Max Wigley (MW): Thank you for taking the time to speak to us today. Cyber Awareness Month makes me reflect on a career in cyber security. What got you into cyber security originally?
Christine Maxwell (CM): I initially trained as a Chartered Accountant, but the finance side was not for me. As I was in the accountancy world, I joined KPMG when they created a new division called Information Risk Management as IT was becoming an important part of business. Makes me sound very old! I stayed at KPMG for 13 years and moved from IT Audit to IT Advisory to IT Security.
MW: I imagine you have been in high demand in the last few weeks. What have you been focussing on this month?
CM: Yes – it has been busy but very productive. We are now in week 4, where we are tying together the three core themes we have focussed on during weeks 1-3 around Prevent, Protect and Report. I have also been involved in a couple of joint MOD/industry events, which has been great. I think it's powerful that we can share across the defence industry as we are all promoting the same messages.
MW: As part of Cyber Awareness Month, Leonardo has been running our own campaign across our UK business linked closely to these three core themes – trying to raise awareness within our organisation. You’ve been in post now coming up to four years, during which time an awful lot has changed in the background, so you have not had an easy environment to work in! How do you reflect on progress and achievements in that time?
CM: It has been a journey, but a positive one from my perspective. We started without a published strategy or transformation team, and now we have a strategy and new Cyber Resilience Programme and an Identity Access Management Programme. It is fair to say that we have laid the foundations, working across Top Level Budgets (TLB), and now it’s time to continually deliver and drive down risk. Covid affected things in many ways and we had to adapt; we’ve also seen a changing focus on cyber in military operations. This ability to change and adapt is key and perhaps something we would have struggled with previously, so that gives some indication of progress.
MW: One of the main challenges I see is that cyber security in MOD equipment programmes is often seen as a tick box exercise, rather than a set of activities to ensure that risks are understood and managed appropriately. I know this is a key focus of some of the initiatives you are championing such as ‘Secure by Design’, but given we are now in Cyber Awareness Month, what would be the key message you would want to get across to people involved in industry who are in programme/project delivery?
CM: Defence historically has a very entrenched way of doing cyber security that can encourage tick box compliance and a lack of accountability by Senior Responsible Owners and delivery teams. This is not true in all cases, but overall the system is not delivering what we need to compete. We are changing and need the support of industry to drive this change through. I think companies like Leonardo can help me support MOD teams as they are more experienced in embedding security from the outset. This is one of the most important strategic outcomes within the cyber resilience strategy and what I am trying to deliver under Secure by Design.
MW: So, is this more of a culture change in your view, rather than anything technical?
CM: There are of course aspects where we need to get better at designing and implementing technical solutions. However, I agree with you that this is a cultural change. Secure by Design is really about empowering programmes to own the cyber security problem. It will allow cyber security solutions to be much more mission focussed – rather than what has sometimes happened historically, where there is a mythical 'security person' who comes along at various points and tells projects they haven't done the right thing. Resourcing security properly is critical, and that will often mean using the security professionals in industry in a different way; hence the criticality of industry being supportive of Secure by Design.
MW: Why is this change important?
CM: There has been a well-documented change in the threat posed to defence as for wider government, but also change in the way MOD functions due to its focus on digital transformation. Defence capabilities can be much more joined up, with data and information critical assets across all domains. What this means is that our future capabilities and systems – both IT and OT – need to be cyber resilient like they never had to think about in the past. We are seeing this play out as we change our focus on to Cyber Mission Assurance, for example in Ukraine at present. A focus on Cyber Resilience and Secure by Design is critical to enabling us to continue supporting defence capabilities going forwards.
MW: I think that the Tempest Future Combat Air System (FCAS) programme, which Leonardo is part of, is a good example of this. FCAS will be the most connected defence capability ever. Understanding how we can design something now which can be resilient to the cyber security threats of the 2040s and 2050s is a fascinating challenge to be involved in. Do you think defence has grasped the scale of the challenge?
CM: Yes – the work we are doing is building awareness, but there is more to do, and communication is key to this. As you say, the key challenge on these generational programmes is how to look forward into the future and not just design the capability as past capabilities were designed. That is why the Secure by Design approach is so important; we are focussing on delivering effective risk management outcomes rather than checklists of controls.
MW: Critics may say that the term Secure by Design is not new and that this initiative is no different to previous cyber programmes. How would you respond to that?
CM: It is absolutely not new; it’s a term that has been around for years. But it hasn’t been a priority in MOD. There is desire across MOD for genuine change, and more widely across UK government. This is reflected in the UK Cyber Strategy and the Secure by Design work we have been doing in conjunction with the National Cyber Security Centre. However, I don’t agree that the cyber programme is just more of the same; you only need to look at some of the outputs - specifically the Secure by Design alpha phase, and the feedback from projects and programmes - to see that.
MW: And finally, if you could click your fingers and magically make one change, what would it be?
CM: That all the systems developed, managed and operated by industry adopt the MOD technical rules of the road. This would include ensuring critical cyber security protections are embedded by design and are aligned with MOD security protections. For example, security monitoring via the Cyber Security Operations Centre (CSOC) federation and using standard MOD tooling and processes such as Identity and Access Management (IDAM).