Oireachtas Joint and Select Committees

Tuesday, 25 May 2021

Joint Oireachtas Committee on Transport, Tourism and Sport

National Cybersecurity: Discussion

Mr. Pat Larkin:

I thank the Deputy for the question. There are a number of key principles that differ. I would call it a defence mindset rather than a compliance mindset. If one focuses on compliance one is just trying to achieve compliance but if one focuses on defence and protecting what is important to the organisation, then one is much more centred on the robustness and resilience of the organisation. Board level involvement, top-down engagement from the top level of the organisation and a commitment to cyber resilience and cybersecurity are important to the business. That involves communication upwards from stakeholders in the business to make the board aware of that and to be transparent with it on the exposure it faces, the maturity the organisation is at and the work programme it needs to undertake to achieve that resilience. It is important to point out that it is a journey and not a destination. There is no point at which an organisation is entirely resilient or mature. It has to commit to the ongoing journey.

Back to the second speaker's point, organisations need to bring standards and measurement into play to assess matters. There are standards so we do not need to reinvent the wheel. There are standards like ISO/IEC 27001, which is a well recognised standard. It puts in place an information security management system and governance in an organisation. It is objectively measured and assessed periodically by an auditor and then that builds a structure by which an organisation can then layer in the people, process and technology controls that make it mature and resilient.
