How our pro bono practice is helping to secure the Natural History Museum: Part Two
Six months ago, as part of our new pro bono practice, we partnered with the Natural History Museum (NHM) to help them improve their cybersecurity. As Interim Chief Information Officer, Ian Golding had been carrying out a review in a number of areas including cybersecurity, in the process of creating the NHM's new Technology Vision. With that in mind, we introduced Ian to Simon Hodgkinson, a cybersecurity professional with an extensive background, who was able to act as an advisor to the NHM's cyber security team.
Our Head of Information Security, Ross Tanner, who originally set up La Fosse Associates' Pro Bono Advisor Practice, caught up with Ian to see how things had progressed and to discuss how other charities and not-for-profits might benefit from getting involved with the practice.
This is our second article on the La Fosse Pro Bono practice Natural History Museum placement. Read part one, Ross' discussion with CISO Simon Hodgkinson, here.
(Responses have been edited for length and/or clarity.)
How would you describe the cyber risk facing the NHM today?
Like any organisation, the cyber risk facing the Museum is complex. Not only is it important for us to protect our employees, visitors, the collection, our technology assets and sensitive information from potential hackers, our workforce is also increasingly mobile. Due to this, as well as having a diverse portfolio of digital channels, our exposure levels are often more wide-ranging than in many other organisations.
Why did the NHM look to onboard a CISO Advisor?
Having already set our plans to embed a security-aware culture in motion, we wanted to find someone who could help to accelerate our progress with confidence by providing further guidance. It was crucial for us to find someone who had been through this process before, and at scale.
Why did the NHM choose Simon?
Simon works in a very complex environment – one that’s far more intricate and functions on a larger scale than the NHM. This means he not only has the insight to guide the approach, but more importantly, he is able to relate to the challenge and help our internal cyber specialists accelerate their journey by building on his experiences.
It helps too that Simon has a keen interest in the work and purpose of the NHM as a world-class science and research institution. He is very personable, very open minded, and brilliant at helping others to mould their plans with his suggestions. Simon is also a great communicator; he’s able to engage readily when it comes to difficult topics, whether at technical or C-suite level.
What support has Simon provided thus far?
Simon has been invaluable in both validating our approach and challenging our existing processes to ensure the sequencing of the work had the desired impact, one such example being helping us to capture the risks to prioritise. The insights from Simon’s vast experience have aided the NHM to consider options and review strategies beyond a pure cyber risk perspective.
What has been the biggest learning curve for the Natural History Museum thus far?
By far the biggest skill we’ve had to develop is prioritisation. There is an underlying detail and complexity which must be worked through in order to get a clear ‘bird’s-eye’ view of cyber risks, so we had to find a way to demystify and support this prioritisation.
Maintaining a prioritised risk-based approach like this is vital – not all things can be changed at once, so we must be pragmatic. We have also found that this strategy helped increase pace, as it provided clarity about what needed to happen next.
As a result of Simon’s help, the Museum has begun to realise the benefits of greater focus on convergence opportunities between cyber and physical. Our work on prioritisation has brought to light concepts which can be shared between IT and other departments, allowing us to improve security-related communication at all levels – we are already seeing advantages across the wider organisation.
How has that advice and direction affected the NHM?
Since taking part in La Fosse’s Pro Bono scheme, we have already noticed changes in the type of partnerships sought with tech suppliers and partners, often now being based on the clear articulation of requirements centred around modern cyber risks and specific red lines about what is and is not acceptable. The NHM relies particularly on the fantastic support it receives from leading tech firms, and we’re grateful that by clarifying to all parties what is expected from the off, we have a headstart in building further confidence in the relationship.
What advice would you give other not-for-profits looking to tackle the cyber threat we all face today?
Firstly, we must acknowledge the reality of the matter: that all organisations are at risk. Secondly, it’s important to recognise that everyone, either within an organisation or any associated party, needs to be involved in a cyber programme and combine forces with other data or privacy programmes. These types of partnerships can be incredibly powerful and enable better understanding of human behaviours we can employ that help to minimise cyber risks. In short, it’s not just about the technicalities and individual teams (IT or otherwise) implementing their local measures, it’s a team effort.
Thirdly, and something we found particularly useful, be sure to use a clear and methodical approach to understand your own environment, so that the information gathered – such as CIA (confidentiality, integrity, availability) assessments; architecture maps; and mapping of data sets – can be used not only for cyber but also to extend or consolidate capability in other areas of the business.
In conclusion, my advice for businesses of all sizes would be to ensure that all work on cyber leads you to a ‘silver lining’ that helps to regulate the ‘mandala’ of any legacy systems. Done correctly, this should ensure benefits in clear data ownership, roadmap prioritisation, and many other areas that benefit the organisation.
What would you say to those considering bringing on a La Fosse Associates Pro Bono CISO Advisor?
There is everything to gain by sharing your existing approach and challenges with La Fosse’s Pro Bono practice. In addition to a wealth of experience, the La Fosse team have a great knowledge of the tech market and many sectors within it.
Simon Hodgkinson was a particularly great fit for the NHM as Interim CIO, taking us through a new ‘Digital Twin Technology Vision’ and new ways of working. My team and I at the Museum have been very appreciative of having direct access to Simon, as a hugely experienced, world-class cybersecurity professional.
If you’re a non-profit organisation or CISO looking to become a part of the platform in any capacity, please don't hesitate to get in touch with Ross Tanner at firstname.lastname@example.org.