What does the UK’s new Cyber Security and Resilience Bill actually mean for mid-sized businesses that sit quietly inside complex supply chains, often assuming the rules are aimed at someone else?
In this episode of Business of Cybersecurity, I sit down with Jason Revill, Global Security Practice Technology Lead at Avanade, to unpack why this legislation represents a genuine shift in how cyber risk will be judged, enforced, and felt across the UK mid-market. While much of the public debate has focused on critical national infrastructure, Jason explains why managed service providers and mid-sized firms are now firmly in scope, particularly those that underpin larger enterprises. Mandatory incident reporting, tougher expectations, and turnover-based penalties are changing cyber resilience from a technical concern into a board-level business issue.

We explore why outsourcing cybersecurity no longer reduces accountability, even though nearly half of UK mid-market firms rely on third parties to manage their defenses. Jason shares real-world insight into how supply chain vulnerabilities are driving a growing share of breaches, why identity and access management has become a weak link, and how attackers increasingly exploit trust between organizations rather than technical flaws alone. The conversation also looks at the rising threat of legal action following breaches, with group claims against well-known UK brands signaling a wider shift in public and regulatory expectations.
Crucially, this is not a fear-driven discussion. Jason offers a grounded perspective on how mid-sized organizations can move beyond checkbox compliance and embed security into everyday operations without grinding the business to a halt. We talk openly about cost, trade-offs, and why resilience planning only works when it is owned by the whole organization, not just the security team. For leaders heading into a new year facing tighter scrutiny and higher stakes, this episode offers clarity on what good looks like in practice and how to start building it.
If cyber resilience is quickly becoming a license to operate rather than an optional safeguard, how prepared is your organization for the expectations that customers, regulators, and even the public are about to place on it, and what would it take to get ahead of that curve rather than react after the fact?
Useful Links
Tech Talks Network is sponsored by Denodo
[00:00:06] - [Speaker 0]
Welcome back to another episode of the Business of Cybersecurity podcast. Now when we talk about cyber risk, it is still all too often framed as a technical issue, something that only matters to the biggest enterprises or critical national infrastructure. But that framing is starting to fall apart, and fall apart very quickly. So in today's episode, I'm gonna learn more about why the UK mid market is finding itself firmly in the spotlight. I'm gonna be joined by the global security practice lead at Avanade, and we're gonna talk about the UK's new Cyber Security and Resilience Bill, what it really means in practice, and why managed service providers, suppliers, and midsized firms are suddenly carrying far more responsibility than many realize. And yet, we'll also get into the real world signals that something is shifting. For example, both my guest and I have heard radio adverts encouraging people to join group legal action after breaches at household names like Co-op and Marks and Spencer. I keep hearing these radio ads pointing people to join the claim.com.
[00:01:20] - [Speaker 0]
And this got me thinking that there's a growing expectation that cyber resilience is no longer optional. It's about accountability, supply chain risk, and why cybersecurity is fast becoming a license to operate rather than just another IT problem. So if you work in, supply to, or depend on the mid market, this is an episode you should not ignore, and it's packed with insights along the way. But before I get my guest on today, I wanna give a quick thank you to my friends at Denodo, who are playing a big part in supporting this show. Because one of the questions I hear more and more from listeners on this podcast is, why does AI succeed, or why does it fail?
[00:02:01] - [Speaker 0]
Because let's be honest, AI is moving fast, but success is often still elusive. Now most projects fail not because of the AI, but because the data foundation isn't ready. This is why organizations are increasingly turning to Denodo. Denodo delivers trustworthy and AI ready data without the need to copy it everywhere. Essentially, you can optimize your lakehouse, accelerate agentic AI, and build data products that finally make self-service real and achievable.
[00:02:36] - [Speaker 0]
And with a powerful partner ecosystem, teams get to value even faster. So if you're ready to understand why your AI projects fail and how to succeed with AI, simply visit denodo.com and take control of your data world. But enough from me. Let me officially introduce you to my guest right now. So thank you for joining me on the podcast today.
