Quorum Cyber, NHS and Howden Group on Securing Data
Thank you again, everybody, for being here. And thank you all for a very, very good, diverse group here of panellists with different experiences. Just so everybody is. Whereas a fellow you are founder and CEO of Quorum Cyber, an Edinburgh-based cybersecurity firm. Ming, you are Chief Data and Analytics Officer for NHS England and John, you are Chief Information Security Officer for the Howden Group. Ming, I think I wanted to start this with you. So the topic of this conference, of course, is modernizing IT without disrupting. You know, clearly NHS had a majorly disruptive incident this summer when a blood test pathology contractor was hacked with ransomware and disrupted the, you know, the returning of blood test results for many, many months for many people, you know, across the NHS. Can you talk a little bit about the
scope of your job as Chief Data and Analytics Officer? How much data are you responsible for and how was that incident for you? So my role, NHS England, is kind of the regulator for the NHS, so my role spans a couple of ways. I have kind of 1700 people working for me in data analytics. I'm the kind of head of profession for data analytics across the NHS. So a policy, comms kind of role across the NHS. But we run all the live services for a lot of the administrative corporate data, a lot of the data that's used in collections from trusts. So not every piece of data, but a
significant amount of data. And then obviously my team also run the kind of statistical reporting and the analytics and the insights from that data. And how was that when the contractor got hacked? I know it didn't affect all parts of NHS, but it's significant in a way because I'm not responsible for cyber. It didn't impact me as much as my colleague. He's the CIO who has that accountability.
But it was an awakening call for us because we've heard today, as much as you can update your infrastructure, it takes one thing, one person for that breach to then impact to send in the lab systems. There was a lot of legacy systems there and it was, yeah, I don't want to go into the ins and outs of it. It was actually a big impact and the biggest impact was actually not knowing where our test results were. Not being able to support it was a particular network. It was a large network of labs, which then impacts a number of hospitals, which then impacts a number of GPs. And therefore those patients weren't clear. We had to do a lot of retesting.
So the operational pain of that was quite significant. And to me, that incident, you know, kind of highlights what we would broadly call supply chain security. This is a contractor which is not under NHS, but obviously it does work for NHS, whose I.T. infrastructure you don't control, right? I mean, you can maybe assess it, you can look at it, but you don't ultimately control it. As you were having conversations with colleagues about, well, how do we prevent this from ever happening again, once kind of the smoke clears and you can see daylight again, what are some of the lessons learned from that incident about, well, how do you manage it? I mean, this is kind of the definition of a complex network. It's not even a network you control. What are some lessons learned
from that about how you prevent? So we have kind of standards. I think it is just working through those standards across the entirety of the supply chain more effectively, being a bit more proactive in terms of the way that we test and check and create audits around compliance to those, and really doing our own tests in terms of what's the prevention that we would do in terms of sending out, you know, speculative details ourselves to check the security of the network. I mean, stuff that everybody's doing is nothing new. But, you know, the vulnerability of our networks is only as good as people can, you know, in personal compliance, really. And I think that's hard, you know. So a lot of it is about education. A lot of it is making sure that people, when they get caught, they do so as a Chinese, not just a mandatory training that we do, but that applies to all our suppliers as well.
And we talked about this earlier. But, you know, NHS is one of the largest workforces on the planet, right? 1.5 million people. That's not counting the contractors. And what we discussed was that every person, you know, you'll hear from some of the best protected companies on the planet, you're just one admin away from a ransomware incident, like one admin being compromised away. So if you've got 1.5 million employees
to kind of, you have to train them, right? I mean, that's one of the big takeaways as well, is that each of those people has to feel some sense of agency about what I do actually matters, because I could let in these guys, right? If I click on the wrong thing, this same thing could happen. Like, how have you thought about that? Or has this changed the way that you think about how do you educate a workforce that large and that diverse? Yes, I think it is making sure everyone's aware of the impact of that, not just from an administrative perspective. What you just heard when they I mean, part of what we're doing is simplifying the infrastructure so that we can actually get on top of it.
But the training and the bringing to the fore actually what this means is really important. The NHS is really lucky in a way in terms of most people that work for them, which has a very strong value base. So if you can connect the security with the value of the impact on patients, you get a lot further, that real value of, yeah, turning up every day to do the best thing. We do have a lot of contractors, kind of bank staff who are temporary. They move from one hospital to another. So the actual policy around single sign
on, how do we do that to make it more consistent? It's been one of the major cybersecurity programs across. Without hijacking, let me just challenge you for something. I think it's unfair to place the burden of that moment on every one individual.
