Janakan Nadarajah in conversation with Gerry Grant, Cyber Security Manager, NHS Tayside
Secon Cyber Leadership Interviews
26 July 2021
Amongst 2020’s backdrop of accelerated digital transformations and remote working, the NHS faced a whole different set of challenges. Despite this, the NHS still managed to quickly adapt to new working conditions, rollout digital projects, and bring cyber security to the forefront of conversations.
For the Q3 edition of our newsletter ‘What the Hack?‘, Secon Cyber’s COO Janakan Nadarajah sat down with Gerry Grant, Cyber Security Manager at NHS Tayside, to discuss how the last year has changed the cyber security landscape and priorities for the NHS, and what lessons he’s learned along the way.
JN: Tell me a bit about your role and what you do.
GG: I’m the cyber security manager for NHS Tayside. It’s my responsibility to look after the cyber security of pretty much everything within NHS Tayside, so that goes down to the endpoints, the laptops and desktops the majority of my colleagues use, to mobile phones and tablets, all the way to MRI scanners and all the other various bits of technology that may be used in hospitals to monitor patients and help save their lives and make them feel better.
It’s quite a wide and varied type of thing that I’ll see on a daily basis. There’s no real sort of typical day as to what I could be looking at. One day I might be looking at a proposal for a new piece of equipment in accident and emergency and the next day I will be trying to get somebody to update their iPad, so a whole variety of different things.
For me, it’s that diversity that makes it interesting and was one of the reasons that I wanted to come and work in this environment. It’s becoming more and more important in healthcare; we’re becoming more and more connected and the things that we’re doing are reliant on technology and we need to make sure that we’re doing them in as secure a manner as possible.
JN: So how did you get into working in cyber security?
GG: I’d like to say a long time ago, but it wasn’t really that long ago. I had a bit of a mid-life crisis and wasn’t sure what I wanted to do with my life, what direction I was going. The more I thought about it, I’ve always been interested in technology, and I just saw the way the world was going and that we’re becoming more and more connected.
We’re becoming so connected and the internet of things is beginning to take over our lives. That’s a fantastic opportunity, there’s loads of things that we can do with it, and part of me loves the prospect of being able to turn an oven on when I’m on my way home, but part of me is nervous because how secure is it? And who thinks about the security of these things? That’s what started to get me interested in cyber security.
The more I investigated it, the more curious I became and as time has gone on, I’ve learned and understood more about cyber security. I feel that I’ve got an obligation to try and pass that knowledge on to other people and to try and make people aware of what the consequences of their actions are and how we can make a safer world. I love the technology. I love what it can potentially do. I just want people to be aware of the drawbacks and think about how that might actually affect not just their business life, but their personal life as well.
I think the whole of cyber security crosses so many different domains and subsections. We talk about the psychology of the attackers, we talk about the psychology of the defenders, we talk about the way that psychology can be used in social engineering, so there’s a whole aspect there. The real geeky aspects are about looking at the architecture of how a device is actually built and how it works or looking at the infrastructure of a network and how it all connects.
I think I’ve always found it difficult to try and specialise in one specific aspect because there’s so many that interest me. It’s important that some people do specialise in it, but going forward, it’s important that we’ve got people that have an overview of many different things. When you get up to CISO level, they need to have a bit of understanding of everything. It’s not about being a technical wizard, but it’s about thinking about the consequences and how it all fits together.
JN: What do you love about working in cyber security? And what do you not like about it?
GG: I like most of it. I love the challenge, every day you’re faced with different challenges. For me, cyber security is about managing risk and making people aware of what the risk level is. In an organisation as big and diverse as the NHS, that can be difficult because what I might consider very risky, a doctor might think is not risky at all, they don’t see the issue. I’m trying to see the bigger picture and I’m trying to get these people to understand it’s about not just their particular speciality, it’s about the organisation as a whole.
I get to communicate and speak to people at board level, and I also get to speak to the doctors and all the other people within the organisation so I kind of feel like I have an impact on everybody within the organisation, not just on one department. And yes, I’ve got reports to write and I’ve got meetings I need to go to, but I’m still looking and thinking about different things all the time and that’s what I really like.
One of the challenges is it changes so quickly and the types of attacks you’re getting are changing all the time, so it’s trying to get that buy-in from staff as well. People go ‘cyber security is really important, but I already understand it so I don’t need to listen to you.’ It’s trying to do something to spark their imagination to make them engage with you a little bit more. Trying to get doctors to come to a cyber security awareness training session, good luck with that because they’re way too busy actually saving somebody’s life. They don’t want to sit and listen to me drone at them, so it’s trying to find different ways and that’s really the challenge that keeps coming. But I enjoy even the difficulties when I reflect on them. 99% of the time I would say I love it, it’s just the 1%, and that’s probably just before I go on holiday.
JN: How did the events of 2020 affect your organisation, its digital transformation, and cyber security agenda?
GG: 2020 was a difficult year for everybody and I’ve only had just over a year with the organisation. I joined right at the peak of the crisis, and you know the NHS is unique in terms of how it impacted us and the response that we had to come up with. It certainly made us transform a lot quicker than we would have done in terms of digital transformation. The rollout of things like Teams and Office 365 was sped up to make sure that we had the capability for our staff to work from home. Obviously, that’s not possible for an awful lot of our staff who had to come into their place of work just by the nature of what they do.