[00:03:02] - [Speaker 0]
Can you tell me a little about who you are and what you do?
[00:03:06] - [Speaker 1]
Sure. Thanks for having me here. My name is Jason Revill. I lead Avanade's global security practice. What does that mean?
[00:03:14] - [Speaker 1]
It means I'm responsible for the direction of the skills, the learning and development, the offerings that we take to market with our customers, and the relationship with Microsoft Security from a global perspective. And I also work and operate in the UK, you know, working very closely with clients, because we've got to stay close to the clients. That's where all the real stuff is happening.
[00:03:37] - [Speaker 0]
Well, it's a pleasure to have you join me on the podcast today. One of the things I try and do every day is demystify a different area in tech, in particular cybersecurity. And, of course, the new Cyber Security and Resilience Bill represents a major shift in the UK's approach to digital risk, and we have seen a lot of headlines this year, from Land Rover to Marks and Spencer. And I think most headlines are framing this bill almost entirely around critical national infrastructure. But I'm curious, from your perspective and everything you're seeing and hearing, why is the mid market actually one of the most exposed groups under this legislation?
[00:04:15] - [Speaker 1]
Yeah. I think, in a way, it's a very positive shift from the UK. Right? Bringing the focus to more sectors, more organizations, and acknowledging the fact that, you know, there are these quite complicated supply chains that actually are required to keep a business operational. And if you're a part of the supply chain, if you've chosen to be in the game of being a critical supplier to a big company that affects a lot of the UK or global population, then you've maybe got some responsibility to ensure that you're able to maintain certain levels, certain standards, certainly from a security perspective.
[00:04:57] - [Speaker 1]
So I think it's pretty positive from that perspective. But I think the extended scope to include more mid market organizations is interesting, because it captures a lot of managed service providers as well that are in that midsize space. So if you're either a midsize organization or a midsize managed service provider and you suddenly find yourself in scope of this, that's going to mean you've suddenly got a new set of financial risks that you need to be aware of, and that you would hope would significantly influence your strategy and where you invest. Because the risk now is that you're either not compliant, or you lead to a compromise or a breach that is gonna effectively impact something major or someone major in the UK business landscape. Right?
[00:05:54] - [Speaker 1]
And you're gonna be accountable for something that's associated with that.
[00:05:58] - [Speaker 0]
And I also think mandatory incident reporting and turnover based penalties completely change the risk equation here. So how does that alter the boardroom conversation for mid sized firms, especially for anyone from a mid sized firm listening that might still be seeing cyber risk as, hey, it's more of an IT issue rather than a business one? Is that conversation changing now?
[00:06:22] - [Speaker 1]
I would hope it starts to shift the view that security is more of a license to operate than it is a nice to have, because, you know, you wanna keep the business going. You could almost see it as a differentiator as well. Right? You know, if you can demonstrate super high levels of security using frameworks and standards that your peers or your target customers are gonna recognize, it's gonna help distinguish you from the next MSP or the next mid market organization. So I would hope that, by bringing this level of attention, it will shift that focus.
[00:07:02] - [Speaker 1]
As I said, that license to operate is quite a key term. You know, you wouldn't go into business without business insurance. Right? Or, you know, you wouldn't go into business without having a strong product lineup. Well, really, you shouldn't be going into business without a strong security posture to be able to keep you in business and keep your customers in business as well.
[00:07:25] - [Speaker 0]
And something else we've got to highlight, of course, is that nearly half of the UK mid market businesses out there outsource their cybersecurity. So what new accountability challenges does this bill create when responsibility is shared across internal teams, MSPs, and third party vendors? It feels quite complex and disjointed.
[00:07:46] - [Speaker 1]
Yeah. I mean, it's a particular challenge for the UK because, you know, I can't remember the exact stat, but a very high percentage of the UK is made up of these mid sized and small companies. You know? There aren't as many, you know, there are no Apples or Microsofts or Nvidias kicking around. Right?