So if your entire security strategy is dependent on somebody not clicking on a link, you've done something fundamentally wrong. So in defense of the NHS, I think the complexity of the attacks that they've suffered is not due to one person not following training. If that was what we were relying on, this would have been a disaster.
And much more often than these events. So I think it is more complex than just purely placing the blame or displacing the blame into the individuals. We have a job to do. And if that's what ends up taking the
down, a lot of things feel upstream from that moment. This is something that you've talked about as well, that we've talked about, is that, you know, you've come up through essentially the banking industry, right? Like early on actually built Lloyd's for security funding centre. It was like sorry it was 1933 was you know, was involved with a company called the Dama Security up in Edinburgh, which, you know, built some of the earliest security operation centres for big banks, including Lloyds. And this was, you know, 20 years ago. And so you've seen these networks kind of modernize and grow over the course of your career. And, you know, we've talked a lot about this fact that there's this myth of securing a network completely.
Do you want to talk about that? And it kind of touches on this idea of what's happened with NHS, is that there is this myth that if I buy enough technology, if I hire enough people, my network will be 100% secure. And you think that is just not possible? I think it's a good objective or something good to keep in mind. But you keep that intention with the reality that again, I'm challenging the previous fallacy, which is I don't think you're one admin away from a disaster. Right? There's a collection of things that need to happen. And I think the world learned that no
matter how much we invest in this, we're having this just before things are going to continue to happen. Right? So I think that's where I'm having a crisis of identity about our industry a little bit. And how much are we willing to ask people to invest and still not make this problem go away? Because this is an escalating problem. If this was cancer treatment, we would have taken a different approach a long time ago because it's just not. So I think we've accepted that things are going to happen no matter how much effort we throw at this and we move towards the resilience part of the conversation of, okay, now we need to accept that. We need to stay in the fight even if
we're getting punched. And that has been a change of tack compared to the previous idea of I can invest enough to get away from this problem. That's a refreshing take on how do we stay in the fight even if we are getting hit constantly from different things. Can you talk about, you know, when you meet with clients obviously with Quorum Cyber now, that one of the things you tell them is my goal is not necessarily to make you 100% secure. My goal is to make sure if you get hit, you can continue, like your business will continue. We will resolve the issue for you. What are the two or three ways that companies can think about doing that? Because cyber seems like such a big amorphous problem. How do we get a handle on it? Especially if you have a large number of employees and a large number of users? What are the two or three ways when you go into a company, a new client engagement, that you try to address those issues? Just, I might not be able to do everything, but I will keep you operational.
Look, two quick points. The first one is a philosophical one. I think we need to move them away from this idea that you can resolve this through technological solutions only and that this is a technology problem. It isn't. It is a fundamental business continuity problem. And I think ultimately ended in the long miss of time. Business continuity becomes the overarching umbrella for all of this.
And then the second one is to train and test and make sure that this isn't an abstract concept that lives in a project plan somewhere in the left, that every now and then you distill off to tick the box off. We've reviewed the plan. This has to be muscle memory. And if it's muscle memory, like, it's like the goalkeeper that catches the penalties. You want the guy that's been in the goal and that's caught ten attempts on target. The one that's under the bench hasn't been tested, isn't going to be the most effective one at dealing with the reality of a bad day. So I think good training, good continuous evaluation of the scenarios and actually being in the line of fire I think is super helpful.
And you've told me as well about clients or prospective clients for your firm that will call you and you will go out on an engagement and you will tell them, tell the audience a little bit about these interactions, where you'll get a sense very quickly that the person calling you might be very interested in cybersecurity and security organization, but you get a sense that their management might not be either aware or on board, which is kind of. And so what happens then when you walk into a client engagement and you get the sense that their management might not be fully on board with this? Look, a lot of our time, our industry has evolved through the technical field, right? So the people that are in positions of power are intrinsically technical. They haven't grown through the business. And I think hopefully that's changing. But our field was dominated by geeks that became managers and leaders. And one of the things we've learned is unless we start connecting the rest of the business, risk, operations, audit, legal, we're fighting a battle alone that we can win.
This shouldn't be placed on one individual. The seesaw of an. This is a business team. But in this problem, we're still looking at one human to solve the whole thing. No other problem in an organization that is this important.
Fundamental to their existence is dedicated to human. There's an executive team that deals with this. Cybersecurity isn't the case. So for a lot of the time when you're coming across that one person who's still holding the entire done, the best job that you can do is take a step back and connect them to the rest of the business or bring the rest of the business to understand the problem.
