Let's Talk Cyber
Discussing the pressing Cybersecurity issues around the globe today!
Let's Talk Cyber Ep3: Trust, Cyber and Governance
Host: Thomas McCarthy, Cyber News Global
Guest: Richard Preece, DA Resilience
Join host Tommy and guest Richard as they explore the meaning of trust, cyber and governance; why this is important for board and executives to consider; and what you can do as an individual or an organisation.
Thomas (00:09.21)
Welcome back everybody. My name is Tommy McCarthy. We are Cyber News Global and this is Let's Talk Cyber. And I'm delighted today to introduce somebody I've known for quite a number of years, Richard Preece. Richard's the managing director of DA Resilience. He's also the chief training officer at OSP Cyber Academy. But he's got much more to his moniker than that. Richard's had an amazing career. And before we get into his subject,
subject today incidentally is going to be trust, cyber and governance. I'd like to ask Richard to give us a little bit of a brief background about who he is, where he's come from and what he's doing now. Over to you Richard.
Richard (00:49.033)
Hi Tommy and thanks. I'm not sure I'll meet your billing of a remarkable career. So I've been working in this space for probably in one form or another 30 odd years. I started off in the army, did 24 years in the army. Along the way around about the millennium,
someone had a bright idea to send me off to Advanced Command and Staff course, which was great, even better they sent me to Australia. But they then said my penance was I had to do an MSc in design of information systems. And really the second half of my military career and subsequently I've been involved in various aspects of digital transformation, cyber security and resilience, including everything from how we think of societal resilience, down to but primarily organisational resilience and the different aspects of that including cyber and operational resilience.
Thomas (01:57.218)
Now I guess Richard one of the things I'd also like you to elaborate on is where you currently are now in relation to education and training because you play a big part in the OSP Cyber Academy delivering obviously corporate governance in data protection and cyber. Where do you see the education need more than anything else right across the spectrum for business leaders?
Richard (02:19.871)
So I think the first thing is to really make clear all the training and education that we do in OSP is based on the real world experience of working across multiple sectors. So my consulting engagements take me financial services, oil and gas, energy, education, local government, and various other sectors in different guises. And so the training
that and the education we put together builds on that real world experience. It also builds on my experience as a member of the British Standards Institute's governance standards panel and the various work I do in that area. So what we try and bring is the recognition of the real world challenge combined with some of the leading practices that we observe and help implement in the real world.
Thomas (03:18.712)
Great Richard, that really puts a lot of meat onto the bones for want of a better word. Today's subject, Trust, Cyber and Governance, is quite an interesting one. I guess what I'd like you to try and do for us is to unpack what you mean by trust, cyber and governance, just to give a bit more context to that title, that subject, if you don't mind.
Richard (03:40.189)
Yeah, trust is really important. And I've been looking at this issue for decades now, quite frankly. And when you boil it down, trust is pretty central to the way society works, the way organizations work, and the way we work individually. In our daily lives, we trust things. We
expect them to work in the way we want them to. We expect people to behave in the way we want them to. And trust is ultimately based on credibility of your actions, the authenticity, do you believe it, are you being truthful, and ultimately, are you competent to do what you're doing? You know, do I trust the pilot I jump on the plane with? Well, I do if he's with a reputable airline and I trust that they
do all the right training standards. And it's in their interest to have a well-qualified and experienced air crew when I jump on that plane. So trust is central to everything because if you're a business trying to sell something, people want to trust that the product or service you're selling works. If you're in government at whatever level, people want to trust that you're going to deliver what they need. And when we now get into an increasingly
digitized world or a cyber world, a cyber landscape that is far more than just IT technology. It's got a physical element, it's got a network element, it's got the data itself and the information involved. It's got multiple personas. No one knows you're a dog on the internet. Ultimately, it's about people and the way they socially interact and
the fact that their personal and professional lives are increasingly overlapping in the way we work, from home, while we're traveling, and the fact that we're often using devices, the same passwords in multiple spaces. And so when we get down to governance, it's about who is accountable for this new digital enterprise and making sure that
Richard (06:04.57)
as we use digital technologies which bring huge opportunities and help us address many of the challenges every organisation and globally we have, that we're doing it in such a way that we enable those opportunities but we protect it and that people can trust that it's done ethically and securely.
