Oireachtas Joint and Select Committees

Tuesday, 25 May 2021

Joint Oireachtas Committee on Transport, Tourism and Sport

National Cybersecurity: Discussion

Mr. Pat Larkin:

I thank Senator Dooley for his question. In general terms, the commercial sector has a slightly different mandate from the public sector and it comes back to the aspect of mindset. In most cases, there is a very clear imperative. We were shouting into the wind five years ago when we were trying to educate boards about the importance of cybersecurity and the need to do something about it. The frequency and degree of crime and the resulting cost to organisations have ensured that data awareness now definitely exists. Boards are bringing in businesses like ours to do cybermaturity assessments and assess organisations' readiness because they are interested in protecting shareholder value. Customers vote with their feet if there are breaches. Therefore, apart from the direct cost of an incident like a ransomware attack, or something like that, the tail cost is far more significant. The clean-up costs, regulatory fines and related loss of customer confidence and revenue are huge factors. This has ensured that boards are now intimately aware of the risks of cyber infrastructure and they are giving a mandate to their organisation to protect their revenue and customers. The mindset now is a defensive one, namely to protect the business and shareholder value. A clear mandate is coming from many boards to do that, and, therefore, there is a matching resource commitment from the top and a budget to do that.

I suggest that mandate is probably less clear in the public sector and in the Government. There is more of a compliance mindset. The National Cyber Security Centre, NCSC, is also a regulatory authority for the European Union's network and information security, NIS, directive. While it is a good framework and a step in the right direction, we must return to the fact that these are critical State services, such as health, telecommunications and power etc. First and foremost, we need to secure those services. If we do not do that, then the State and its people will suffer and so too will prosperity, because foreign direct investment, FDI, companies will vote with their feet. That portable wealth and capital which exists in Ireland will simply move abroad. If we are below par in cybersecurity, such wealth will move. I refer to the State adopting a mindset which regards cybersecurity as critical to societal progress and prosperity and the protection of those aspects and not some notional compliance in respect of the EU concerning GDPR or NIS. Do not get me wrong, compliance is important. However, if we approach this issue from a mindset which views it as critical to our prosperity, services, economy and people, then that is a different mindset. It is a mindset which leads to carrying out risk assessments and maturity capability assessments to protect against threats and putting programmes in place to secure the cyber infrastructure. That mindset may not be as obvious in the Government and public sector, but it needs to be.
