
10 minute read
Secon Cyber Leadership Interviews
by Secon
Janakan Nadarajah in conversation with Gerry Grant, Cyber Security Manager, NHS Tayside
JN: Tell me a bit about your role and what you do.
GG: I’m the Cyber Security Manager for NHS Tayside. It’s my responsibility to look after the cyber security of pretty much everything within NHS Tayside, so that goes down to the endpoints, the laptops, the desktops the majority of my colleagues use all the way to MRI scanners and all the other various bits of technology that may be used in hospitals to monitor patients and help save their lives.
It’s quite a wide and varied type of thing that I’ll see on a daily basis. One day I might be looking at a proposal for a new piece of equipment in A&E and the next day I will be trying to get somebody to update their iPad, so a whole variety of different things. For me, it’s that diversity that makes it interesting and was one of the reasons that I wanted to come and work in this environment.
JN: So how did you get into working in cyber security?
GG: I’d like to say it was a long time ago, but it wasn’t really that long ago. I had a bit of a mid-life crisis and wasn’t sure what I wanted to do with my life. The more I thought about it, I’ve always been interested in technology, and I just saw the way the world was going and that we’re becoming more connected and the internet of things is beginning to take over our lives.
That’s a fantastic opportunity, there’s loads of things that we can do with it, and part of me loves the prospect of being able to turn an oven on when I’m on my way home, but part of me is nervous because how secure is it? And who thinks about the security of these things? That’s what started to get me interested in cyber security.
The more I investigated it, the more curious I became and as time has gone on, I’ve learned and understood more about cyber security. I feel that I’ve got an obligation to try and pass that knowledge on to other people and to try to make people aware of what the consequences of their actions are and how we can make a safer world. I love the technology. I love what it can potentially do. I just want people to be aware of the drawbacks and think about how that might actually affect not just their business life, but their personal life as well.
JN: What do you love about working in cyber security? And what do you not like about it?
GG: I like most of it. I love the challenge, every day you’re faced with different challenges. For me, cyber security is about managing risk and making people aware of what the risk level is. In an organisation as big and diverse as the NHS, that can be difficult because what I might consider very risky, a doctor might think is not risky at all.
I get to communicate and speak to people at board level and I also get to speak to the doctors and all the other people within the organisation so I kind of feel like I have an impact on everybody, not just on one department. And yes, I’ve got reports to write and I’ve got meetings I need to go to, but I’m still thinking about different things all the time and that’s what I really like.
One of the challenges is it changes so quickly and the types of attacks you’re getting are changing all the time, so it’s trying to get that buy-in from staff as well. People go ‘Cyber security is really important, but I already understand it so I don’t need to listen to you.’ It’s trying to do something to spark reimagination to make them engage with you a little bit more.
Trying to get doctors to come to a cyber security awareness training, good luck with that because they’re way too busy actually saving somebody’s life. They don’t want to sit and listen to me drone at them, so it’s trying to find different ways and that’s really the challenge that keeps coming.
But I enjoy even the difficulties when I reflect on them. 99% of the time I would say I love it, it’s just the 1%, and that’s probably just before I go on holiday.
JN: How did the events of 2020 affect your organisation, its digital transformation, and cyber security agenda?
GG: 2020 was a difficult year for everybody and I’ve only had just over a year with the organisation. I joined right at the peak of the crisis and you know the NHS is unique in terms of how it impacted us and the response that we had to come up with. It certainly made us transform a lot quicker than we would have done in terms of digital transformation.
I think we’ve been on a higher level of alertness when it comes to cyber attacks and the impact that would have on us. In the last year, the number of conversations we’ve had around cyber security has been increased. It’s something that’s higher up on the agenda now than it previously was because they know now how reliant we are on the technology to ensure that our staff can keep that constant line of communication going.
It put a lot of pressure on the IT departments to make sure that everything was in place. We were made acutely aware of how important we were, and I think if you’re to take a positive out of it, it’s shown the organisation how quickly we can adapt and how important the work is that we do and how important the infrastructure is that we have in place.