[00:08:07] - [Speaker 1]
You know? So there's a huge middle layer that is fairly unique to the UK. And then as part of that middle layer is this other middle layer of managed service providers keeping them all running. And generally, that's because these smaller businesses struggle to bring the talent in. They struggle to have the maturity in how to operate the business.
[00:08:28] - [Speaker 1]
So they kind of outsource the problem. But that's built up a new problem, in that it's built a very competitive landscape across the MSSPs in that mid tier. And I could tell you the margins there are already pretty thin in some places, right, when it comes to commodity services and so on. So I think it's very interesting in terms of then imposing this additional level of responsibility, because that's going to boil down to an investment or a cost at some point, either a risk that they write off or a risk they choose to do something about, which is going to have a cost. That's possibly going to lead to increasing service costs from the managed service providers.
[00:09:10] - [Speaker 1]
It could really start to change the landscape in terms of how much do you swallow in your margins versus how much do you pass on to customers, especially when it's been imposed upon you. But what's also interesting is there's no real framework. There's not a certificate you can go and get to say, hey, I meet the Cyber Security and Resilience Bill. You have to look at the existing landscape: you can look at what the NCSC can provide, and you can go and get Cyber Essentials, or you can go down an ISO path and get audited against an ISO standard.
[00:09:48] - [Speaker 1]
But these are still investments. These are still costs that people have to take into account.
[00:09:54] - [Speaker 0]
And another area I wanted to highlight was the fact that supply chain vulnerabilities now account for a significant portion of recent UK breaches. So under this legislation, what does good enough security look like across a supply chain, and where are companies most likely to fall short? I'm sure you've seen a few examples. Don't give me any names, but anything you can share here?
[00:10:18] - [Speaker 1]
I think this is a bit of a shared responsibility. I think for companies outsourcing, there is a burden on them to improve and implement controls that, for example, can strongly verify any MSPs and their interactions. Because clearly, you know, Scattered Spider has proven this: if you can find out who the vendor is of a company, you can quite easily spoof them if the help desk process isn't as tight as it potentially could be. Who is to blame in that scenario? Right?
[00:10:54] - [Speaker 1]
It's more likely gonna be the company doing the verification than the company being spoofed. Right? On the other side, for the MSSPs, you know, they're often running in shared service modes, supporting lots of customers. If all of these customers are going to tighten and improve their controls, that's going to introduce more operational complexity for them, because you can guarantee they're not going to standardize on any one type of solution to do things like verification or access or strong authentication or anything such as that. But similarly, those MSSPs are also going to be more frequently asked by their customers: prove your posture, show me you're secure, tell me your controls, because the customers will be looking to mitigate the risk by saying they've assessed their MSSPs against some sort of standards.
[00:11:44] - [Speaker 1]
Right? So it's gonna be quite cyclical. In my view, the companies that outsource are gonna need to invest to strengthen the controls that enable access for MSPs, both how they verify those MSPs and the people aligned to them from those MSPs, and the security method that they use to gain access. And we see it day to day. Not enough strong identity and access management controls are in place, even in large mature enterprises.
[00:12:16] - [Speaker 1]
Even when you scale that out to nonhuman identities, the new AI identities, and so on, the controls just aren't there. Right? So the investment in IAM, especially in verification, I think will be really key. And for the MSPs, being really ready to demonstrate their posture and be flexible as these new controls come flying at them. You know, I've seen, especially in the OT space, MSPs dictating how they access and the way they operate.
[00:12:48] - [Speaker 1]
I think that's gonna have to shift, because it's gonna have to meet more modern standards, more rigorous standards, to be able to keep the threat actors at bay.
[00:12:58] - [Speaker 0]
And for anyone listening inside an organization that's embedded in larger enterprise supply chains, I'm curious. How do you see this bill changing the expectations that are gonna be placed on them by customers, partners, and even regulators?
