How the La Fosse Pro Bono Advisory Practice is helping to secure the Natural History Museum

Ross Tanner

24 January 2020

Simon Hodgkinson was among the first five world-class cybersecurity professionals to volunteer their time, expertise and resources as part of La Fosse Associates’ Pro Bono Advisor Practice. Simon’s background in cyber and infosecurity made him the perfect candidate for this scheme. Pioneered by our very own Head of Information Security, Ross Tanner, the scheme is an industry first, providing charities and non-profit organisations with free access to world-leading cyber security executives.

Six months later, Simon sat down with Ross to discuss his motivation for getting involved with La Fosse and the Natural History Museum, his contribution, and advice for other CISOs looking to do the same.

Why were you keen to offer pro bono support to the Natural History Museum?

CISOs provide their companies with a wealth of knowledge and insight, putting them in a very privileged position. Charitable organisations don’t necessarily have access to these resources, and so getting on board with this pro bono practice just felt like the right thing to do.

The Natural History Museum is a fabulous organisation – it’s part of British heritage and a globally recognised brand. However, that makes them more vulnerable to cyber attacks. If an activist group or other external threat were to attack the organisation, it would have the potential to halt the daily influx of thousands of visitors. If drawing on my own experiences could help avoid this, then of course I’d want to get involved.

How have you supported the organisation so far?

We’ve focused more on strategy, rather than hands-on action. I’ve also been encouraging the team to rate their digital assets in terms of confidentiality, integrity and availability – you simply can’t eradicate cyber risks and solve every problem before it’s even happened. First, you need to establish your high-value, priority assets – whether it’s your traditional enterprise IT networks, applications, servers and desktops, or even cameras – then take the essential measures to secure them.

Showing the team how big corporations operate has been really valuable. I think the team found it quite eye-opening to see the vast footprint that we have, and the sheer scale of the threats that we deal with everyday. The Natural History Museum team are very talented and they already knew what needed to be done, but seeing how it actually happens at other organisations has shown them how to maximise the technology they already own.

What advice do you have for anyone considering getting involved with our pro bono practice?

It’s been a real honour to work with the Natural History Museum, and as you’d expect when working with any charitable organisation, I’ve taken a lot away from it, too. The team I worked with produced incredible results with limited resources, which was really inspiring. We’ve shared different perspectives and insights with each other – it’s a rewarding, two-way process.

On a personal level, I’ve also really enjoyed it. I’ve been very fortunate in my career, and giving something back is so fulfilling. Working with Ian Golding, Interim CIO at the Natural History Museum, has been an absolute pleasure, and the organisation has been so receptive to feedback. If Ian has any questions or simply wants a sounding board for ideas, he knows that he’s more than welcome to reach out and have that conversation with me – it’s a relationship I’m keen to continue.

If you’re a non-profit organisation or CISO looking to become a part of the platform in any capacity, please don't hesitate to get in touch with Ross Tanner at ross.tanner@lafosse.com


How would you describe the cyber risk facing the NHM today?

Like any organisation, the cyber risk facing the Museum is complex. Not only is it important for us to protect our employees, visitors, the collection, our technology assets and sensitive information from potential hackers, our workforce is also increasingly mobile. Due to this, as well as having a diverse portfolio of digital channels, our exposure levels are often more wide-ranging than in many other organisations.

Why did the NHM look to onboard a CISO Advisor?

Having already set our plans to embed a security-aware culture in motion, we wanted to find someone who could help to accelerate our progress with confidence by providing further guidance. It was crucial for us to find someone who had been through this process before, and at scale.

Why did the NHM choose Simon?

Simon works in a very complex environment – one that’s far more intricate and functions on a larger scale than the NHM. This means he not only has the insight to guide the approach, but more importantly, he is able to relate to the challenge and help our internal cyber specialists accelerate their journey by building on his experiences.

It helps too that Simon has a keen interest in the work and purpose of the NHM as a world-class science and research institution. He is very personable, very open minded, and brilliant at helping others to mould their plans with his suggestions. Simon is also a great communicator; he’s able to engage readily when it comes to difficult topics, whether at technical or C-suite level.

What support has Simon provided thus far?

Simon has been invaluable in both validating our approach and challenging our existing processes to ensure the sequencing of the work had the desired impact, one such example being helping us to capture the risks to prioritise. The insights from Simon’s vast experience have aided the NHM to consider options and review strategies beyond a pure cyber risk perspective.

What has been the biggest learning curve for the Natural History Museum thus far?

By far the biggest skill we’ve had to develop is prioritisation. There is an underlying detail and complexity which must be worked through in order to get a clear ‘bird’s-eye’ view of cyber risks, so we had to find a way to demystify and support this prioritisation.

Maintaining a prioritised risk-based approach like this is vital – not all things can be changed at once, so we must be pragmatic. We have also found that this strategy helped increase pace, as it provided clarity about what needed to happen next.

As a result of Simon’s help, the Museum has begun to realise the benefits of greater focus on convergence opportunities between cyber and physical. Our work on prioritisation has brought to light concepts which can be shared between IT and other departments, allowing us to improve security-related communication at all levels – we are already seeing advantages across the wider organisation.


How has that advice and direction affected the NHM?

Since taking part in La Fosse’s Pro Bono scheme, we have already noticed changes in the type of partnerships sought with tech suppliers and partners, often now being based on the clear articulation of requirements centred around modern cyber risks and specific red lines about what is and is not acceptable. The NHM relies particularly on the fantastic support it receives from leading tech firms, and we’re grateful that by clarifying to all parties what is expected from the off, we have a headstart in building further confidence in the relationship.

What advice would you give other not-for-profits looking to tackle the cyber threat we all face today?

Firstly, we must acknowledge the reality of the matter: that all organisations are at risk. Secondly, it’s important to recognise that everyone, either within an organisation or any associated party, needs to be involved in a cyber programme and combine forces with other data or privacy programmes. These types of partnerships can be incredibly powerful and enable better understanding of human behaviours we can employ that help to minimise cyber risks. In short, it’s not just about the technicalities and individual teams (IT or otherwise) implementing their local measures, it’s a team effort.

Thirdly, and something we found particularly useful, be sure to use a clear and methodical approach to understand your own environment, so that the information gathered – such as CIA (confidentiality, integrity, availability) assessments; architecture maps; and mapping of data sets – can be used not only for cyber but also to extend or consolidate capability in other areas of the business.

In conclusion, my advice for businesses of all sizes would be to ensure that all work on cyber leads you to a ‘silver lining’ that helps to regulate the ‘mandala’ of any legacy systems. Done correctly, this should ensure benefits in clear data ownership, roadmap prioritisation, and many other areas that benefit the organisation.

What would you say to those considering bringing on a La Fosse Associates Pro Bono CISO Advisor?

There is everything to gain by sharing your existing approach and challenges with La Fosse’s Pro Bono practice. In addition to a wealth of experience, the La Fosse team have a great knowledge of the tech market and many sectors within it.

Simon Hodgkinson was a particularly great fit for the NHM as Interim CIO, taking us through a new ‘Digital Twin Technology Vision’ and new ways of working. My team and I at the Museum have been very appreciative of having direct access to Simon, as a hugely experienced, world-class cybersecurity professional.