Having worked in cybersecurity within both the NHS and charity healthcare sector, this saddens, but doesn’t surprise me.☹
Ransomware is not new; not to the world, and not to the NHS.
On Friday 12 May 2017 a global ransomware attack known as 'Wannacry' was unleashed on the world; the NHS was one victim among many across over 100 countries.
Here we are, more than 5 years later…
Why is it still able to cause so much damage and disruption to patient care that can result in physical and mental harm - to staff as well as patients? 🤷🏾♀️
There are many contributing factors which could fill a book, and my top 3 are: complexity, budget (lack of) and change.
➡ Cybersecurity and complexity
Many people in the UK mistakenly believe that the NHS is one entity; it's not. It's actually a complex ecosystem of hundreds of individual organisations and governance structures, supported by many service providers and suppliers, that all need to work together to deliver patient care.
These structures are ever-shifting and typically add more complexity instead of reducing it. This is particularly true when it comes to securely sharing information between organisations. Contrary to popular belief, there isn't a single patient data system and secure interoperability between them increases the level of complexity.
➡ Cybersecurity and budget
Every day we hear on the news that the NHS is cash-strapped and struggling to find staff. It's no surprise, then, that prior to Wannacry, whenever we asked for budget to improve cybersecurity, the response was typically 'No, we need to spend it on patient care'. Thanks to the disruption of Wannacry and other cyber-attacks, NHS leaders now realise that failure to spend on cybersecurity can result in failure to deliver patient care.
➡ Cybersecurity and change
Pre-COVID, delivering change in the NHS was historically a slow and lumbering process. During COVID, rapid change across the health and social care sector showed just how quickly things could change if there was the will, capability, and legal gateways to support it. Inevitably, the pace of change introduced more suppliers and more risk into the system, with information governance and cybersecurity professionals struggling to keep up with risk assessments and mitigations.
There are two Cybility Savvy episodes in conversation with change managers that shed more light on VUCA (volatility, uncertainty, complexity, and ambiguity) in general.
- All change… In conversation with Amy Tarrant
- A Change manager's view on digital transformation and cybersecurity
Cybersecurity in the NHS - some background
When Wannacry happened, the government and some in the NHS were aware of cybersecurity risk and work was well underway to improve it. In 2015 things were already changing. The government invested £50m in the creation of CareCERT (a sector-specific national cyber support service). There weren't many of us employed as cybersecurity professionals by NHS Trusts back then; I recall contributing to Dame Fiona Caldicott's National Data Guardian review into data security ('Caldicott 3'), which was eventually published alongside the Care Quality Commission's (CQC) 'Safe data, safe care' report (see references below). Appendix 3 of the Lessons Learned report provides a 'Timeline of Data and Cyber Security measures before WannaCry'.
More reports and recommendations followed after the attack, which did result in positive changes. In particular, the government released funds for the NHS to continue investing in cybersecurity, enabling the NHS Data Security Centre to offer cyber security services to other NHS organisations.
Cybersecurity in the NHS is not an easy problem to solve; however, it is a vitally important one.
If you need help with cybersecurity in your health and social care organisation, get in touch.
- NDG Review of Data Security, Consent, and Opt-outs https://www.gov.uk/government/publications/review-of-data-security-consent-and-opt-outs
- CQC Safe data, safe care https://www.cqc.org.uk/publications/themed-work/safe-data-safe-care
- National Audit Office: 'WannaCry cyber attack and the NHS' https://www.nao.org.uk/report/investigation-wannacry-cyber-attack-and-the-nhs/
- Combined report from Department of Health and Social Care, NHS Improvement and NHS England: 'Lessons learned review of the WannaCry Ransomware Cyber Attack' https://www.england.nhs.uk/wp-content/uploads/2018/02/lessons-learned-review-wannacry-ransomware-cyber-attack-cio-review.pdf
One year ago, I excitedly stared at the paper before me: a certificate from Companies House confirming that I was now founder of Cybility Consulting Ltd - my very own cybersecurity consultancy company!
Reflecting upon the past year, I thought I'd share some lessons I've learned on my journey, things I'm glad I did and others I wish I had done sooner.
