You can’t hear Dido Harding’s name without thinking about the TalkTalk breach. Three years on, in her new role at the NHS, and as a member of the House of Lords and a non-executive director at the Bank of England, Baroness Harding is leaving the past in the past and using her experience to make a difference in the public sector.
How do you feel about ‘the breach’ three years on?
I no longer think about it every day, but it’s impossible not to still feel emotional about it. We made a conscious decision to be open and honest and once you’ve done that, you can’t go back. I feel like it’s my responsibility to share what I learnt. Part of me feels quite good about it. TalkTalk acted well and honorably towards our customers. So many talking heads and CEOs thought we were doing the wrong thing, but organizations need to be more open and honest and that will create less of a taboo.
In hindsight, what would you have done differently in response to the breach?
I wouldn’t have spent half a day negotiating with the Met police about getting data back. Also, going out with the news late at night created more noise and panicked people – I regret that. Of course I wish it hadn’t happened, but there’s no point in wishing things had been different. Instead, we need to focus on what we learnt.
What positives can you take from TalkTalk?
One of the privileges that came from the breach was getting to meet some of the best minds in the industry and getting explanations that I didn’t get before. I loved running TalkTalk, despite the ups and downs. The next phase is taking what I’m good at – guiding large consumer-facing organizations through technology-driven change – and using it to help the public sector.
Quick-fire Q&A
Who does the ultimate responsibility lie with when a company is breached?
The chief executive. I was pushed to blame someone else but I knew it was just me.
What is one of the most important considerations when a company is breached?
Go public very quickly to increase your chance of weathering the storm. You always need a plan.
What advice would you give to CISOs for presenting risk to the board?
Get better at speaking truth to power. Be braver and speak in plain English.
As a CEO, what concerns you the most about cybersecurity?
Cybersecurity teams that say everything is OK. Really good people are always slightly dissatisfied and think they can do better.
Should CISOs report into the board?
Sitting on the board isn’t the be-all and end-all. Boards need to be reasonably small to function best. You want a CISO reporting into the board.