Who would want to be a CISO in the NHS?
Really, who would want a job where something bad will happen at some point and you will be blamed? Oh, and while you are waiting for that bad thing to happen, you will have your budget consistently reduced and be told you can't buy anything or hire more staff to prevent the bad thing happening. Oh, and if you do get some budget, you can't openly engage with the market and certainly won't get to decide what you buy…procurement are way more qualified than you to make that choice. As this thought crosses your mind, you watch yet another middle manager, paid a salary higher than many of the people who actually deliver patient care, walk past. See what I mean?
It's not news now, but I noticed this article was published recently –
It's articles like this that annoy me a wee bit. Let me explain why…
Considering the start of this blog, imagine how it must feel to a CISO or senior IT person in the NHS to read that article. To see in print Rob Shaw (your ultimate digital boss) and Simon Stevens (your ultimate boss) come out with quotes like those in the article must be disheartening. I'm surprised the people responsible for cyber security in each NHS trust have not walked out in protest. The article is not well informed. To call out patching as the root cause is a bit like allowing a knife-wielding maniac to walk into a hospital and stab someone, only to then blame the victim for not stopping it! You would expect a security guard to spot said knife-wielding maniac attempting to enter the hospital, raise the alarm and attempt to stop, or at least mitigate, the attack.
Cyber security is no different. Yes, being fully patched would have stopped THAT version of WannaCry infecting, but what about the next one? The general (and sensible) opinion is that it's impossible to keep everything patched up to date, all the time. Whether it is a lack of resources, a refused change request (think Equifax) or a lack of awareness, there will always be unpatched vulnerabilities. Perhaps the NHS should focus on a more intelligent way to mitigate the risk?
The problem is, security is a bit different from other areas of IT. It's one where customers need to build strong partnerships with specialist cyber security consultancies (like us), but (as is often the case in the public sector) procurement prevents this from happening.
So, Mr Simon Stevens and Mr Rob Shaw, how about you focus on cracking that nut and find a way that gives your beleaguered CISOs the freedom to get the right advice and help? There are intelligent and cost-effective services you can deploy alongside a good patching regime that will enhance the protection of critical data and services. If you want to see some examples, have a look at bigredbutton.io to see what I mean.