First, why did I decide to start my company?
I had been leading information governance and security programmes in the not-for-profit sector for over a decade. In 2020, I left my job at a nationwide charity for both mental and physical health reasons. I took the time to recover from burnout, thinking that, when I was ready to work again, I'd apply for a full-time CISO role somewhere. However, thanks to fair challenge from my coach, Tim Sims, I took the opportunity to redesign my life and working for myself felt like the natural choice. I realised I could help more organisations improve their information governance and increase their cyber resilience in this way than I could whilst working in-house.
So, here are some of the lessons I’ve learned this past year...
Preparing to run your own consultancy
🎯 Vision and Mission - The process of burnout recovery included finding a new sense of purpose for myself. Take the time to clearly articulate your vision of what the business could look like in the future, the mission driving you to achieve it, and your rationale for both.
- Motivation - Your 'why' has to be sufficient to motivate you when things aren't going how you expected (and nothing in life ever goes exactly how we expect).
- Values - These will inevitably reflect personal values when you run your own business. However, they are not necessarily identical. This is especially true as you start to employ other people. Which leads me to…
- Behaviour - What is acceptable? How do we demonstrate and 'live' the company values?
📄 Business planning - do your research
- Talk to other entrepreneurs and find out what working as a consultant really entails.
- Run ideas past different people, e.g. friends, family, former colleagues, people working in your target sector.
- Get lots of different views and evaluate for yourself.
- There are also a lot of public resources and courses for budding entrepreneurs.
- Check out local business hubs, including the chamber of commerce.
- Use your local library as they have access to all sorts of current information about trends in different sectors.
🤳 Know yourself - If you weren't already, it's time to get real with yourself.
- Inventory - Do you have the skills, traits, abilities and knowledge to achieve your goal? If not, can you live with the level of risk that remains due to the gaps? Do you need to find ways to fill them or do you accept that it may not be for you?
- Professional expertise and knowledge - Whilst this will be the primary reason that prospective clients need your services, it's unlikely to be the thing that differentiates you.
- 'Soft skills' (which in my view are harder than hard skills) - are crucial to working as a successful consultant.
- Credibility - the ability to quickly take the pulse of an organisation and adjust your approach sufficiently to fit within it is key to this.
- Be open - you will learn new things about yourself. For example, I never would have imagined that I'd start 'Cybility Savvy', my own podcast and YouTube channel!
🛌 Look after yourself - as your own boss there is no one else that is going to be looking out for you.
- Making connections - It is really important to connect with people you trust that you can speak to in a professional capacity that know the challenges you face and can share how they have dealt with them. It can also afford you opportunities that you wouldn't have otherwise.
- Keep learning - protect time for your own professional development. Your clients pay for your expertise; they expect it to be current and reflective of good practice.
- Have fun - Engage in your hobbies and with your friends; you are more than your job.
- Protect your time - For whatever and whosoever is important to you; actions trump words.
- Sleep - Get enough; it's that simple (yet so hard for some of us).
🤹 Jack-of-all-trades - Inevitably, in the early days of running a business you can't afford to take on staff or outsource tasks to others, so you find yourself as both manager and staff of each department. Be prepared to wear different hats, and be willing to learn things beyond your area of specialty.
That said, it is important to know what you can and cannot do, and what you should not do even if you think you can. Sometimes spending the money to engage a specialist is the right option.
💰 Finance - It all adds up…
- Accounting software - Don't do what I did and start using a software package before getting a good accountant. Most will have a relationship enabling you to get a discount; then there are always the free options via decent business bank accounts.
- Grants - Initial research suggested the availability of grants for me as a black woman in cybersecurity. What I found was that often I didn’t meet all the eligibility criteria.
- Lines of credit - I found that as a new business starting up in the throes of the pandemic, banks weren't really lending. I was trying to get an overdraft to help manage cash flow; funnily enough, customers like to leave it until the last possible day to help with their own cash flow! 😂
- Beyond a team of one - Making the decision to employ staff is never an easy one when you're on a budget. However, as I said above, it's important to recognise what you can and cannot do (both in terms of knowledge and skill as well as having enough hours in the day) and what is needed to progress towards that vision.