And so you will say to the head of cybersecurity, this meeting is fine. I need to speak to your boss before we will go ahead with the contract, your boss. So just to be clear, I'm not leaping over anybody to talk to anybody's boss. But I think we need to bring more people to the conversation. I think we shouldn't be the only way it works. But I think from a data and analytics perspective, there are so many things in the way that you manage your data pipelines, the way that you go from whether it's role based access control, where in the NHS with very personal data going to purpose based access control, which containerises risk. And that's kind of the view of how
we would do it as well. It's not just the systems that you come in, you know, bringing all the data together in the data lake is fascinating for cyber security people, but we can actually containerise that as well. So I think you're absolutely right, it's a team sport. And unless it's seen as a sport, then you're more likely to fail. And the cybersecurity people I've talked with, I mean, including yourselves, the ones that have management support get a lot more done, right. I mean, when they're behind on that mission. And John, you raised a very interesting
example when we spoke earlier about this idea of IT complexity, right? Howden Group is obviously a global insurance company. You guys have operations around the world and you want to tell the audience how many companies your company has bought in the past year and what that has meant for you as the CISO of this organization.
Yeah, over the last year, about 60 or so companies. You guys bought over 66 companies? So it does create a huge problem. And by the way, I'm not sure I totally agree with some of your points, unfortunately. But, you know, I do see a lot of companies who have underinvested and I think to go a long way to go and, you know, acquire a company and they haven't got the basics, which to your point, really, you know, they're sitting there with remote access with no VPN and they're not doing vulnerability management, they're not getting the basics right. They've got no monitoring systems, you know. So somebody gets in and nobody's watching.
They may have an endpoint protection, but they've got nobody actually watching the console, so they just don't get the basics. So I spend. So what we've done is we have a fairly robust structure of how we handle acquisitions. Obviously pre deal, we do a big due diligence exercise.
We understand what the current situation is to perform a detailed risk assessment. Post deal, I and my team go and do a cybersecurity assessment. We've built a framework around CIS and ISO and a number of different frameworks, but we built a framework with which the team goes in and does a full assessment. We run a series of tools to analyze the environment and we understand where those gaps are and we figure out in a very pragmatic way, from a prioritized way, what we're going to fix to bring the maturity of this business up to a level set standard that we're trying to get the whole of the company to.
I've done that for 64 assessments so far and I'm working to keep that maturity standard. The next thing we do is we look at integrating those businesses into the group organization. So, you know, we've built and invested in a security framework and architecture and we're moving people into that environment. We use Azure; we built a lot of very good tools into that environment to protect and monitor our environment. And we're bringing people into that group and then we can monitor them and manage it for them and support them. I remember learning years ago that one of the most dangerous times from a cybersecurity perspective for a company is the moment between when they announce they've been acquired and when the acquisition actually happens.
Yeah, because if you're a big company buying a little company, the hackers look at the little companies: I'm going to hack you to get into the bigger company. And so with Howden buying 66 companies over the past 12 months, you also mentioned something interesting about what you have to do to reduce the complexity of their I.T. infrastructure. You kind of touched on it, which is, you know, you move to the Azure cloud, that often involves getting rid of their I.T.
equipment, right? Like their I.T. infrastructure has to go, like the physical infrastructure has to go through integration as we are essentially moving their platforms and applications into Azure, shutting down their infrastructure. And so from then on, my team are monitoring and managing that environment for them. We've obviously built a big security architecture, and they're benefiting from that. After we've moved to Azure, then we don't really need their local servers or their local data center. There are some things that we need to manage in the data center, and we've maintained this.
Somebody else was saying there are things that we believe just need to be are not ready for. I mean, it sounds like a huge complex operational challenge to onboard that many companies from that many parts of the world with that many different people and architecture and infrastructure. And it sounds like what you're saying, the cloud, as you just mentioned, gives you a single point of kind of visibility into your security risks and things like that. Is that right? Is that why kind of the cloud as a piece of go instances and in the US and across Europe and Asia and Australia? So I've got Azure instances a little bit, but I have a single framework that's managing all I've got. We use and we've put your products in on all our endpoint servers, we've got MDR monitoring all of that. We've got a small place
that's monitoring our own environments and collecting logs from all of that environment and feeding a single SOC and managing monitoring, all a single point of view. Look, we have a sign up tool which I mentioned before. We use Wizard, we use a up too, which in addition to monitoring, looking for malware, is also looking for vulnerabilities. It's looking at your network, it's looking at Kubernetes and containerised applications.
