Our Conversation with Dr Emma Philpott - A Leader's Brief Special

Council news

12:00 Tuesday, 28 June 2022

UK Cyber Security Council

For the second instalment of our cyber security Leaders Brief in June, Cyber Security Council’s CEO, Simon Hepburn, talks to Dr Emma Philpott, CEO of the IASME Consortium, an organisation focused on the IASME governance standard and the Cyber Essentials Scheme.

Tell us about yourself

I always feel a bit of a fraud because I’m not a ‘traditional’ cyber security person. It’s surprising how many people you meet in the cyber security sector that say that. I’m trained as a material scientist, my PhD was in ceramic matrix composites, and I worked in materials science until about 12 years ago.

When I arrived in Malvern, there wasn’t much call for materials scientists, and I realised everyone around me was doing cyber security. What excited me was that it was a brand-new sector – I know people say it’s been going for ages, but it was still relatively new when I entered. There were so many opportunities to get involved in and to make a difference, so that was why I decided to get into cyber security. It’s been really exciting so far, I’m really glad I took the leap.

Your route into Cyber Security was relatively unique. How did it come about?

As a small child, I was dragged around the world because my dad used to work for Overseas Aid as a vet, so he went around to different developing countries, and my mum was a local doctor. I was born in Kenya, and I lived for a while in Nigeria, and then Australia, before we came back to the UK, so I was used to moving around a lot. I think that’s helped give me a wider view.

After GCSEs and A Levels, I wanted to be a physicist, so I went to Cambridge to do Natural Sciences, but I found I couldn’t deal with the maths. But there was this thing called ‘Materials Science’ that didn’t need complicated maths, so I thought ‘maybe that’s for me’.

After studying at Cambridge, I joined the Ministry of Defence on their management scheme, which was amazing. I got to drive a tank, I got to go to Hong Kong and spend time with the navy. I ended up doing a PhD through QinetiQ; at the time it was the research part of the Ministry of Defence, so I managed to do a PhD while I was working.

I took on different jobs there and ended up managing the 5-metre wind tunnel, which was brilliant. The team that I was managing were all ex-apprentices, who were the most knowledgeable team that I worked with.

It was in an organisation where there were high numbers of people with PhDs and all these lofty academic qualifications, and yet the people I was working with had usually come from the apprentice route, and they were some of the best people in the organisation. That was a way where I really saw that a lot of the people that develop themselves through ‘doing’, as opposed to studying, were amazing.

From there I kept meeting cyber security specialists who didn’t know each other. So, I started the Malvern Cyber Security Cluster to bring them all together and it was just amazing. I’m often starting things that don’t always take off but there was a need for the cluster, so it just took on a life of its own. BBC Radio 4 did a programme on us, which obviously helped to raise awareness.

I then met a couple of academics who had started this thing called IASME and they asked me for some business planning advice. They told me they had this certification scheme which was suitable for organisations of all sizes including small companies, and I said to them, “who are your competitors?” And they said, “we don’t have any”. Because of that, I bossily pushed my way in, and it was right time right place. The government was looking for something applicable to companies of all sizes, and I was there.

Can you tell us more about IASME?

IASME was started up to help smaller agencies get certified to Cyber Essentials, and that’s why we originally developed our IASME governance scheme. We designed it for smaller organisations, but we found out that organisations of all sizes need this.

They need a relatively simple assessment process, because often, the people doing the assessment are not the technical experts, they’re the purchasing department or the finance department, and so it needs to be written in plain English, even for large companies.

We’re very passionate about diversity and inclusion, and that includes sizes of companies. We have almost 300 certification bodies in the UK and half of them are micro companies; we don’t want micro companies to be excluded from supply chains because the barriers are too big.

We also have another side close to our heart, where we try to increase the diversity of those working in cyber security. As a company, we try to make sure we are as diverse as we can, and that’s still a learning curve; we’re still a long way from doing that perfectly, but we’ve certainly learnt a lot and are improving constantly.

We want to encourage diversity in every which way, so: neurodiverse, physically diverse, gender diverse, ethnically diverse. There are challenges with every single one of those, it’s not easy, but our company is successful, and we put that down to our diversity.

