Richard is the Chief Technical Officer at Salford Royal NHS Foundation Trust, which he joined in 1998. His responsibilities range from infrastructure provision and digital equipment to cybersecurity.
The most difficult challenge was initially dealing with cybersecurity, but there has been a huge transition in how we view it. It used to be seen as something we did alongside the ‘day job’, but now it has taken a much more central role. The main challenge is embedding cybersecurity culture and awareness into teams, and ensuring that security is dealt with in the right way at all levels. Part of my role is to introduce cybersecurity topics to the board, to make sure leadership are aware of the risks that the organization is presented with. How these risks are perceived will then influence our strategic direction when it comes to cybersecurity.
Security executives should first become aware of the language they are using, and change it if necessary to suit their audience. Many of them come from a technical background and speak in highly technical terms. People from other backgrounds will struggle to understand cybersecurity if it is presented in a highly technical manner, and they may consequently fail to realize its importance. Analogies are powerful ways to help translate to a non-technical audience. It comes down to understanding your audience, including their backgrounds and motivations. This has been one of the most important things I have understood in the last couple of years.
I think a lot of people don’t understand cybersecurity and how it could impact on them personally or on the organization they work in. People tend to view it as something that restricts people, rather than being an area that protects them. Most organizations need to do a better job of embedding their security team into the wider business culture. Security measures should be viewed as coming from within the organization, rather than as something alien. Another important aspect is to foster a transparent culture between employees about cyber risks, and have everyone be willing to report their mistakes.
Medical devices now have far more digital capabilities than ever before, but with this comes a higher risk of these capabilities being exploited. Hacking groups are aware of the value of the information held in these devices. Unfortunately, I see this risk increasing over the coming years as everything becomes far more digitally integrated. Another risk unique to the public healthcare sector is that funding tends to be very tight. Usually, cybersecurity is viewed as a cost-avoidance tool by decision-makers and is not prioritized enough as a result. This makes attracting and retaining cybersecurity talent, as well as having the right level of security in place, important challenges. The Salford Royal NHS Foundation Trust is fortunate enough to have a great team, but many other organizations struggle to retain talent.
It’s all about the relationships you have with the key influencers in your organization. You could be doing all of the right things but if you don’t have the right support at the right level then you won’t achieve anything. It is also extremely important that you establish a cybersecurity performance baseline when you are just starting out. A lot of people start changing things as soon as they start, but if you can’t compare your changes to anything, then you won’t know if you’re improving. Therefore, the first thing you should do is simply observe and establish a baseline for yourself of what is going on.