So it's giving you lots of different information, all of which is getting fed into a single environment. We're watching that all the time. And I want to ask you as well, as you know, we've talked about the security risks of these complex networks, but you've raised a great example of why networks modernize in the first place. NHS, of course, was in the news a lot this summer for a couple of reasons, but one of which was the Palantir deal, right? NHS is now using Palantir and watching it from the outside, like it kind of makes sense why there's controversy or whatever around it, but you have some really good examples of the use of Palantir inside the NHS that have some very tangible effects that we as patients of the NHS can feel and see. Can you talk a little bit about
operating theatres and how Palantir helps you book operating theatres in a much more efficient way? I found this to be a very interesting part. Yeah, so it's quite fascinating how theatres are managed in the first place. So it's a supply chain issue, it's the scheduling, it's the mix of bringing in data from electronic patient records, the rostering systems for staff and staff in terms of the clinician team in the TARDIS, and some of you may or may not know that the mixture of the anaesthetists and the clinician will make the difference between the procedure being the 15 minute procedure or 30 minute procedure.
So you can have your productivity if you have the wrong mix, making sure that the patient has had all their checks and vitals, the COVID test and all those things, if they've done the pre assessment, all of that coming together, we have a business process that the platform has enabled us to inform so we can plan six weeks out, four weeks out, two weeks out before bringing patients in. The platform is actually quite agnostic to whether it's an AI model or whether it's connections. And the workflow is what's helped us. So instead of people planning on bits of Excel and pieces of paper and lots of emailing backwards and forwards, which is, you know, for me it's a logistics issue, they can do all of that in the platform. Now it's not rocket science, but practically it means that for a patient, you know, you can turn up and you don't have to be sent home, because that's one of the major problems: you have to reorganise, just not your life, to have that procedure.
And then you get turned away at the door for staff, for clinical staff, the surgeons, they now own the waiting list, which actually has been a very good psychological difference for them because they feel like they can prioritize the patients where they know they're having pain or worse effects because they actually know that they're less they know their patients really well. This is the human side that I would never take over. They actually know and the patients. So that's great. And what we've been looking at is once we know that mix and the preferences even were going down to the preference of, you know, if you do a stent in the cardiac event, what type of stent a particular surgeon prefers to work with because that's what they've trained and how they're more efficient. Their preference cards are now being digitised so that we can actually make sure the products are available at the right time for the right thing in much more advanced, which longer term.
We were just talking about it today. What I want to have been a supply chain person myself. I want to then get a better deal. That's a pull logistics, rather than the push, and therefore we'll have savings in products as well. But all of that is quite interesting.
The machine learning that we've done, the AI, will now predict the timings and it will offer the clinicians and the scheduling team: this is based on your mixture of availability, this next patient that could fit that slot. So we're maximising the use of theatres and in the results that we've had in the hospitals where we've put the product in, we're saving like 5 to 7% of utilization, which sounds not a lot, but in the NHS, one extra procedure every day makes a big impact on productivity.
So in a bid to change, productivity between 5 and 7% is actually a big deal. I remember at the time, you know, some of the concerns regarding Palantir's involvement in the NHS was the concentration of all this data in one place and that was kind of, you know, what was being debated here. And you talk about it like, is that a security risk? Well, potentially.
But the reason you do it is, as you're describing, you're bringing in this, just one example, you're bringing the scheduling data from all of these different specialists all together in one place to say they're all free at this time. It's a very practical, concrete way to understand if you bring our data together, it might be a security risk. But also the reason why you do any of this stuff is to make sure you can do. We're really careful and considerate. We don't take the entirety of the clinical record, which may have a lot of sensitive information. We only bring the data into the platform that you need for that purpose.
So it's a purpose based access. It's also a purpose based usage. So each of the data elements is considered: what's the data you need? What's the insight you need to make that decision and take an action? So it's very action orientated, which is why the clinicians like it, because it helps them do their job better. Over time, we'll build with the live flows more of a digital twin of the NHS, which will then allow us to do more sophisticated scenario planning, which again will be much more effective. We're also looking at AI in terms of
discharge, creating an automated discharge letter, and some of the testing that we've done with patients, they actually prefer it to the clinical, the clinician written one. If you've ever had a letter when you go home for a procedure, it doesn't really explain to you what it is. We can make it a bit more empathetic with the language simpler through AI. We're now just testing that, we're going through in a human in the loop just to check that that's valid. It is exciting times, you know. But having a platform, regardless of who supplied that platform, has meant that we can actually create our data foundation. It is much easier. The way that we purchase the licenses is multiple instances along a common framework.