[00:13:14] - [Speaker 1]
Well, it's interesting. I was in the car last night coming back from the gym, which is a luxury certainly these days. And I heard on the news, come and join the group legal action lawsuit against the Co-op because the Co-op membership was compromised. Your details have been stolen. Now I need to do more research, but that's the first time I've just been sat in my car or something and heard of a cyber incident leading to a group action lawsuit that affects the UK population.
[00:13:52] - [Speaker 1]
These could be going on all the time, but I've never heard them advertised on the radio. And I think what it triggered in me was, well, hang on. How are they gonna demonstrate that Co-op were negligent in that example? Where is this path gonna lead, where there are law firms out there that will just chase these lawsuits?
[00:14:16] - [Speaker 1]
Because if they can get enough compensation, they'll get enough percentage out of it. So where and how far is that gonna go? Right? You know, JLR caused a pretty significant impact on the whole UK economy. Where is that gonna go?
[00:14:31] - [Speaker 1]
Right? Will the suppliers start raising a group legal action because of the lost revenue, because of their cyber posture? So I think it's going to be very interesting, not just from a, you know, the cyber bill is going to introduce fines, penalties based on revenue, fine. They'll have to demonstrate they will actually do it to really get the risk in the red. You know, GDPR had this issue, right.
[00:14:55] - [Speaker 1]
Like, will they actually enforce it? And, you know, it kinda turns out they did. Right? And you can actually track where the GDPR fines have been issued. The UK is gonna have to demonstrate it's gonna go after people that are negligent and weren't able to meet the standard, but that's only one expectation of risk.
[00:15:13] - [Speaker 1]
The other now coming, you know, just based on what I'm hearing, now you've got the customers or the general public as a risk because they're not happy about your security posture. And I want my piece of the pie that these legal companies are pulling. I mean, you know, plenty of people will jump on that bandwagon. Right? I'm one of the people affected by the Co-op breach, but I'm numb to the fact that my PII has been stolen by now.
[00:15:40] - [Speaker 1]
It's like, I've got strong MFA. You know, have a good time with my PII. But a lot of people will be really upset by that and will wanna go and get some sort of remuneration, just for the chance of remuneration. Right? So I think it's gonna be very interesting as that political landscape shifts to holding these companies, almost saying they're negligent by allowing, not allowing, because you can't allow a cyber breach to happen, but you can have weak controls. You can have low maturity.
[00:16:13] - [Speaker 1]
Right? So it's gonna be very interesting from that standpoint.
[00:16:18] - [Speaker 0]
And I'm glad you raised this because I've got a very similar story. I was on a car journey just two days ago, and there was an advert on the radio for join the claim against Marks and Spencer and their data breach claim. And same as you would do after it, I went straight onto the Internet and, oh, let's have a look. Join theclaim.com. What's this about?
[00:16:37] - [Speaker 0]
Straight away, I can see 10,000 plus people have signed this from that radio advert, and there's 10,000 people on board of this group action. So you mentioned the Co-op. It must be a bit of a trend that we're beginning to see here.
[00:16:50] - [Speaker 1]
Well, it's interesting that you're seeing it as well, because it did feel new. I was like, oh, you know, I get diesel emissions scams, and all of this was the last frontier. But now suddenly, well, a company I gave my PII to has been breached. I want some money for that. You know, I could certainly somewhat understand it with the JLR case with the suppliers.
[00:17:16] - [Speaker 1]
Right? Because that genuinely led to impact and, you know, more than 900,000,000 of lost revenue, right, in that sector. But even so, you know, how can you demonstrate that they were negligent?
[00:17:32] - [Speaker 0]
Yeah. Traditionally, if we look back, compliance often becomes a checkbox exercise. What does it take to embed compliance into day to day operations without slowing the business down or creating just pure security theater, which we might have seen in the past? Anything you've seen here on getting it right? Because, again, it's a tricky balance.