When I took the job last May, I thought long and hard about it. I knew it would be a challenge and it has been the challenge that I expected. It’s a totally unique organisation that has unique challenges and you know, people talk about end-of-life software and legacy systems, but it’s not cheap to go buy a new MRI scanner and you’re not going to do that every five years just because part of the software’s reached end of life. You have to put other mitigating measures in place, and I knew it was going to be hard.
In a public sector organisation, things move a little bit slower than they do in the corporate world and budgets are a little bit tighter. You’ve got to fight for every single penny, but it was the challenge that I wanted, and I think going forward, it gives me such great experience you wouldn’t get anywhere else.
I’m never going to be a doctor, there’s no way I could stand the sight of all that blood. The only way for me to give back to the NHS is to take on a role like this. I want to make the NHS more secure for all the people that work here, but I want to make sure that all the patients’ data is safe, and I want to make sure that we’ve got systems and processes in place that give the best patient experience. Cyber security is there not just to protect NHS Tayside as an entity, but to protect their customers, which is everybody that lives in the area.

JN: What do you think organisations need to do to increase cyber security awareness and understanding amongst employees?
GG: I don’t think there’s an easy answer, but it’s about communication and it’s about creating a nudge culture that is showing the end user how it benefits their personal life. Generally speaking, the user doesn’t particularly care that they have to have a 12-character password to keep the company safe, but if you explain to them why it’s good to have a 12-character password for their personal banking, they understand it a little bit better.
You really need to get buy-in from board level, it has to come from the top down. It’s about making the board aware of what the risks are and how it can affect their organisation and them personally.
It’s difficult because you don’t want to create a fear culture. It’s more about explaining how we can protect ourselves and the steps that we can take. If we can teach that and get our users to understand that from a personal level, they’re not upset about it.
It’s about just that constant drip of awareness in the same way that health and safety was a big, massive thing in sort of the 90s and the early 2000s. We need to try and follow a similar sort of thing. It’s about trying to get people to understand the risk and the consequences of the things that they do.

JN: Focusing specifically on the NHS and healthcare, what do you see as the greatest security threat or challenge for the healthcare industry?
GG: One of the biggest challenges is making the clinicians understand the risk that they bring to the business. It’s not always the clinicians’ fault, I think vendors have got a lot to answer for as well when it comes to pieces of medical equipment. They sell pieces of equipment that are not built in a secure manner.
It’s trying to get that understanding from the clinicians that they need to ask the right questions and we as cyber security professionals need to provide them with the questions to ask. It’s about creating the right culture within healthcare.
We’re a public organisation, there’s not buckets full of money set aside for us to pour into cyber security and even from a public perspective, if we were to turn around and say we’ve spent x millions of pounds on cyber security, I’m pretty sure there’s a few people in the public that would be like ‘How many nurses and doctors could that have paid for?’
We need to speak to the vendors and get them to understand that they need to have security in at the beginning. It’s getting better, but they need to think about the life cycle of these bits of kit as well. How long are they going to support it for? What are the plans if the operating system does reach end of life? Do they have a backup or is there something different that can be put in place that’s not going to be too expensive?
There’s a lot of challenges, especially getting a doctor whose primary job is making people better and saving lives to think about cyber security even though they’ve got 101 other things to think about. I claim it’s important and they’re like yes, but how does it save somebody’s life? They need to begin to understand the risk they bring in and how we’re trying to help them mitigate it.
JN: What are your key cyber security focus areas for the next 12 months?
GG: We’ve touched on cyber security awareness and training, so I’ve got a whole strategy put in place around awareness and how we can roll that out across the organisation to begin that cultural change to get people to start thinking about cyber security.
Other focuses are around visibility of what’s happening on the network, how can we improve our alerting to any potential incident that’s come up, and how can we start to be a lot more proactive in looking for issues before they actually become an issue.
We’ve got different tools in place that should mitigate it should it happen, but we need to make sure that it’s a strong point for us. We can only do that with added visibility and the extra ability to see what the endpoints are up to.
They are the key objectives and I think if I got those in place over the next 12 months, I’ll be pretty happy and will definitely feel that we’ve moved forward.