Thomas (06:28.73)
You've got me smiling there Richard about the analogy there about trust. What a great way to reinforce the importance of trust with the pilot on an aeroplane because we all travel so often on planes without realising sometimes we don't stop to think about the credibility of the airline and the training the pilots go through. So a really good analogy that drove it home to me. That's really, really important for most people to understand. I guess if I was a board member or an executive,
I wanna know why these issues are important. I guess what would be in it for me, or more importantly, what would be in it for my organization to understand about these issues you've just touched on?
Richard (07:08.281)
So if you're a board member, senior exec, senior manager, if you're not using digitalization, i.e. using better use of data, better use of technology, then you're probably not, your organization is either very niche or you're not waking up to the real world. In the real world, data and technology enabled transformation is central to future success.
And this is looking forward, not back. So you've got to work out how you are going to enable your strategy to achieve what you want to achieve as an organization, whether that's commercially or in the public sector or third sector. And if that's the case, then you've got to recognize that you're potentially amplifying existing risks, which used to be just a problem in the IT world, problem with the security guys and girls.
But now is actually it is your business. It is your organization. So if you don't take clear understanding, that doesn't mean you have to be the expert, but you need to be able to understand and challenge the expert and see how this impacts on your organization. Then you are not fulfilling your overall duties to show due care, skill and diligence.
and look after the well-term, long-term, sustainable future of your organisation, be it commercial or public sector or third sector.
Thomas (08:46.362)
You know what Richard, you've reinforced that point so well because seeing the amount of work that you're currently doing in the public sector with the Cyber Centre of Excellence, it's pretty obvious that these are issues now that face just about every sector and every individual. And I guess on that point what I'd be asking you now is where would you suggest that individuals or more importantly organisations start? Where's a good starting point for them to look at the governance and the risk?
Richard (09:14.998)
So I think hopefully we've now got off all the fear and uncertainty and doubts that was swirling around and people do. And in my experience, most people are now recognizing the challenge and are trying to work out how to systematically and effectively do it. And I think the way to do this, because everyone's different, the context is changing and it's, you know, the
nature of the environment is we're working increasingly volatile, uncertain, complex and ambiguous environments. So that means we need challenge questions. And there are three governance challenge questions, and I think there are three risk challenge questions. So the first thing from a governance perspective is what information do you actually need to support your
critical decisions, what are your big decisions? But most of these are really cross-cutting decisions because that's the nature of the cyber landscape. It cuts across everything because it is your business. So what do you need to make your decisions and further down the chain? What expertise do you need? What expertise do you need and what expertise do you need within your organization? And that might be including specialist advisors who you can call in.
to provide appropriate challenge. So I spend a lot of time providing that critical thinking, that challenge and helping on both board members and executives and further down the chain, really to have honest and open conversations about the challenge and navigate those sorts of issues. And then the final thing is you need to think about what's the
risk impacts of things both going right, but also going wrong. Because this is, because it's now pervades the whole organization, you're going to have impacts across reputation, across your operations, across your commercial arrangements. You're going to have impacts with your legal and regulatory potentially, depending on where you're operating with.
Richard (11:40.082)
And then finally, all of this has a bottom line impact. It all costs money. And sometimes it costs money, a pound of prevention to prevent considerably more long-term impacts. And that's a challenge. And there's always going to be really challenging decisions to understand and think through. And the only way you can then start really nailing down those investment decisions.