[00:17:54] - [Speaker 1]
I think getting it right is a tricky one to say. There's a lot of operating model things to consider here, because risk teams are often separate from cyber teams. We have cyber teams focused on control implementation, response, containment, etcetera. Risk teams focused on demonstrating the business is compliant. And there's often a gap in between that, right, which is, well, yes, maybe we're demonstrating compliance, but actually this control is a bit weak.
[00:18:26] - [Speaker 1]
And I'll keep picking on the help desk one because that's a particular pain point at the moment, right, that certainly led to the M&S and Co-op scenarios and others. If one of the controls was, you must have a robust process for help desk verification, a response to that could be, yeah, we've written a really nice procedure. Is that really good enough for the threat actor landscape and the level of maturity of AI impersonation? Is a paper based process, with maybe a few easily defined security questions, enough? And I think if organizations, and I'm definitely not saying we've got the magic bullet and it's easy, but if compliance could be more integrated into cyber and engineering, and genuine proactive maturing of controls, and budget and space to do it, then I think you'll get to almost compliance engineering. And you'll have much more ongoing improvement across the business. You know, as we said, improvement seems to happen in point solutions or large scale transformations at one point in time.
[00:19:44] - [Speaker 1]
Right? But the threat landscape doesn't move like that. It's evolving. It's not a program. The threat landscape isn't just a point in time program or problem.
[00:19:54] - [Speaker 1]
Right? It's always changing and evolving. And if you can lean on compliance to lead you, you know, your gaps and your maturity scores can inform your engineering, maybe that would be a great way to get going.
[00:20:10] - [Speaker 0]
And preventative controls and resilience planning, a conversation around these things on a tech podcast, they all sound incredibly sensible. But on the flip side of that, they do cost real money. So how should those mid market leaders that we were talking about earlier be thinking about balancing investment in prevention against the very real financial and reputational cost of an incident? I saw a report recently. I think it said it can take an organization five years to get over the reputational damage, for example.
[00:20:39] - [Speaker 0]
But anything you can share around getting that balance right too?
[00:20:43] - [Speaker 1]
I mean, there's a lot of research, and there's a lot of public information about the cost of a breach. Right? And anyone can, you know, search today and it's, you know, 5,000,000 over here and 8,000,000 over in the US. I think those numbers are a little bit misleading. JLR admitted to losing 196,000,000.
[00:21:08] - [Speaker 1]
The overall impact was in the 1,900,000,000. That's a far cry from $55,000,000. Right?
[00:21:16] - [Speaker 0]
Yeah. Yeah.
[00:21:17] - [Speaker 1]
So the cost of a breach number maybe needs to evolve a little bit in terms of the total business impact number of a breach, perhaps. And I think that is the calculation basis. Right? And when you tie that in with cyber resilience, you know, the cost of a breach isn't just they got in, they stole some data, I'm gonna have to pay some fines, I'm gonna have to maybe remediate. It's, you know, well, what would it cost you to totally rebuild your entire IT infrastructure whilst you're still trying to run your day to day business operation?
[00:21:51] - [Speaker 1]
And that is an incalculable cost for most companies. And we're seeing a great shift from a cyber resilience perspective into putting in models like minimum viable companies or lifeboats, which are a lower initial investment but give you an option to fall back to should the worst case happen. Right? But even then, you're needing the entire business to get behind it. It's not just a cyber initiative anymore.
[00:22:19] - [Speaker 1]
Right? It's an entire business resilience initiative. And just even getting the mind space in all those people, you need board level backing to get something like that off the ground. And that's the tricky thing with resilience and these larger scale preventative actions: actually, you really need the whole business to be behind it. You need the CEO to be pushing this.
[00:22:45] - [Speaker 1]
The board needs to be holding them accountable for doing it. Right? And they're not easy to do. They take up a lot of time. It's not BAU.
