National Highways CSO Talks Novel Solutions to Cybersecurity in the Public Sector

Critical public sector organizations, like the UK’s National Highways, face rising cyber threats combined with complex supply chains and a global cybersecurity skills shortage.

Compared to their private sector counterparts, these organizations have unique challenges that necessitate novel approaches and out-of-the-box thinking.

National Highways, a UK government body responsible for operating and maintaining the country's motorways and main A roads, is a critical national infrastructure (CNI) entity that has a major duty to be resilient against cyber threats.

A successful cyber-attack has the potential for enormous disruption to travel and the potential to cause risks to the safety and wellbeing of drivers and passengers.

Keith Price, Chief Security Officer (CSO) at National Highways, spoke to Infosecurity about some of the initiatives being taken by the organization to boost its cyber resiliency.

This includes a novel plan to secure National Highways’ complex third-party supply chain and wide-ranging approaches to recruit and retain staff amid heavy competition from the private sector.

Price also offered advice for security leaders on how to overcome common cybersecurity challenges.

Infosecurity Magazine: In early 2024, you posted about an idea you had around providing non-profit security operations center (SOC) services to small and medium enterprises (SMEs) in the National Highways supply chain.

Could you tell us more about this idea and if any progress has been made in setting up such a service?

Keith Price: The story goes like this. In my first few weeks at National Highways, I took part in an executive event where we were discussing the transformation of Highways from a “build and maintain” company into a “service provider” company.

Perhaps it was the eight years I had spent in consulting and advisory, but I immediately got excited by this prospect and my brain cells started whirring: could the Highways internal security team provide services to our major projects and possibly our SME supply chain? This service could both provide affordable security services and reduce supply chain risk from SMEs.

The idea was welcomed within the security team, and we were looking to onboard our first customer, which was the IT service provider for the A303 roadworks project. We completed some internal business development work, including establishing T&Cs, contracts, service level agreements (SLAs) and a service catalog. We had scoped and done a proof of concept of the customer environment and the required onboarding professional services. We then hit a few small speedbumps.

The first was that our legal department determined we could not drift from our government license to operate (LTO) by charging for services, even though the charges would be “at cost”. The second was the cancellation of the A303 project.

Highways is now looking into applying to adapt our LTO to allow for charging for costs more broadly. There is also some interest from potential customers across the UK government who like the idea of a more cost-effective security service built in-house, as well as the supply chain risk visibility that SOC monitoring could provide. So, watch this space.

IM: What strategies have you found most effective in recruiting for cyber professionals amid the current skills shortage?

KP: We have been quite fortunate in our recruiting efforts for our security team. Our staff turnover has been very low, to the tune of 4% for the entire year of 2024. I chalk this up primarily to a few factors.

First, we offer flexible and hybrid working to all our employees. We have a 40% in-person requirement where our employees can work together in various environments, whether it be one of our many Highways offices or supplier workplaces across the country. As other companies are mandating a five-day-a-week return to office, we continue to see the value in flexible working.

Second, we offer leadership that has integrity, empathy, compassion and is committed to the development of our teammates. It is no secret that public sector compensation lags behind what our private sector competitors can offer. This is why we pride ourselves on the inclusive and supportive culture we have built, as well as providing the opportunity for our security teams to work on exciting cutting-edge technology programs, such as autonomous and connected vehicles and environmental and sustainability projects.

We also have a center of excellence team called Cyber Futures (or CyFu: “our CyFu is strong!”) that works with future-looking programs within Highways, the wider UK government and academia.

Finally, we offer part-time roles that are well suited to stay-at-home parents, neurodiverse, disabled and carer employees. These roles typically focus on research and development, authoring papers and admin support such as budgeting, HR and business planning.

They can also work across all our security functions, including SecOps, threat intelligence, governance, risk and compliance (GRC), security architecture, education and awareness and identity management. These roles can work from anywhere and at any time, to accommodate employees’ personal schedule requirements. These roles are also perfect for entry-level or career changers, and we expect to expand this offering soon.

Our recruitment process is also very lightweight and streamlined. Most of our hiring actions are started and completed within a month. We don’t require an overly burdensome hiring experience. This way, we make an offer to our top candidates months before our competition can.

IM: What are your biggest concerns in cybersecurity today?

KP: One concern of mine that has resurfaced recently is the gatekeeping of our profession. I understand that there have been tens of thousands of redundancies globally in the security profession, notably across cyber, and this has predictably led to a belief that “cyber isn’t an entry-level profession”.

To re-balance the security function, in both talent pipeline and costs, we must be prepared to recruit, hire and develop in-house the future generations of security professionals. This is especially true when we explore the talent shortage in niche skills such as operational technology, Internet of Things (IoT), cloud, quantum and AI.

A solid strategy would be to hire good people, and then spend the years developing them into specialists, as opposed to the current strategy of spending years hiring the unicorn or perfect candidate (that likely does not exist).

Many will argue against my strategy with claims that once trained and developed, cyber experts will then be off to the nearest competitor, and we will be right back to square one. That tells me you have a “you problem not a me problem” in so much as that is precisely how free markets operate.

There are plenty of junior talent and career changers who are ready, willing, able and excited to join our profession given the chance. “You are not worthy” sends a message that our profession is elitist and old-fashioned and will turn away many superb recruits.

IM: What are the biggest successes the cybersecurity industry is experiencing today?

KP: Some of the biggest successes in cyber today relate to what would be known as the “non-technical” areas. Specifically, within the cyber education and awareness function, we are seeing great progress in employees’ general improved awareness of cybercrime and scams.

While criminals are leveraging AI to great effect in crafting phishing emails, the cyber function is continually improving its ability to inform the general employee population. A strategy we use at National Highways follows a “grass-roots” effort whereby we hold monthly Cyber Coffee events where we discuss cyber security and safety with our employees, but the focus is on their family and friends, not the corporate focus.

We find that by first addressing our employees’ private concerns, we build trust with the community, and this then translates into those same employees bringing good security hygiene and practices back into the workplace.

IM: If you could give one piece of advice to fellow CISOs, what would it be?

KP: I am seeing the lines blur between CISO and CIO/CTO, which means there may be some opportunities for CISOs to market themselves as tech leaders with security chops.

Another thing to consider is to seek leadership of all things security within your organization. As the CSO for Highways, the buck stops with me for all security, not just the cyber part.

This builds our value and brand within the company and grants greater alignment and leadership of the security function.

Also, look to join and contribute to the already well-established safety and quality communities at your organization. By helping to solve these big problems, you will find security is also an outcome, and your value again grows. “How can I help?” is not a question many folks hear from their CISO. But by putting in the work, and leading your teams in a customer first approach, you will soon see the results.

The most important metric by which I measure my own and my team’s success is whether we are being invited to other teams’ meetings, or for coffee and lunch, to provide guidance and advice. My second metric of success is whether my slot with the executive committee and Board is early in the meeting and not last on the agenda.

Image credit: Jarek Kilian / Shutterstock.com