I think we’ve been on a higher level of alertness when it comes to cyber attacks and the impact that that would have on us. In the last year, the number of conversations we’ve had around cyber security has been increased. It’s something that’s higher up on the agenda now than it previously was because they know now how reliant we are on the technology to ensure that our staff can keep that constant line of communication going.
It put a lot of pressure on the IT departments to make sure that everything was in place. We were made acutely aware of how important we were, and I think if you’re to take a positive out of it, it’s shown the organisation how quickly we can adapt and how important the work is that we do and how important the infrastructure is that we have in place. We were in a reasonably good place beforehand, and work was done to make that even better, and I think going forward it’s shone a bit of a light on our department and how we benefit the organisation.
When I took the job last May, I thought long and hard about it. I knew it would be a challenge and it has been the challenge that I expected. It’s a totally unique organisation that has unique challenges and you know, people talk about end-of-life software and legacy systems, but it’s not cheap to go buy a new MRI scanner and you’re not going to do that every five years just because you know part of the software’s reached its end of life. You have to put other mitigating measures in place, and I knew it was going to be hard.
In a public sector organisation, things move a little bit slower than they do in the corporate world and budgets are a little bit tighter. You’ve got to fight for every single penny, but it was the challenge that I wanted, and I think going forward, it gives me such great experience you wouldn’t get anywhere else. I’m never going to be a doctor, there’s no way I could stand the sight of all that blood. The only way for me to give back to the NHS is to take on a role like this. I want to make the NHS more secure for all the people that work here, but I want to make sure that all the patients’ data is safe, and I want to make sure that we’ve got systems and processes in place that give the best patient experience. Cyber security is there not just to protect NHS Tayside as an entity, but to protect their customers, which is everybody that lives in the area.
JN: What do you think organisations need to do to increase cyber security awareness and understanding amongst their employees?
GG: I don’t think there’s an easy answer, but it’s about communication and it’s about creating a nudge culture that is showing the end user how it benefits their personal life. Generally speaking, the user doesn’t particularly care that they have to have a 12 character password to keep the company safe, but if you explain to them why it’s good to have a 12 character password for their personal banking or email account, they understand it a little bit better. We need to try and make these things personal.
You really need to get buy-in from board level, it has to come from the top down. It’s about making the board aware of what the risks are and how it can affect their organisation and them personally. Again, it’s about that nudge culture. You can’t just walk into the boardroom and say, ‘Cyber security is the most important thing, you’ve got to do something about it.’ You’ve got to explain to them why and again, even go into how that might affect their personal life and how they can then extrapolate that out across the business.
It’s difficult because you don’t want to create a fear culture. It’s about explaining how we can protect ourselves and the steps that we can take. If we can teach that and get our users to understand that from a personal level, they’re not upset about it.
It’s about just that constant drip of awareness in the same way that health and safety was a big, massive thing in sort of the 90s and the early 2000s. There were posters everywhere and everyone was talking about health and safety. We need to try and follow a similar sort of thing. It’s about trying to get people to understand the risk and the consequences of the things that they do.
JN: Focusing specifically on the NHS and healthcare, what do you see as the greatest security threat or challenge for the healthcare industry?
GG: One of the biggest challenges is making the clinicians understand the risk that they bring to the business. It’s not always the clinicians’ fault, I think vendors have got a lot to answer for as well when it comes to pieces of medical equipment. They sell pieces of equipment that are not built in a secure manner. You speak to the vendor and they’re like oh yeah, but it works elsewhere. It might work, but let’s talk about how we can do this in a more secure fashion.
It’s trying to get that understanding from the clinicians that they need to ask the right questions and we as cyber security professionals need to provide them with the questions to ask. It’s about creating the right culture within healthcare.
We’re a public organisation, there’s not buckets full of money set aside for us to pour into cyber security and even from a public perspective, if we were to turn around and say we’ve spent x millions of pounds on cyber security, I’m pretty sure there’s a few people in the public out there that would be like ‘How many nurses and doctors could that have paid for?’
We need to speak to the vendors and get them to understand that they need to have security in at the beginning. It’s getting better, but they need to think about the life cycle of these bits of kit as well. How long are they going to support it for? What are the plans if the operating system does reach end of life? Do they have a backup or is there something different that can be put in place that’s not going to be too expensive?
There’s a lot of challenges, especially getting a doctor whose primary job is making people better and saving lives to think about cyber security even though they’ve got 101 other things to think about. I claim it’s important and they’re like yes, but how does it save somebody’s life? They need to begin to understand the risk they bring in and how we’re trying to help them mitigate it.
JN: What are your key cyber security focus areas for the next 12 months?
GG: We’ve touched on cyber security awareness and training, so I’ve got a whole strategy put in place around awareness and how we can roll that out across the organisation to begin that cultural change and get people to start thinking about cyber security.
Other focuses are around visibility of what’s happening on the network, how can we improve our alerting to any potential incident that’s come up, and how can we start to be a lot more proactive in looking for issues before they actually become an issue so we can stamp it out and put a stop to it. We’ve got different tools in place that should mitigate it should it happen, but we need to make sure that it’s a strong point for us. We can only do that with added visibility and the extra ability to see what the endpoints are up to.
They are the key objectives and I think if I get those in place over the next 12 months, I’ll be pretty happy and will definitely feel that we’ve moved forward.