Wendy Barnes, Director at Practiq Consulting Ltd, has worked across a range of industries, including national security, defence and utilities. In the last 15 years Wendy has developed significant expertise in Information Risk and Cyber Security, and her recent experience in building awareness at Board level has made her a leading figure in the modern-day Cyber Security field. Ahead of her talk at the Cyber Security Summit and Expo, we sat down with Wendy to discuss the state of the industry, her experiences and the attitudes towards Cyber Security that she has witnessed.
Explaining her route into the Cyber Security field, Wendy drew upon her roles as non-executive Director at several of the government security agencies, working in the information protection and assurance fields – the now commonplace term Cyber Security came later. Later roles as non-executive Director in the private and public sectors drove home the importance of resilience with regard to Cyber, and its value to organisations experiencing data losses. Bringing us to the modern day, Wendy says she now “does all she can to redress the balance and help Boards and organisations become cyber-savvy”.
Board Room attitudes towards Cyber Security are rightly seen as critically important in successfully combatting cybercrime and losses of data and information, and in ensuring organisations are prepared for the threats they increasingly face. In her past dealings with Boards, Wendy has encountered a range of attitudes towards Cyber Security, from denial, to unwarranted optimism, through to sheer panic, and she points to high-profile breaches as significant in driving the point home to Directors. The recent WannaCry and TalkTalk attacks, she claims, have stimulated more discussion around Board Rooms, through the realisation of organisational exposure to similar attacks. Having a Board member, at an executive or non-executive level, who has cyber resilience knowledge and experience and can champion its importance to their colleagues is, Wendy claims, a significant bonus in achieving buy-in at Board Room level. Offering an insight into her work with Board Rooms, Wendy suggests that “the trick is getting the Board to understand the threat and vulnerabilities and then to embed the action into their governance and processes, so it becomes the way to do business, rather than an add-on activity”.
Staying with the topic of the Board Room and looking to the future, Wendy states her belief that attitudes in general across business have notably started to change for the better, with Information Risk and Cyber Security now more than ever in the headlights for Directors and Executives and their businesses. Wendy points to the Defence and Finance sectors as exemplars of effective practice in the Cyber Security field, for use as benchmarks going forward. When asked about the methods of adopting Cyber Security throughout a business, Wendy was vocal on a holistic approach combining top-down leadership and bottom-up buy-in in order to successfully adopt best practices. Strong leadership, as well as support throughout the organisation, is crucial – “If a command and control approach is taken from the top without the necessary buy-in throughout the organisation, there is a risk that people, usually with perceived good intention, will find a way around it”. Referring to cultural views on Cyber Security, Wendy pointed out that we should strive for an embedded culture, in the same way as health and safety has been embedded in all industries.
Finally, Wendy spoke about the trends in Cyber threats, and in the technologies to counter them, that she has seen as an expert in the field, which she broke down into three distinct categories. Firstly, threats and technologies of which the industry is aware, but which it may be neglecting in terms of the attention needed to develop solutions; she gave Industrial Control Systems as an example. Secondly, emerging technologies and threats that are yet to become commonplace, areas where further research must be done to properly understand the benefits and risks, for example Blockchain technology and the wide-reaching Cyber Security related consequences of the Internet of Things, both positive and otherwise. Finally, she talks of threats that cyber criminals are developing of which the industry is at present unaware, and which will only be understood when an attack takes place – it is this ever-changing nature of the threat that means Cyber Security professionals must not stand still, but rather remain vigilant and develop further methods of protection going forward.