clutches of a ransomware attack that paralyzed its operations. The attackers encrypted critical financial data, rendering it inaccessible, and demanded a hefty ransom for its release. This incident highlighted the vital importance of robust backup systems and a well-thought-out incident response plan.

Family offices, recognizing the potential devastation of ransomware, are now doubling down on cybersecurity measures. Regularly backing up essential data, coupled with routine testing of restoration procedures, ensures that family offices can recover swiftly without succumbing to extortion attempts. This strategy not only protects financial assets but also safeguards the reputation and trust placed in these institutions.

3. Third-Party Perils: When Trust Becomes a Vulnerability

In a testament to the interconnected nature of the financial world, a family office faced a cybersecurity breach through a seemingly trusted third-party vendor. The vendor, entrusted with specific responsibilities, had lax security measures that became an unwitting gateway for cybercriminals. This incident emphasized the critical need for robust vendor risk management. Family offices are now placing greater emphasis on thorough due diligence when engaging with external partners. Rigorous assessments of the cybersecurity protocols of third-party vendors ensure alignment with internal security standards. As these breaches often exploit weak links in the supply chain, family offices are working towards creating a comprehensive ecosystem of security, extending beyond their immediate walls.

4. Insider Threats: Breaches from Within

In a betrayal of trust, a family office faced a significant breach when a disgruntled employee, armed with privileged access, intentionally leaked confidential financial information. This case highlighted the ever-present threat of insider attacks, where individuals with intimate knowledge of the organization’s operations become adversaries.

To counter insider threats, family offices are now implementing stringent access controls and following the principle of least privilege. Regular reviews of access permissions, coupled with advanced monitoring systems, help identify and mitigate potential risks posed by disgruntled employees or those susceptible to external manipulation.

5. Phishing in Trusted Waters: A Family Office’s Unwanted Catch

A well-established family office found itself ensnared in a phishing attack that exploited the inherent trust relationships within the organization. Crafted with precision, seemingly legitimate emails requested sensitive information, leading to a data breach that exposed confidential client details. This incident highlighted the pervasive threat posed by phishing attacks, where cybercriminals exploit trust to gain unauthorized access.

To counter such threats, family offices are investing heavily in continuous cybersecurity education and awareness campaigns. Simulated phishing exercises serve as a proactive measure to inoculate staff against deceptive tactics, ensuring that employees remain vigilant against the evolving landscape of cyber threats.

6. The Cost of Delayed Detection: A Family Office’s Wake-Up Call

In a narrative that unfolded over months rather than days, a family office faced the harsh reality of a cyber intrusion that went undetected for an extended period. The delayed discovery allowed cybercriminals to navigate through the system, causing significant financial losses and irreparable damage to the institution’s reputation. This incident underscored the critical need for continuous monitoring and prompt incident response. Family offices are now investing in advanced threat detection systems, conducting regular security audits, and implementing real-time monitoring to identify and address vulnerabilities swiftly. The focus is not just on prevention but on creating a resilient cybersecurity framework that can adapt to evolving threats.

Conclusion: Learning from the Frontlines

These real-world stories of family offices grappling with cyber breaches serve as both cautionary tales and invaluable sources of learning. As family offices navigate the complex intersection of wealth management and digital security, the lessons gleaned from these incidents become guideposts for a more secure future. The battle against cybercrime is ongoing, and family offices must remain vigilant, continually adapting their cybersecurity strategies to match the evolving tactics of cybercriminals. By investing in employee education, securing third-party relationships, implementing robust access controls, and fortifying defenses against emerging threats, family offices can not only protect the wealth entrusted to them but also uphold the trust and confidence of their high-net-worth clients in an increasingly digital age.



QUANTUM – THE POWER BEHIND WORLD-CLASS FINTECH AND CYBER SECURITY.

Quantum Group is a leading fintech and cyber security investment incubator, delivering world-class, practical solutions through a range of core products and services. Our companies deliver real world support for our clients, combining integrated hardware and software solutions with first-class customer service and product delivery. From state-of-the-art technology to unrivalled expertise, Quantum provides our teams with strong governance, leadership and investment to optimise performance at every level to guarantee the quality and consistency of service from all our member companies.

WWW.QUANTUMGROUP.UK | INFO@QUANTUMGROUP.UK +44 (0) 207 409 1888 | 15 BELGRAVE SQUARE, LONDON SW1X 8PS, UK


INSIGHTS FROM A VIRTUAL CHIEF INFORMATION SECURITY OFFICER (VCISO): Top 10 Tips for Securing Today’s Digital Landscape

Kurtis Toy, CEO and Lead vCISO for ONCA Technologies Ltd

In the dynamic and fast-paced realm of cybersecurity, Chief Information Security Officers (CISOs) serve as the vanguard against an ever-growing array of digital threats.