- Tone from the top - as the owner this comes from you. No longer can you say something about the importance of senior management buy-in; the buck stops with you.
- Learning - I find it important to reflect on my own behaviour as a manager.
- Email and website domains - Whilst I had no intention of creating a website yet, one of the first things I did on choosing the name was to purchase the domains for email and future use.
- Business v Personal - Whilst overkill for some people, it's always been important for me to have a clear separation between my personal and work life. This applies to applications, devices, systems, and phone numbers.
- 💡 If like me you can't have 2 SIMs in your phone, there are services that allow you to pay as you go or pay monthly for additional numbers. Cybility has a landline and I have a work mobile.
- Cloud-native - I had no desire to set up and maintain servers at home (space is at a premium). You can get a decent deal from Microsoft with their business premium offering; in my case I also added some security add-ons because, you know, I work in cybersecurity!
- IT support and Cybersecurity - Going from working in large nationwide organisations with a large IT team and a separate cybersecurity team back to hands-on work was a shock. I'd forgotten how long it can take to deal with things, which took me away from billable work. This was one place I opted to outsource.
⚖ Legal - Unless you happen to be a qualified solicitor, I strongly recommend that you look for a service to support you.
- Advice - There are benefits to joining professional industry and trade bodies such as the Federation of Small Businesses (FSB).
- Contracts - I found Rocket Lawyer and FSB to have reasonable options for starting templates.
- Don't underestimate how long it takes to think through the different scenarios and ways things can go wrong, which is key to choosing the applicable provisions.
- Getting a good solicitor with experience of working with IT / management consultancies on intellectual property and commercial contracts will pay for itself when things do go wrong.
- Insurance - From employee and public liability to professional indemnity, and so on. Establish what is the level that your clients expect to see in contracts and ensure you have the appropriate cover with a reputable provider.
- It takes time - a focused marketing effort is more effective in winning new custom than working the traditional sales pipeline. However, it takes time to create and review content, add graphics, post to different channels, and so on.
- Branding - Define the company brand.
- As the front face of a business, get someone experienced to assist if you can afford to do so.
- Also consider whether to trademark the name and logo or not (will depend upon services).
📈 Sales - People buy from people.
- Know (and believe) the value you have to offer. Be clear on what makes you different from others.
- Define your ideal customer's profile and, contrary to what one might think, be narrow and specific.
- What are their pain points? How and why can you help them better than anybody else in your competitive space? Where do they hang out?
- It is better to get a handful of quality customers that appreciate you, than lots that don't.
- That said, it's also important to diversify your customer base.
📥 Service Delivery
- Business Model Canvas - this is a great technique for looking at the business from a high level.
- I've found them to be so helpful whether running IG & Cybersecurity in-house or as an external consultant; both for clarity for myself and as a tool to explain to others.
- Business Processes - Ensure that you identify and create streamlined processes for onboarding and offboarding clients; think about customer service reviews, invoicing, and so on.
🛒 Products and Services
- These don't magically appear. Don't underestimate how much time it takes to create a product or service. What is it? Who is it for? Why will they buy? How much will it be? How will you deliver it if you are sick? Consider partnering with other consultants, subcontracting and white label work (working for another consultant yourself).
- Remember that your friends are also likely professionals in their own right; whilst I don't advocate for freebies (as professionals they deserve to be paid), do invite their input; there may be opportunities to work together that you hadn't realised.
💲 Pricing Strategy
- All the books (and mentors) said, 'don’t charge for time, charge for deliverables'. Rookie error, I learned that the hard way.
- Don’t price yourself too cheap to start; you can always shift prices down. It's harder to increase them - even accounting for inflation.
