Our second ‘Critical Conversation’ (the first was with Abbott director Joule Sullivan) is with Robert Hall, executive director of Resilience First, a new, independent, not-for-profit organisation promoting resilience in business communities around the UK.
He brings to the role a wealth of experience accrued in risk, security and resilience from positions in both the private and public sectors. He was therefore well equipped to speak about the need for greater collaboration and information sharing between public agencies and private businesses, as well as how the risk and resilience profession is evolving, the shifting threat landscape, the importance of resilience and redundancy and, inevitably, the possible implications of Brexit.
Robert, who moved into corporate security from the military, has fulfilled the following notable roles:
- Most recently as director of the Security & Resilience Network at London First
- Senior positions in two FTSE-100 companies that specialise in financial services and manufacturing
- Head of analysis at a national intelligence agency
- Founder of an international forum on global security and law enforcement for senior executives in government, business and academia
- Managing editor of security titles at an international publishing company
IFSEC Global: Hi, Robert. Please tell us a bit about Resilience First, its purpose and any notable achievements to date?
Resilience First is led and funded by business to strengthen collective business resilience. Originated by London First, the initiative aims to make the difference between success and failure for any business community facing major challenges or severe disruption.
Through thought leadership and advocacy on better resilience, sharing of best practice, and partnerships, Resilience First will embed resilience into corporate culture.
Drawing on the collective experience and capabilities of our network, it aims to create a template for resilience that is transferable to any urban area, in any country: a way of operating that is designed to bring about local change. The first workstream has focused on the Fitzrovia area of central London.
Since inception in June 2018, the initiative has attracted ‘champions’ like Barclays, Tesco, Intel, Facebook, Stansted Airport, UK Power Networks, and MasterCard.
IG: In what ways is the role of the senior security or resilience professional evolving and why?
The threat scenario is changing and people have to adapt – that’s the key word I would emphasise. The changing nature of the threat demands new skills and better risk awareness.
The rapid pace of technological change – particularly digital and cyber but also AI, robotics, etc – is a big driver. The sophistication of the opposition in terms of hacking, state-backed crime, organised crime, misuse of bitcoin, etc means we have to become cleverer and find new ways to respond.
There is now a growing emphasis on resilience: accepting some threats will get through, but mitigating damage rather than stopping all comers or building fortresses
There is now a growing emphasis on resilience – ‘bouncing forward’ – in accepting some threats will get through, but mitigating the damage rather than stopping all comers or building fortresses,
Security professionals have to get to grips with this new world.
Security professionals have traditionally entered the sector via the police or military. Is this changing or likely to change? Are those transferable skills still appropriate and sufficient?
That’s always been the traditional route and I think that will continue for a while, because those people have the experience of security and risk in their portfolios.
However, I think people are awakening to the idea that the profession needs to broaden its horizons beyond those rather narrow professions. A lot of people now taking up masters degrees in risk, resilience and security are bringing new perspectives.
The broader the church there can be in any one organisation, then all for the good – but it will take some time to change tradition.
How difficult is it getting up to speed with cybersecurity and the connectivity of modern security technologies for security professionals who don’t often come from an IT background?
I think there’s a difference between being an IT expert and understanding how to use sophisticated IT systems that we need for forensics and investigations and that sort of thing.
Both government and the private sector need people who are professionals and aware of the technology, but not intimately involved as to which wire connects with which wire – and there is a distinction.
It’s too easy to say: “It’s an IT problem so I’ll throw it to my IT experts”. Many of the issues are much bigger than that, because they affect reputation, strategy, resourcing, the supply chain… So we need that common understanding of the implications, the challenges, the vulnerabilities, without necessarily being an IT expert.
And we need to combine functions under one banner – become holistic – and to demonstrate value/ROI.
To what extent is protecting critical national infrastructure (CNI) and cities harder than ever given the cybersecurity and terror threats?
By virtue of becoming more complex, cities have become more vulnerable – to disruptions both of a physical and cyber nature. As we get more Internet of Things, connectivity and data transfer, systems will be more subject to disruption, and there are states and individuals out there wanting to cause that disruption in a host of new ways.
So cities and critical national infrastructures are becoming a real headache for authorities to protect, when threats are mounting and challenges are changing.
We have government security classifications, lots of strategies and plans, we spend lots of money on cyber defence, but the fact is that around 80% of CNI sits in the private sector.
The government appears unwilling, for understandable reasons, to simply tell private companies that “you must do this” – even when it comes to national security or societal protection.
On the other side, the private sector, also for understandable reasons, is very reluctant to accept responsibility and liability for national security. Primarily, it needs to look after its own business.
You have this dichotomy between the government prioritising national security and private companies prioritising their bottom line
So you have this dichotomy between the government prioritising national security and private companies prioritising their bottom line. There is a tension between what one side wants and the other side can give.
Google and Amazon now provide a lot of subsea cabling around the world. Not only is that vulnerable to foreign disruption, but they’re running networks and cloud services from a financial point of view – not to protect nations.
So who owns the subsea internet connections? They’re not owned by a specific country. So it’s very difficult to identify who owns any one critical national infrastructure.
Companies like Amazon and Google also have a vast wealth of data that governments do not control. It’s very difficult to balance authority and responsibility, when politicians don’t want to introduce laws and regulations, but they want the private sector to take some responsibility, some liability.
