Transport Security Expo 2015 - An interview with Andrew Fitzmaurice, CEO, Templar Executives


Upload: singletonpr

Post on 14-Apr-2017


TRANSCRIPT

TRANSPORT SECURITY EXPO 2015 www.transec.com

2-3 DECEMBER 2015 / OLYMPIA LONDON

@trs_expo

Q. How would you describe the business of Templar Executives?

A. Everyone has heard of cyber security but not many people at board level fully appreciate what it means for their business. So one of the key things we do is demystify the concept. By bringing clarity, we can then help them to optimise all of their operations to deal with potential threats. Cyber security isn’t just about information systems; it’s also about people, processes and culture.

Q. How did you become involved in the business of cyber security?

A. I spent 18 years in the armed forces specialising in command & control elements around planning for and conducting military engagements. This also included the employment of secure communication systems such as digital data links. My work made me very aware not just of the importance of information but the importance of protecting the integrity and security of that information.

Subsequently, I went to work at GCHQ and that led me to the Cabinet Office where I was involved in formulating national strategy on cyber security. It was whilst I was working there that HMRC lost the 25 million child support records and that led to my authoring the Review of Data Handling Procedures in Government (on behalf of the Cabinet Secretary) which made a series of recommendations on how Government departments should manage their data.

Q. How do you think your background has shaped what you are now doing with Templar Executives?

A. One of the problems affecting Government departments was that they had not kept up with the rush of technology. People were looking at how to fit the new technology into what they were doing rather than looking at what technology they needed. Whilst there has been a certain rebalancing since then, it’s an analysis that extends to the work we are now doing with FTSE 100 companies. Most of them are operating internationally, which adds a new dimension, and we can help them to look after their information, protect their IPR, and ensure they’re competitive – that’s what Templar Executives does.

Q. What does that mean in practice?

A. Well, the first thing we do for a company is a health check on their holistic cyber security – people, processes, culture and ICT. We measure what they are doing against a number of criteria, starting with their own policies which are often outdated and unsuitable for the current environment. We also check for compliance with accepted standards such as ISO 27000 2013 for Information Security.

But fundamentally, we’re more interested in maturity and a programme of continuous improvement at every level. Level 1 of most maturity models – for example, CMMI, NIST and the UK’s IAMM – is concerned with legality. Are you operating within the law? CRM systems these days are collecting huge amounts of personal data and, under proposed legislation in Europe, the mishandling of that data could lead to very large fines – 5% of annual turnover or up to 100 million euros in some as well as, depending on circumstances, a jail sentence. So it’s something all organisations, including government departments, need to take very seriously.

We then fill in the gaps in their existing policies, assess their risk appetites, and provide training. Training is very important to us. We have our own Cyber Academy which runs a wide range of courses, five of which are GCHQ (CESG) accredited. Indeed, we are the only company in the world to offer such breadth and depth in the cyber security training field.

We run courses on cyber security awareness, ‘the insider threat’, cyber security for information specialists and a particularly important course for board-level champions. This particular course is tailored to the individual and sector and can last anywhere from 3 to 6 months and involves a blend of training and mentoring from an experienced expert who themselves have practical experience in the same business sector as the client.

Q. So what are your main reasons for deciding to exhibit at Transport Security Expo?

A. We believe the transport sector needs to develop a much greater awareness of the cyber threats that it faces. Most cyber-attacks so far have been against financial institutions and, as a result, they are rapidly developing better cyber security. The risk is, therefore, that attackers will now move to softer targets.

An interview with Andrew Fitzmaurice, CEO, Templar Executives

“The transport sector needs a much greater awareness of the cyber threats it faces”


We have already done some work in the maritime sector and we know there is a potential cyber security threat there. The principles of cyber security are sector-agnostic and we see Transport Security Expo as a good opportunity to promote what we can do for the transport sector even if they don’t think they’re a target yet.

A few years ago, I was known as ‘the dentist’ – people only called me when there was a problem – and they also didn’t want others to know they had called me – and once fixed they hoped they wouldn’t need my services anytime soon. Whilst that attitude has changed in many sectors because people want to get ahead of the threats, I feel the transport sector’s knowledge of cyber security and the potential consequences of not addressing cyber security proactively is under-developed.

There’s a lot of low hanging fruit in the sector and we can raise the bar against those who might want to launch an attack quickly, easily and at low cost. The costs of not doing so could be phenomenal.

Q. What do you see as the main threat areas?

A. Looking at the whole transport sector, one of the critical issues is the ability to keep operating after an attack. Take the aviation industry, for example; do air traffic control systems have the equivalent safety and back-up systems that modern aircraft have? And what about the systems that control traffic lights? A cyber attack of that nature could bring mayhem to a city like London.

To equip the whole transport industry with the necessary level of cyber resilience, it’s essential that the right education is in place from the top to the bottom of the organisation. At the most basic level, everyone needs to be aware of the potential risks including exposure to social engineering.

Q. And what do you see as the big trends in the cyber security arena?

A. There are three big trends we’re expecting to see next year. Firstly, a growing awareness of the significance of third party suppliers. Weak links in the supply chain can provide the easiest route for those who want to attack a large organisation.

Secondly, the ‘insider threat’; attackers have learnt how to use people inside the organisation – we call it the ‘mosaic effect’ – to build up a picture from seemingly innocuous social media posts, press reports, engaging employees and discussing their work in social settings. This and other open sources of information can be used to build up a comprehensive picture of how a particular organisation works and what its strategy is going forward.

And finally, there is a real concern about the number of organisations still using legacy systems such as Windows XP which is now unsupported. These systems represent a time bomb because of the ease with which they can be infiltrated and compromised. Organised criminal gangs and foreign intelligence services don’t necessarily want to destroy organisations, they want to continually skim off money or information and remain undetected. Legacy systems with little or no monitoring provide an excellent gateway for such activity.

@templarexecs

templarexecs.com


Templar Executives