Oireachtas Joint and Select Committees
Wednesday, 30 March 2022
Joint Oireachtas Committee on Transport, Tourism and Sport
Cybersecurity and Hybrid Threats Following the Russian Invasion of Ukraine: Discussion
Dr. Richard Browne:
It is important to stress that some sectors were well ahead of others in terms of preparedness for cybersecurity. That is backed into sectoral-specific legislation, and banking and financial services are an obvious case in point. Also, in telecommunications, for example, they have 2011 obligations on network and information security, which means they were slightly further ahead. The mentality question is difficult to answer because there is no single unified organisational culture across these organisations. They are very different. The HSE faces huge challenges in balancing a large clinical workload and the care responsibilities for 5 million people with cybersecurity responsibilities that come in on top of all that late in the day, so to speak.
I do not think it is fair to say there is a singular mentality of any kind. There is a broad and much more focused understanding of the risks associated with cybersecurity incidents, not just since the HSE incident but going back years prior to that. There is a growing collective understanding of the things that need to be done to deal with that. The challenge is that some of these changes are structural. They are not just the need to buy better computers, but a structural change to organisations, which takes time. That is happening across the public service, particularly thanks to the work of the Office of the Government Chief Information Officer, OGCIO, the national digital strategy and a much greater focus on unified digital processes.
Across the private sector, some areas are going to struggle, and were always likely to, especially in the voluntary sector. In some cases, such sectors handle personal data, personal information and relatively large amounts of money but may not have strong corporate governance around their function. If members look at our recent baseline standard for the public sector, to our mind this needs to be a governance question and needs to be mainlined as part of corporate governance. When we speak about regulators taking on and mainstreaming cybersecurity as part of their regulatory function, the same argument needs to be made in corporate governance more generally. Work is ongoing with the chartered accountants' organisations to look at exactly that.