👨👩👧👦 It takes a village - Take opportunities to shadow professionals you admire, find mentors and learn from their mistakes so you don’t need to make the same ones. In my experience, everyone was so giving of their time, and happy to share what they learned. I’m very thankful to the following people in particular (in alphabetical order by first name):
- Carol Stewart
- Christopher Tait
- Elizabeth Curry
- Graham Walden
- Ian Andrews
- Ian Henderson
- Ian Shorten
- Ivan Delany
- Jackie Freeman
- James Pearson
- Jon Ashford-Clark
- Kane Sterling
- Karl Goatley
- Les Pritchard
- Lisa Ventura
- Mark Rivera
- Peter Dawes
- Phil Puddefoot
- Rob Horne
- Runli Guo
- Stephen Massey
🙏 My final thanks go to:
- Jane Frankland for her crash course in sales and marketing and suggesting that I start my own podcast which was way outside my comfort zone. From fear and trepidation, to learning new skills and the excitement when I get the notification that there is a new episode of 'Cybility Savvy'.
- Peter Sharpe for expertly extricating information from my brain and teaching me (and Ana) how to turn it into a powerful value proposition, and his unwavering support over the past year.
- Tim Sims for accepting the daunting challenge of working with me in my darkest days, helping me to rebuild my confidence, encouraging me to be open to opportunities, asking thoughtful questions, posing challenges, and sharing his wealth of experience with me. In our journey from the depths he has, metaphorically, held a mirror up for me, asked what I see and told me what he sees - gradually reframing how I see myself (the scene from Cool Runnings with Yul Brenner and Junior Bevell at the mirror comes to mind). I feel truly blessed to have him guide me up this stretch of the mountain.
- Each of our guests on Cybility Savvy - Jackie Freeman, Laura Dawson, Amy Tarrant, Hannah Nacheva, Ket Patel, Sarah Harriott, and Barry Moult. Could you be next?
- Ana Garner - for believing in my vision; bouncing things around with me, you know the rest... I love working with you 😊
There are many others that I learn from every single day via fellow professionals on LinkedIn, Twitter and other professional networks such as WiCyS.
On this International Women's Day, we are called to #BreakTheBias and imagine a gender-equal world.
What is the situation in cybersecurity, and what can employers do to help foster a world that is just, equitable, diverse and inclusive (JEDI)?
Fact 1. Cybersecurity is a field dominated by male (76%) and Caucasian (72%) workers, according to the (ISC)² Cybersecurity Workforce Study (2021). Women in cybersecurity are estimated at 25% only.
In the UK, the Cyber security skills in the UK labour market 2021 report tells us that the presence of women, ethnic minorities, disabled and neurodivergent people is minimal.
Fact 2. There is a reported cybersecurity staffing shortage. 60% of participants in the (ISC)² study said that this places their organisations at risk.
Fact 3. Teams are known to benefit from increased diversity, however, this is particularly true in a field in which the threats and risks are so diverse. Having people from different backgrounds is more likely to increase diversity of thought and, ultimately, better protection against cybersecurity risks.
Increasing the number of women employed in cybersecurity roles would address the shortage and the diversity issues. How can employers do this?
The answer to this will depend on the context of each organisation, but we thought it would be useful to share some of the actions that we are taking as a small business. At Cybility Consulting, we are a small and unique team (women, black, Latina, immigrant, disabled) in an industry that needs to be more diverse. As such, we are committed to #BreakTheBias.
These are some ways that we are doing this:
- Upskilling women - It is accepted that employers should hire for attitude and aptitude and then train for technical skills. So, we make sure that our staff have, within their working hours, time to train and study. We invest in subscriptions of Cybersecurity, IT and Professional skills platforms that provide online learning and training.
- Work experience - We actively engage in apprenticeship and traineeship schemes supporting candidates with diverse backgrounds.
- Mentoring - Sharing our experience with those new to the field is an effective way to upskill people, not only in technical skills, but with their career plans, soft skills and networking. We offer this both as a paid service to organisations and free to some individuals (https://bit.ly/CybilityMentor).
- Work your way - we provide flexible working conditions for when, where and how we work.
- Responsible employer - we pay our people above the living wage and train them in our rights and responsibilities under the Equality Act.
If you are a business leader committed to breaking the bias in cyber security, check out the Women in CyberSecurity (WiCyS) resources: https://www.wicys.org/events/wicys-2022/