A second-year cyber security apprentice from the Department for Transport
I was recently asked to reflect upon my risk management experiences at the Department for Transport. Before writing this blog, I was on the phone to a person newly in post to develop policy for cyber security skills - explaining what cyber security is! This got me thinking of what is the best way to explain what I have been doing and why it’s important.
Simply put, cyber security is like the immune system of the digital age. It ensures that the 1s and 0s flowing around the globe and all of our lives keep flowing in the right way, in the right order, and do what they are meant to when they get there. This is what modern society is based on and, with current events, now more than ever.
I work in the Department for Transport, working on cyber security risks at a systematic level associated with getting people and goods from A to B, within the UK as well as to and from locations globally.
This is a challenge because transport isn’t one homogenous system. It’s trains, planes, trucks, buses, cars, trams, ships, airports, seaports, smart motorways, train stations and rail networks, as well as all of the supporting services and global supply chains that support moving people and goods around efficiently and on time.
Understanding systems and risks is a significant task both in a technological capacity, as there is a wide variety of technologies in use, and in an operational sense as organisations and objectives across the sector are vastly different.
In cyber, understanding the risks feeds into every aspect of managing the security of networks and broader systems. You need to know what you’re trying to prevent from happening so that you can pump resources into knowledge, monitoring, testing, design, assurance and mitigation programs.
To do this we focus on four key pillars: Understand, Promote, Mitigate and Respond. I joined the cyber team two years ago as a career change and since then I have had the opportunity to directly contribute to each pillar.
By understanding the risks, I gain knowledge of the systems and processes involved and what happens when they fail. Through the apprenticeship programme and training I have had the opportunity to achieve 10 different certifications in different aspects of networking and cyber security.
Promotion of the risks seems counterintuitive, but security is more important than it used to be and this needs to be communicated. This is done through engagement activities to ensure the sector knows what risks are present and need addressing.
Mitigation is completed through voluntary and regulatory means, and I have analysed cyber assessment frameworks, which break systems down into processes and procedures. For the Network and Information Systems Regulation, this requires an understanding of the risk that each component of a system poses, and determining if the response from operators is an appropriate and proportionate way to mitigate risks in the system.
Finally, I have had the opportunity to respond to incidents which help the department understand the risk, promote the risk to stakeholders, and mitigate the risk through encouraging attack paths in the rest of the system to be shut down.
Cyber security has a lot of diversity of experiences to offer and they aren’t all making things work by sitting in front of a screen or configuring a network. I have also had the opportunity to contribute to the less technically hands-on risk management aspect of the industry. This enables both myself and DfT to benefit for a while to come.