John Whitehill is PwC’s Cyber-Security Director. Colin Slater is the company’s Cyber-Security Partner. In the run-up to the 2017 Scottish Cyber Awards, DIGIT caught up with them during a visit to the office of local cyber security expert, ZoneFox.
DIGIT: You both operate within a global company. How does Scotland’s tech sector measure up to the international markets you deal with?
John: “I think in Scotland what’s unique is the range of industries that we face up against – everything from financial services to oil and gas, to pharmaceuticals, to research, to public sector; small, medium and large business. And the range of business that we speak to is quite exceptional.
“Scotland’s tech community compares favourably to other regions that we see. I think what does set it apart is the access to university-educated talent that we can get, and I think that organisations are waking up to the fact that we really are well-placed with skilled students on our doorstep. I think it’s also fair to say that Scotland is a commercially attractive proposition for many organisations – as the cost of living, transport and capacity nears being full in other cities, Scotland provides another option for organisations. And it’s truly not that far away from London and other financial centres.”
Colin: “Scotland demonstrates a slightly different footprint to the rest of the UK. We have to cover everything – oil and gas, financial services, utilities, public sector, health, you name it. What is really interesting about Scotland though is that actually the threat is exactly the same as all around the world. I’ve spent half my life living over in Asia-Pacific – everything we see here is everything we see there: different time zone, different accent, but exactly the same.
“What’s good about Scotland’s tech industry is the way we’re responding to the cyber-threat by spinning up new businesses that are actually relevant. There’s a lot of cyber-startups when you look around the world and you map them. But what I see in Scotland is a really focussed view of actually what’s going to make a difference. We’ve got some brilliant examples of phenomenal startup businesses – things like ZoneFox and Skyscanner. But for every one of them there’s probably 10 or 20 small startups that could be the next one. And these are all focussed in on things that will make a difference. And that’s a little bit different – it’s definitely not jumping on the bandwagon.”
DIGIT: With the recent attacks, how is the threat of cyber-security changing?
John: “I think what’s made cyber-security more and more real in the last 12 months are some really high-profile incidents. Everyone remembers the WannaCry and Petya ransomware attacks. I think the incidents really adjusted public perceptions about how real the threat is. I think when we see incidents that affect national institutions like the NHS, all of a sudden it goes from, “That won’t happen here”, to, “This isn’t feeling very comfortable. Not only my business that I work in but my own personal identity is somewhat at risk.” I think that really shifted the dial of how real the threats around cyber-security actually are.
“I think a lot of universities are adjusting their course offerings to really fit in-line with where organisations see growth. We see a lot of growth in areas such as machine learning, artificial intelligence, robotics, Internet of Things. I can already see universities starting to offer up courses there that are going to give us some really good well-educated students for the future.”
Colin: “Cyber-crime has evolved massively. If we go back 25 years to when I started in security, I never envisaged every single day picking up a newspaper, and reading a story about cyber-crime and cyber-security. It was an annex of technology, but we all know that it’s not that anymore. I’ve spent most of my life now advising boards, chief executives, non-executive directors about risk. And that’s all that cyber is – it’s nothing more complicated than that.
“There’s a lot of perceptions of people in hoodies, and, “it’s all done in the back room”. It’s not. It is an organised cyber-threat. It is a well-put-together crime. They don’t have rules, they can do what they want and they’re really well-organised. That’s what we have to deal with as professionals all day, every day.
“This year we’ve seen some of the most impactful cyber-events ever. We saw the SWIFT payments stuff last year, which I described as the ‘bank heist’ of my generation. What we’ve seen this year is massive disruption – that’s not going to change, it’s going to get worse. If you look at the changes we’ve got in terms of automation, in terms of the way that we do payments, we’ve got blockchain, issues around our identity – this is actually the core of our society now. Security is right in the middle of that. You cannot launch any business without thinking about your footprint – what you do personally, how you manage your own persona, what it means for your business, the risk to your business, and ultimately what could possibly go wrong. And that’s what businesses really need to start at: thinking, “What are the events that could catastrophically end my business?” …it’s quite serious. You have to go there, experience what it feels like and then plan for it to happen.”
DIGIT is the official media partner of the Scottish Cyber Awards which take place in November 2017. Nominations for the award close on Friday 8th of September.