So again that segregates the data. So that allows you to connect when you want to connect it. We have very good audit trails of who's accessed the data, for what purpose and what data they've looked at. So that transparency for the public has been quite, a very good security trail. Yeah, very. I wanted to kick this one to you.
I mean, one of the incidents I wanted to talk about was the CrowdStrike outage, you know, earlier this summer, which was one of the best examples to me of both, you know, a technology that is really good at what it does in securing networks, but also an example of how, when you get IT networks that are this complex, a tiny error can cause mass outages around the world. And now very you and I spoke, you know, the day that this happened and something that you said stuck with me is that, you know, your quote was something along the lines of this was an example that as an industry, the security industry is moving too fast. You talk about what that means in the
context of. Yeah, and just for the record, it wasn't something we said. It was a security and yes, it was an outage, but it wasn't a security incident, which is important, different to some of the other examples. I think it does show how interconnected this whole thing is. Right.
We've built a deck of cards on some pieces that are fundamental to the operational society. CrowdStrike is a huge part of the market, the same as Microsoft's. Some of the other names that we better run today. And I don't think we've put a lot of
care into the resilience of that architecture because it is moving fast, too fast. I don't know what too fast means. I just think society hasn't had a conversation about the risks that we're willing to trade off for that innovation and that potential benefit. And that's part of the conversation we're having here. I think the NHS is probably behind what society wanted it to deliver, but I think some of the adoption we've done in other aspects of society have moved faster than in. Nobody can fly for 48 hours because CrowdStrike doesn't update. That is not well managed. And as you point out, CrowdStrike was not hacked.
This was an update of theirs that they had developed and it had a glitch, it had an error. And that error caused this cascading. And it wasn't even CrowdStrike. It was CrowdStrike's interaction with Microsoft. And it was the contact between those two that failed. So this is complex and we haven't really
made it any simpler and we're not making it any simpler. And now we're conceding control to black boxes. Now, John, you had personal experience with this. Do you want to talk about the CrowdStrike incident and kind of what that day was like for you? It wasn't a very good day. I was at my feet.
I was putting my toes on my loungers on holiday when I took the call. And my team leader told me that this has happened and it took 930 servers and took about 500 laptops. So we had a major issue and it's kind of lucky it was on a Thursday morning, early morning, and a lot of people probably go home on a Thursday night, turn the laptops off and not on until Friday morning, if they do turn one on. And so the user impact was a little bit minimal but the server impact was quite massive, but my team managed to recover all by the end. Before Monday morning we brought back about 930 servers and over the weekend kind of support where we can hold it, but we managed to get it back up and the business was like, well, look, it didn't touch us. No, it did touch us. They just didn't know that it touched us.
That's how you do your job well. So what does an organization like yours, what do you learn from an incident like that? Because you're not just going to take your CrowdStrike software and throw it out, because this is just a function of our increasingly complex IT system. What lesson do you take from that? What do you change? What do you do to reduce the likelihood that something like that could happen again? Oh, actually, after every major incident like that, we run what we call corrective actions.
So we run a continuous improvement activity and we invited CrowdStrike in to explain what happened. And so they came and talked to us and we went through the records. We made some changes. But one of the things that we definitely looked at is what were the other single points of failure in my infrastructure where they're making changes that I don't control, and identify what those are and then make sure that we've got you found more with the others. Microsoft is going to be one of them, but there are others. I'm a big user of Mimecast, for example. If Mimecast did the same thing, it would probably take my systems out for a
period of time, for example. So, you know, looking at what are the contingencies you're going to build in and how can you recover faster. It is a teaching moment: identifying single points of failure, building some controls around those. That's one way to manage, as you were saying, this increasingly complex nature of these IT networks. We do have some questions here.
Don't have a lot of time, but we'll get through some of these. This is for Ming. How do you see the proposed league tables for the NHS impacting or disrupting your role? I wasn't expecting that question. Very specific questions. My team report on the league table.
So we report on performance every day so it doesn't really change what we do. Okay. And then the next question is, I guess, for everybody: why opt for an American AI provider for NHS versus going with a national company? I'm not sure I understand that question.
Well, I do. Why Palantir? Why not a UK company? We went through a public procurement process. Everyone was able to bid for that work and they came out the best. Right, now we are almost out of time here, everybody.
I really appreciate your time here today. I mean, obviously we could continue this conversation for a long time, but I appreciate all the perspectives you guys were able to provide. And thank you for being here. Thank you very much.
2024-11-17 03:13