[00:22:55] - [Speaker 1]
You know, we need to carve time out of our, you know, like, now is the worst time, right, especially for retailers because of Christmas and everything. But if one of them went down now, oh my goodness. Could you imagine? Mhmm. Right.
[00:23:11] - [Speaker 1]
So the investment into these models needs to happen sooner rather than later. There will never be a good time to start. I mean, obviously, right now is probably the worst time, but that's where I think the investment needs to be really anchored in, because it's not made up. This can happen to any company that's providing services.
[00:23:33] - [Speaker 0]
Yeah. Completely agree with everything there. And, obviously, we're at that magical time of the year where businesses are starting to think about a new year, doing things differently, how they can better prepare and increase resilience, all that good stuff. So if we were to look ahead and give everyone listening maybe a valuable takeaway, are there any practical first steps that mid sized businesses should be taking to move from that reactive compliance towards genuine cyber resilience, that utopia, before enforcement pressure really starts to bite and nag away there? Anything they should be doing now or at least thinking about doing in the new year?
[00:24:10] - [Speaker 1]
I mean, it's very easy for me to just say it, right. But, I mean, generally, it starts with having a very comprehensive maturity and risk conversation against one of the frameworks that the Cyber Security and Resilience Bill recognizes as being reflective of a good security posture. Right? Whether it's, you know, NIST, ISO, Cyber Essentials, and so on. Understanding all of those controls, your current maturity against them, and being very honest about your current maturity against them.
[00:24:45] - [Speaker 1]
You don't just wanna do it as a tick box exercise. Like, yeah, we hit level three out of five, or we're level 3.5 out of five, which lots of organizations seem to hit, that golden 3.5. So really understanding that: what are we aligning to that we can demonstrate to our customers we're compliant with? What is our maturity against that? Where do we want it to be?
[00:25:09] - [Speaker 1]
And then where can we continually improve after we put that big push in to get to that minimum, that three, three point five Goldilocks zone, for lack of a better term? Why not be a five, right? What is the real cost of that gap from where you are to being as good as you possibly could be? You know, maybe being bold and ambitious, wanting to be the best in your business at being secure and being able to demonstrate that, would be a good place to start.
[00:25:37] - [Speaker 0]
Completely agree with you again there. And for anybody listening, maybe they wanna continue this conversation, find out more about you, keep up to speed with you, your work, and obviously Avanade. Anything people wanna find out more about? Anywhere you'd like to point everyone listening if they're looking for a little extra help?
[00:25:56] - [Speaker 1]
I would say avanade.com is a great place to start, but you can always message me on LinkedIn, and we can always have a conversation.
[00:26:04] - [Speaker 0]
Perfect. I will put a link there to the Avanade website and indeed your LinkedIn. I'll also try and include a little extra information on things you've been talking about recently. I urge everyone listening to check that out, but it's just so refreshing to have an open and honest conversation about this. I know it's top of mind for many business leaders now, especially looking into the new year, but thank you for starting this conversation today.
[00:26:27] - [Speaker 1]
No problem. Thanks for having me.
[00:26:29] - [Speaker 0]
I really appreciate how practical and candid my guest was in our conversation today, especially at a time when many organizations are still trying to make sense of what this legislation actually means for them. And what stood out most was that cyber risk is no longer contained within tech teams or even within individual organizations. Customers, regulators, suppliers, and now even the public are all part of that risk equation. And this shift towards group legal action and reputational fallout also feels like a genuine inflection point for UK businesses and indeed global businesses. So for everyone listening, I'll have the links to Avanade and Jason's LinkedIn so you can continue the conversation.
[00:27:14] - [Speaker 0]
And if this episode has you rethinking how prepared your organization really is, or anything you're gonna be doing differently next year, I'd love to hear your thoughts. So please drop by techtalksnetwork.com. There are eight different podcasts, 4,000 interviews, and many ways in which you can contact me. But that is it for today. So thank you for listening as always, and I'll speak with you all again very soon.
[00:27:40] - [Speaker 0]
Bye for now.

