Protecting critical national infrastructure through secure cloud

• Critical national infrastructure can be especially vulnerable to cyberattack.
• There may not be an awareness of the solutions that secure cloud can deliver.
• Similarly, there’s a need for more open recruiting in cyber to unlock potential.

As part of our look into the businesses using the UK’s Cyber Runway from Plexal in 2023, we spoke to one of this year’s cohort, Emma Humphrey, CEO of secure cloud specialist Kuro about the challenges of protecting critical national infrastructure, and the role that secure cloud has to play in that. 

THQ:

We’re seeing a lot more critical national infrastructure targeted for cyberattack in recent years. The UK had the Royal Mail attack early in 2023, the NHS gets targeted with a staggering regularity, and so on. How can a secure cloud capability help towards protecting our national interests? And why isn’t it already in place?

EH:

Well, why is it not in place? Why is it not more widely used? Fundamentally, there are two big reasons. Firstly, it’s not widely understood. Explaining the benefits of cloud is like explaining the benefits of a laptop – you can use it for so many different things. And that makes it quite difficult to understand where problems you have and cloud as a solution to those problems interlink.

But the fact is, even if you fully understand the problem you have with a piece of critical national infrastructure, you don’t necessarily know the cloud product you need, or the products to bundle together to actually solve that problem.

Secondly, even if you do understand how the cloud is going to solve your problem, you may not necessarily have the right skillsets available in-house at a reasonable cost to implement it.

So those two things – skills and understanding – are real blockers to cloud, both generally, and particularly in critical national infrastructure.

Fixing the problems.

THQ:

So how do we address those blockers?

EH:

What we try to do as a business is ask what the cloud can do about the threat environment. The answer’s usually “a great deal.” I alluded to the fact that it should be considered almost like a laptop, in that it can be used for anything, really. But we ask questions about how configurable the security environment is, and the many, many layers of security that you can put around your cloud infrastructure.

Taking cloud away from on-prem is much more secure, because there’s no longer a physical asset to attack, which is a benefit in and of itself. The next thing is the business resilience and continuity aspect of the situation. The cloud isn’t a physical thing, and there are benefits in that, in being able to recall your data access and set up alternative infrastructures to give yourself that business resilience if something does go wrong – that is exactly what the cloud is designed to do.

And if we can overcome those first two hurdles, it’ll be a wonderful thing for security posture in both the public and private sector.

Solving problems for critical national infrastructure the military way.

THQ:

As a veteran yourself, you’re pushing to get more veterans into cyber and cloud. There’s a very particular mindset that comes with the military, isn’t there? It’s that “Get it done, get it done right, and get it done fast” way of thinking, yes? How do you expect that to affect the overall cyber posture of a nation?

EH:

Well, veterans are adaptable by nature. And the threat picture is very fast moving, as is the technology that you work with. And what you find is that veterans are very well able to understand the threat and then apply their toolset to that threat. That’s what we’re all trained to do across the board.

The other thing, as you say, is that we have a get-things-done mentality. We go in and nothing is too difficult. Our mentality is “80% now is better than 100% never,” and in security that is a big deal. How can I improve our posture now to the best it can be, because guess what, cybersecurity is never going to be 100% solved.

Soldiers are a lot more comfortable in that position – “I will do the best I can and I will keep improving.” That’s really the mentality that you need within cybersecurity.

THQ:

But there’s more to it, isn’t there, in terms of getting veterans in the door in the first place?

EH:

Definitely. As employers, we need to get better at recruiting these people and taking advantage of their skills. I’m part of many different groups where people talk about breaking into cyber as if it’s a locked Fort Knox of a career, that requires someone to kick down a door somewhere. And that shouldn’t be the case, because it’s a business like any other.

So apply and put your bid in and talk about your adaptability, talk about your confidence. Most importantly, talk about your ability to effectively communicate. It’s something that we all share. Because these are complicated ideas. And they need plain English speakers to bridge the gap between the guys sitting alone somewhere wearing hoodies and the businesses who need to care about what those guys are doing. Veterans need to have that awareness about their own skills.

Getting more women into cyber.

THQ:

That’s a solid point, because there’s that notion of the guy sitting alone somewhere, whereas bringing more veterans in is almost the antithesis of that, isn’t it? Because veterans are trained to get things done, but the fundamental preparation for that is communication, so everyone knows the same “obvious,” so everyone can do the right thing, and do it now.

What’s more, the percentage of women in tech as a whole, let alone in cyber, is still woefully small. How would you encourage more cyber and cloud businesses to be more gender-inclusive as well as veteran-inclusive?

EH:

By not operating as a dark art. What we do in the cyber community is phenomenal. And a lot of it is deeply technical. But we need to be very aware of the language that we use and make it inclusive. There are plain English ways of saying the complicated things, and we should always do that. And within the military, there’s the maxim: “Keep it simple.”

If you’re communicating in a way that doesn’t include the entire audience, then you are not an effective communicator, you are showing off, or you are talking to a very small proportion of people. And that’s not what we aim to do.

So, I think to include more women, we need to make clear that we are a business and there is a role for everyone there. But also, that if you don’t understand the terms, you can learn, and you can adapt.

I mean, I’m a lawyer by trade, and here I am, CEO of a cyber company. It’s not a dark art, and it shouldn’t pretend to be one, because in doing that, cyber is auto-rejecting a lot of otherwise exceptional skills fits.

The other thing is policies.

If a woman has caring responsibilities, it’s a yes or no decision based on whether the job ad says three days minimum mandatory is in London. You’ll rule out a great percentage of the people who are perfectly capable if you do that, people who’d add so much value, because they simply feel it’s incompatible with their caring responsibilities.

So use words like “flexible” and follow through on them. Understanding things like jobshare, shiftshare – let’s make them a reality.

THQ:

Hey, we did it during Covid.

EH:

Exactly, businesses flexed, and they were able to show that it could be done. A lot of industries thrived, including cyber. So, let’s carry forward some of those lessons we learned and include everyone in this picture.

THQ:

In cyber particularly, it’s not like you have to have everybody in the same room to do anything. So why would you insist on the “return to office” mentality?

EH:

Precisely that. So let’s build systems management where transparency doesn’t mean I can see you, it means I can trust you. And it means we have other ways of making sure that you’re communicating.

We did it before and it worked. Let’s do it again, because the value you can get in unlocking skills, from veterans, from women, from people with caring responsibilities and from people with mobility issues, is absolutely worth it.

The veteran mindset and the cyber mindset are practically identical.

In Part 3 of this article, we’ll talk about quantum cryptography – another area getting a boost from the Cyber Runway in 2023.