and those wider decisions is to start looking at your risk challenge questions. And that's about knowing yourself as an organization. So it's understanding what you have no or very limited control. So your suppliers absolutely on point as a target for supply chain disruption, both in the physical world, we just need to see what's going on in the Red Sea, but actually in the digital world. And that's again,
one of the key trends, if you want to cause harm, and if you're a bad person, you want to get maximum bang for your buck, you go for the supply chain, which is hitting multiple customers. So supply chains and other things outside your control, what are those things and what's your plan if they get disrupted? The second issue is, what are the inherent risks in your organization, in the way you operate? And, you know,
all people are vulnerable, all data, all technology, all processes and the facilities and the enabling infrastructure of those facilities are all vulnerable. So what are those inherent risks? What happens? How can you mitigate them? Hopefully preventing them in the first place, but how would you detect? How would you respond and how would you recover? And then finally,
we've made clear digital transformation is central to probably your strategy. So what happens, where are the inherent risks of self-inflicted injury? You know, you decide to do some great change, how could they go wrong? Because the business case will all be how it can go right. And that's great to consider, but what happens on a bad day? So do those pre-mortems, do those sort of scenario tests.
Richard (14:05.647)
where people genuinely challenge where this can do and try and anticipate and cut off in advance.
Thomas (14:13.018)
Richard, I asked you to give me a subject for this particular podcast and you said, trust, cyber, governance. I thought, oh, is that going to be enough? I think we could go on forever more and contextualize this subject. I mean, there's so much to consider, you know, in relation just to those three titles, trust, cyber and governance. I guess what would be important for me to understand is what does good look like, Richard? Could you elaborate a little bit on what would you perceive good looking like as?
As an advisor, as a consultant, when you're speaking to customers to understand what the landscape is for them, what does trust look good look like?
Richard (14:53.646)
So it comes back to context. People always want to say, well, what are my peers doing? And that's important. And you can gain good insights because there's no monopoly of good ideas. But ultimately, what do you need to have? What are you trying to achieve as an organization? What are your values? And then how do you establish trust? And you demonstrate trust.
by being credible in your actions. So do you have a credible plan and strategy for cyber resilience and overall resilience? And are you actually executing that? Do your values, do what you say. Are you being authentic or are you saying one thing and doing something slightly different? I think that the Post Office Horizon scandal is a really good example where you've got that.
Thomas (15:49.902)
Yeah.
Richard (15:52.244)
complete misalignment between what's being stated externally by individuals and by the organisation and what was actually going on in there. And obviously that's still ongoing for the whole story to come out. But yeah, that's the basic story. The trust in the post office has been compromised. And then finally, competence is what you're doing competent and
How do you make sure you're competent? If you're a board member, if you're a senior executive, you don't necessarily need to be over the detail. But like any other complex problem, you need to be asking the right challenging questions and seeking advice from people who will say, yeah, that makes sense, or actually they've not thought about that, or they're really pulling the wool over your eyes. And that means being much more open.
and further down creating a very safe space where your IT professionals, your security professionals, who quite often feel under a huge amount of pressure can actually have an open and honest conversation. So they're saying, yes, we're doing this, but we still are concerned about this aspect. Or, yeah, we don't quite have a full control of this and this is for us. And it's not a blame.
game, it's about really getting to the root cause of the challenges and being clear about that and having an appropriate culture to encourage that. So it's about not treating cyber as a technical issue that's just done by other people. It's treating cyber as part of your overall strategy and for what you're going to do to develop
the trust in your organisation that you're going to achieve what you're trying to achieve.
Thomas (17:56.218)
I guess listening to the points that we've just covered Richard, it's fair to say that three small subject matters, trust, cyber and governance, require a lot more consideration at a board level, there's no question about that. And we could go on forever more Richard, but as you know, this was gonna be a short podcast. What I would like to say is a massive big thank you to Richard Preece. First of all, as a consultant through DA Resilience,
You'll see Richard's email address coming up at the end of this podcast. If you need to speak to Richard about anything, reach out to him from a training perspective, Richard, what you're doing right now is revolutionary with OSP Cyber Academy, especially with the Cyber Risk and Resilience Board Training. The progress you're making is tremendous. So again, I can't thank you enough for that. If you are watching this on Let's Talk Cyber podcast on YouTube, please remember to subscribe. If you like what you've seen, big thumbs up and share it again.
All I need to say now is Richard Preece, thank you so much for your time and enjoy the rest of your day. Thanks Richard.
Richard (18:57.737)
Thanks, Tommy.