Introduction: IL7 in 2021
IL7 Security is now able to meet the requirements of numerous contracts: we have developed and matured a risk assessment methodology called SWIFT, which accelerates the process without abandoning adherence to ISO standards. We have also further developed policies that comply with NIST and continue our commitment to ISO 27001, NIS and GDPR. IL7 proposes to be a partner to those clients in the Transport Industry that want to be Cyber Secure.
IL7 came about after I left BT in 2012. Before BT, I had undertaken consultancy roles for the Met Police, Thames Valley Police, the Charity Commission, DWP, HO, ONS and HMRC, as well as Banks and other Private Sector blue-chips, often at the same time. After BT, IL7 consulted to the Passport Office, BAE, MOD Air ISTAR and the Rural Payments Agency. While these were great contracts, my consultancy ambitions sought a wider client base, and I believe that I can support customers on both a full-time and part-time basis as well as in collaboration with other consultants. In 2016 I brought my family in to support me with the creation of the IL7 website and to provide business and technical support. In 2017, I led IL7 to support Barclays Bank, the Cabinet Office, the Defence Infrastructure Organisation and Rolls Royce. It is my intention to gradually grow the capacity of IL7 to provide excellent advice through partnership and recruitment. To this end, IL7 has provided Risk Assessment and Cyber Security consultancy to Govia Thameslink (2018-present), the Home Office (2019), Disclosure & Barring (2020) and Sellafield (2021-present). In addition, I (under IR35) have provided consultancy on policy and risk assessment to the DfT and continue to do so to the MOD through Atkins.
I started working life as an application programmer (Home Office) and moved into network project management with the MOD in the mid-eighties. I left the MOD as an acting grade 6 in 1997 and travelled extensively (US/Australia/Germany/Saudi/Belgium) until returning to the UK in 2005, when I applied for CLAS. I have been CLAS since 2005, becoming CCP SIRA in 2017.
My priorities are now in risk, policy and cloud security while I am deeply interested in Operational Technology. I have conducted risk assessments on Ships, Submarines, RAF Surveillance Aircraft and modern trains such as the C700 Thameslink for GTR.
I have presented on safety and cyber security to the Rail Information Exchange and the Cyber Senate, and have had many articles published in Railway News and similar publications on Cyber Security and compliance with NIS, NIST and ISO 27001, and on the use of IEC 62443 in OT Risk Assessment.
IL7 accepts a wider audience
IL7 recognises that NCSC, as the technical authority, has obligations beyond the limited fields of central government and can no longer confine its recommendations to standards that suit the HMG community. Even the world of central government has changed greatly since the early developments of domain-based security (DbSy). We are now faced with the digital economy, digital government and the plethora of new threats associated with embracing the opportunities and risks of cyber.
Threat actors are different: more organised, more technically proficient, and the technology in their hands is more powerful and sophisticated. IL7 recognises the need for more flexibility in getting the risk message across.
Whether it’s the cyber threat or the insider threat, the risk needs to be quantified and communicated clearly. Areas of local government and health need faster, less bureaucratic methods of risk assessment. Others have different control contexts to address and face different regulations and frameworks of compliance. While HMG IA governance is still underpinned by the accreditation cycle, whereby SyAc and Accreditor both know the process, this is not guaranteed to continue. Nor, necessarily, does such governance exist universally outside central government. Stakeholders in the risk decision are no longer IAOs, SIROs or Accreditors. The Business Case for risk, the Security Case in IS1/2 terms, needs to be made to the business mover: the one that will pay for the treatment, and suffer the consequences for not doing so. They might not understand IS1 terminology, and therefore they need to be spoken to in the business language and context they understand. IL7 also recognises that this flexibility in communication needs to be consistent and repeatable, so it needs to have a framework. The frameworks offered by ISO 31000 and ISO/IEC 27005 appear to meet these requirements.
Risk is a business concept - the concept is UK.
Successful risk management can affect the likelihood and consequences of risks materialising, as well as deliver benefits related to better informed strategic decisions, successful delivery of change and increased operational efficiency. Other benefits include reduced cost of capital, more accurate financial reporting, competitive advantage, improved perception of the organisation, better marketplace presence and, in the case of public service organisations, enhanced political and community support. CESG were right to acknowledge that risk management in HMG has become tired over the last few years. Methodologies can be too restrictive and need more business focus. IL7 recognises the value of risk management and will seek to inject new positivism and energy into its practice.