Drawing upon a wealth of firsthand experience and hard-won knowledge, a seasoned CISO imparts invaluable insights to help organisations stay abreast in the modern digital era. The following top tips serve as a starting point for organisations striving to safeguard digital assets in an era of constant evolution and persistent threats.

1. Prioritize Risk Assessment and Management:

The foundational role of comprehensive risk assessment and management in any effective cybersecurity program cannot be overstated. By identifying and prioritizing potential threats, organisations can assess and allocate resources accordingly to proactively mitigate vulnerabilities. However, it’s important to stress that a risk assessment is not a one-time task; it should become a living document and process that is frequently reviewed and updated. This will help to address any gaps in the cyber defences, and ensure actions are implemented to manage the risks accordingly.

2. Establish a Culture of Security:

It’s often recognised that the human element is typically the weakest link in cybersecurity; however, this component can also become the greatest strength if a culture of positive engagement and learning can be adopted by the organisation. Regular training sessions and awareness programs become instrumental in ensuring that every member of the organisation understands their role in maintaining a secure digital environment. This cultural shift towards prioritizing security awareness creates a collective resilience against social engineering attacks and other threats. Encourage employees to raise the alarm if they spot a problem or suspect an issue; it may just save the company.

3. Implement Multi-Layered Defence:

A single security measure is rarely sufficient in any scenario and in cyber security it’s vital to deploy multi-layered defences and mechanisms. This involves integrating various technical security measures such as firewalls, intrusion detection systems, antivirus solutions, and encryption protocols. These technical controls should be utilised along with robust processes and clear user awareness to avoid any single points of failure. By creating a sophisticated web of defences, organisations can better withstand the relentless and evolving nature of cyber threats.

4. Embrace Advanced Authentication Methods:

In response to the ever-growing sophistication of cyberattacks, we need to move beyond traditional password-based authentication. Instead, organisations should adopt advanced authentication methods such as biometrics, multi-factor authentication, passkeys, and other leading technologies. These measures not only bolster access controls but also provide an additional layer of defence against unauthorized access. Checking for unrecognised sign-ins should also form part of your cyber resilience.

5. Keep Software and Systems Updated:

Any IT professional will highlight the critical importance of regularly updating software and systems to patch vulnerabilities and protect against known exploits. Outdated software and unpatched systems are common entry points for cybercriminals. The recommendation extends to the implementation of automated patch management systems, streamlining the process and ensuring timely updates across the infrastructure.

6. Foster Collaboration Between IT and Security Teams:

Silos between IT and security teams can create vulnerabilities that cybercriminals may exploit. By fostering a collaborative approach, organisations can ensure that IT decisions align with overarching security objectives, creating a unified front against

7. Monitor and Analyse Network Traffic:

A proactive stance against cybersecurity threats involves the continuous monitoring of network traffic. Implement advanced network monitoring tools and intrusion detection systems to promptly identify and respond to potential security incidents. This real-time analysis is crucial for detecting anomalous activities and potential breaches before they escalate.

8. Develop and Test an Incident Response Plan:

Despite proactive measures, security incidents may still occur so it’s important to have a well-defined incident response plan in place. Regular testing and updating of the plan ensure that the organisation can effectively mitigate and recover from security breaches. This strategic preparedness minimizes the impact of incidents and facilitates a swift return to normal operations.

9. Leverage Threat Intelligence:

To stay one step ahead of cyber adversaries, organisations can make proactive use of threat intelligence services. These services provide

cybercriminals. By staying informed, organisations can adapt their cybersecurity measures to evolving threat landscapes and pre-emptively address potential risks.

10. Conduct Regular Security Audits:

Regular security audits serve as a cornerstone for evaluating the effectiveness of the cybersecurity program. To assess how well the company has implemented security controls, organisations should conduct thorough audits, both internally and through third-party assessments. These audits identify gaps and weaknesses that may have been overlooked, offering a comprehensive view of the organisation’s security posture.

11. Emphasize Data Privacy and Compliance:

In an era marked by stringent data privacy regulations, the importance of prioritizing data privacy and compliance is apparent. Adhering to relevant regulations not only protects sensitive information but also mitigates legal and reputational risks. A comprehensive approach to data privacy involves implementing robust data encryption, access controls, and regular compliance assessments.

12. Stay Informed about Emerging Technologies:

Within the world of cyber, there is an enormous need to stay informed about emerging technologies and their potential impact on cybersecurity. Understanding the implications of technologies such as artificial intelligence, blockchain, and the Internet of Things enables organisations to proactively address new security challenges. By staying ahead of technological advancements, organisations can integrate innovative solutions that enhance their overall security posture.

In conclusion, the insights from an experienced Chief Information Security Officer, or an outsourced equivalent, will provide a roadmap for organisations seeking to fortify their defences in today’s digital landscape. By prioritizing risk assessment, cultivating a culture of security, and embracing advanced technologies, organisations can navigate the intricate cybersecurity landscape with resilience and effectiveness. If in doubt, ask your CISO!


