Oireachtas Joint and Select Committees

Tuesday, 25 May 2021

Joint Oireachtas Committee on Transport, Tourism and Sport

National Cybersecurity: Discussion

Mr. Padraic O'Reilly:

I would agree with what the first speaker said but I would add to it. What I have seen across a lot of different sectors, including the defence sector in the United States for example, is that we have hundreds of thousands of companies that supply up the chain to the primary contractors. Often when one goes into a defence industrial base company that is trying to baseline itself on a cyber standard, it might have two or three people, if that, who are responsible for this. On top of the IT management work that they are already doing, they are having to report out on a standard. Sometimes, if they have a little bit of a budget they will contract with a managed service provider or the like and that will put a process in place but I generally see that such a move might be a one-off and it does not then become a continuous practice.

There is a role for governments, even at the lowest levels. Some of the best companies we have worked with on the smaller end have direct mandates from the top to spend a budget to baseline themselves and then some continuous improvement on the cyber standard. The EU's NIS directive is in alliance with the cybersecurity framework, CFF, and ISO, the information security management framework and other control frameworks are informative references. There are many good standards out there.

With larger companies, we get into big time governance issues. In larger companies there are many different departments, including those that deal with compliance, risk, information technology and operational technology. They often talk to each other but when we get them on calls together, sometimes the right hand does not know what the left hand is doing. This is an issue. They must also justify spend when it comes to fixing things. They might have alarming gaps in a programme and have to take it upstairs but to take it upstairs, they must make a risk-based argument.

The governance structures are not always interested. There has been much talk about cyber being central to governance in larger organisations but at times over here, to be frank, governance structures have been asleep at the wheel. It takes events like this to shake them up and they do but then, sometimes, the hype cycle ends and they move on. Education is a good element of what we are discussing and that also applies to governance structures as well.

There must be teeth behind this as well. In larger sectors I see results if executive pay is sometimes tied to cyber. My company has seen that. It is a complicated challenge as there are resource-constrained companies on the smaller end. Many of the ransomware hacks hit smaller organisations, which can be difficult, as it leads to a scramble. They might not have had time or resources to back up things. That is why they are such a juicy target for attackers. In larger companies there are sprawl and antiquated practices. Much cyber is still drawn on spreadsheets, which is a problem, as there must be central visibility for the practice of cyber inside a company. Spreadsheets do not get the job done. Many large service organisations deliver on the back of spreadsheets. When Mr. George Wrenn and I founded our company, we created software that makes a central repository for the practice of cyber.
