Being Head of Risk at Thames Water - a company which still runs on a Victorian-era water pipe infrastructure - must have its challenges, especially when it comes to mitigating the latest cyber threats. Thomas Christophers says that much of his job is about prioritising which risks to focus on, but more than anything, it’s about 'company culture'.
Getting the company culture right is essential because, “people are as good as the systems in place,” he explains.
“If you haven't got a clear vision of what your company culture should look like, what you want it to be and how you’re going to get there, then your risk management suffers as a result,” Thomas says. The culture and people of a company are closely intertwined and are implicit in a good risk management system.
However, he feels that breaches like these are not all doom and gloom. Rather, they give more visibility and transparency to the system - as well as a necessary wake-up call for the organisation to ensure this sort of thing doesn’t happen again.
Also of interest: Podcast - What can we learn from E-Stonia?
How can companies create the right culture?
Thomas thinks there’s a great degree of responsibility at the highest level of the company - from the chairman down - to ensure that the right culture, governance and processes are in place.
However, the right middlemen and management need to verify that the message is transmitted and filtered down in the appropriate way too.
Thomas’s top three tips for getting the company culture right:
- Start with a set of defined business principles to strike the correct tone which should be revised and reviewed continuously.
- Create the right governance framework, policies, committees and delegations of authority.
- Install a risk management system - define a defence model to verify that the proper controls are in place and that those controls are being tested, whether operational or more cultural ones. The internal audit should then come in and test those controls and review that the culture is right for the company.
Also of interest: Book extract: Where does the human cyber security threat lie?
How to ensure we don’t overdo it with regulation
Thomas’s advice is: “Set policies but keep them flexible”. The company needs to show that they treat people with respect, they have a diverse and welcoming environment and listen to each other’s views. “You’ve got to relay that these are ideals to aim for rather than rules to stick to,” he adds.
Also of interest: The neurodiversity opportunity in cyber security
What is the key to helping staff really “get” cyber security?
Rather than creating an Orwellian 1984 environment, it’s about promoting ‘continual awareness’ about cyber security - ensuring staff are focusing on the basics of security, whether be working in the right way or securing their systems correctly.
And finally, Thomas adds: “Keep the cyber security training personal, consistent and...fun!”
You can hear Thomas Christophers, Head of Risk at Thames Water, speak on the “What roles do your staff need to play for a quick recovery?” panel at the R3: Resilience, Response & Recovery Summit. For more details, check out the event here.