Look at the battle going on with Google and Facebook, [who are resisting government pressure to] reveal data. This tension will continue while these companies operate internationally pretty much in isolation.
Some have argued that even if the government had unfettered access to such data it would simply drive criminals and terrorists onto the dark web…
They’re on the dark web now, using increasingly complex encryption in messaging. There’s an argument about how much governments can force companies to reveal about their encryption devices. Some say we can’t because it’s just not possible.
It’s a very complicated issue, but it just makes my point that the world is more complicated and it’s not easy to keep a handle on every threat and challenge.
We also need to combine top-down (strategic) and bottom-up (tactical) approaches – if possible.
There is a strategic component that likely comes from government to determine priorities and resources, plans and strategies. But delivery of these plans and strategies comes from people and organisations on the ground.
It’s quite difficult sometimes to make both elements meet in the middle.
Often we think about strategies and plans – for example with the government and cyber –but actually it’s down to people like you and me changing our passwords – and embedding that behavioural change is not easy.
Resilience and redundancy are seemingly very important words in the modern senior security professional’s lexicon…
Resiliency means having the capability to be flexible. So if a system goes down you’ve got something in reserve to fill that gap.
In this complex world we tend to focus on ‘just in time’ systems, off-shoring and outsourcing, which are all very good at saving money, but when a system breaks down, it’s actually very helpful to have an alternative or reserve capability.
A good example is where the government has closed one of the biggest gas storage facilities in the North Sea, called the Rough Facility. Therefore, the buffer storage capability for UK gas is diminished.
Now I understand that reserve storage capacity comes at a cost. But if you strip it out you potentially incur much larger costs if something goes wrong.
So there’s always this balance between ‘just in time’ and having a reserve.
The Fukushima disaster was one example where fail safes and contingencies had not been adequately built-in…
Yes. The sea walls could have been another 10ft higher to stop the tsunami. It’s always [a case of] how much is enough? When the worst case happens, it’s obviously never enough.
But the principle the military always operates under is to never go into battle without a reserve for unforeseen circumstances. And if you deploy the reserve you find another reserve.
That mentality is not easily transferable to the cost-conscious commercial environment. They don’t want reserves sitting around doing nothing. But there needs to be a balance between the two [mindsets].
Critical national infrastructure is not as simple as worrying about a ‘one in a million’ event. These events happen with increasingly frequency
When talking about critical national infrastructure it’s not as simple as worrying about a ‘one in a million’ event. These events do happen with increasingly frequency.
Texas has experienced two 1-2,000-year flooding events in the past 50 years. So past probabilities cannot always be used as predictors of future risk.
With a critical system, you must have a redundancy reserve, a failsafe.
You mentioned ‘horizon scanning’ in our conversation in advance of this interview…
There is one argument to say we can’t look into the future – it’s just too unpredictable.
I would argue the contrary. Because it’s becoming so volatile, you need to start thinking about possibilities even more than you have in the past. And you can’t just rely on past trends.
So I think horizon scanning needs to be more ambitious – accepting that it won’t always be right –stretching those horizons out to 10/15/20 years, as we do for climate change.
How important is intelligence/information sharing between government agencies, between governments, between government and business etc given the threats we face?
There’s sometimes a reluctance by the public sector to reveal what they know when they have the unbridledauthority over the intelligence, whereas business needs to know practical, consequential information that may be useful to prepare staff. This should be action oriented, without the finer intelligence of sensitive names and phone numbers.[
I think the Americans are ahead of us in many respects here. It’s a cultural difference. They are traditionally more willing to share details with to business, and to let business take responsibility. .
We are much more government-focused and government gives the lead.
But I think as resources become more stretched because of monetary restraints, the only way for governments to help themselves is to involve the private sector more. There is talk of the private sector helping the military in non-combat roles, as the armed forces are also under resource pressures.
In the same way intelligence, whether gathered by police or agencies, has resource constraints. Therefore the private sector can help if it’s invited to open its arms a little further.
To what extent is the UK a world leader in security and why?
I think we are recognised as being pretty good at security. A lot of people come to the UK for best practice and I don’t wish to retract from that.
But I think in certain areas we aren’t as good as we think we are – and information sharing between the public and private sector is one of them.
We’re getting better. Overall I think we’re probably in the top 10, maybe top five, of countries that know what they’re doing when they talk about security..
Alas, we could hardly finish the interview without mentioning Brexit…
We are potentially in danger of cutting ourselves off from a lot of information sourcing, from databases held by the EU. But until the negotiation is complete, it’s difficult to know how badly we will fare as a result.
Clearly, we don’t want to spend a lot of money replicating those services or manning our border force to 10 times their current strength and to pay for it when we don’t absolutely need to. We’ll give some sensible comment when we see what the final deal looks like.
From the growing quantity of data to new innovations like Artificial Intelligence (AI) and machine learning, the surveillance and security landscape is changing. The Seagate Surveillance Storage Survey 2018 is a look at what the industry challenges really are—and what businesses, security industry professionals, installers and integrators need from their storage moving forwards.
Discover the challenges now by clicking here.
The following content is provided by IFSec Global, you can view the original article by visiting the IFSec Global Website