I know you’re doing excellent work in the diversity space. Could you expand on that?

We started work about 3 years ago on training up unemployed neurodivergent adults in cyber security and then supporting them into work. The first cohort was 14 people and we recruited them all into IASME. There were only 20 people in IASME at that point, so it was quite a major thing, and really that’s when our education started.

It’s relatively easy to run a course and teach them cyber security and then they leave, and hopefully use what they’ve learnt to go into great jobs. It’s not until you recruit people who are finding problems with being in the workplace that you start learning how you can support them and how difficult it can be.

We saw this particularly during Covid, we had team members who had awful experiences, and they needed support, whether they were neurodivergent or not. We say the whole team is made up of complex individuals and all those individuals need different support at different times of their life. It’s difficult to manage everyone as an individual, and so it is difficult for large organisations, but really, it’s the only way to deliver real diversity, I think.

Has the work that you’ve done there been documented? What lessons can we learn from your experience?

We have three blogs, and we do some work with E2E. E2E Assure is a commercial organisation which has taken a lot of our trainees, and they are absolutely brilliant. However, we’re not very good at shouting about what we do. We’re trying to document it more.

Right now, we’re writing a ‘how to be at work’ guide, which is trying to talk about how to act at work without all the unwritten social rules and writing those rules down. We’ve got neurodivergent people writing that, and it’s been really interesting to see. We’re hoping to finish writing the content and publish it on our website soon.

Can you explain what Cyber Essentials and Cyber Essentials Plus is?

Cyber Essentials consists of 5 basic controls, and it’s the minimum baseline that all organisations should be at in terms of cyber security. The 5 controls were based on the government looking at the breaches that they’d had in their supply chain over the previous years.

A lot of organisations, and mainly large ones, were being breached because they didn’t have the basics in place. You can get ISO27000 without the basics, and as long as you accept the risk, you get the certificate. Whereas, when you’re the customer and an organisation says, “we accept the risk of not having any passwords” (I’m exaggerating), and then they get breached for that, a customer would then think they’re not happy with that risk. Cyber Essentials is when a risk assessment has already been done, so it is risk based.

Because it’s the minimum baseline, it’s easier for smaller organisations to implement than the larger organisations. We’ve got some data comparing small companies with Cyber Essentials and small companies without that are insured, and you’re 60% less likely to have to make a cyber claim on your insurance if you have those controls in place - it’s really quite significant.

Almost three quarters of the certificates go to small and micro companies, and then the largest of organisations, some of them have an issue as well, mainly with legacy software.

If you’ve got hundreds of endpoints and they’re not in support, that’s a lot that you need to buy from new to get Cyber Essentials, and, in the interests of cyber security, you should definitely have your endpoints in support. A lot of larger organisations say they’re still secure even though they have legacy software. NCSC are working with us to see if we can develop a sort of ‘red team test’ to see if these companies are as secure against commodity attacks.

The difference between Cyber Essentials and Cyber Essentials Plus is just the level of assurance. The requirements are the same, 5 technical controls, now applied to cloud as well. With the basic level Cyber Essentials, the organisation answers all the questions and then, importantly, gets a member of the board to sign to say it’s true.

That moment is often the first time that cyber security has come up to the board level, so it’s very powerful. Then a trained assessor goes in and marks it and gives feedback. If they fail, they have two working days to do something about it, and usually you can do it in two days unless it’s down to loads of unsupported software, and then resubmit and hopefully pass.

I don’t think there’s any company ever that’s taken the Cyber Essentials test and not had to make some changes to pass. Even for us - we do it every year, and every year there’s a patch that hasn’t taken, or something that slips through the net.

Why only two days?

If anyone can’t do it in two days, all they have to do is contact us and we extend it. What we found is that you must have a tight deadline to resubmit, otherwise they forget about it. Sometimes people call us and say they can’t do it in two days because their IT provider can’t come in until next week, and we always say that’s fine. Just tell us when you’ll be ready and that’s when we’ll extend the deadline to. It’s just to get people to focus.

Has Cyber Essentials ever been the first time a company’s board is aware of cyber security and the impact that could have on their organisation?

We ask for feedback once a year, and when we do that, we contact every organisation we assessed that consented to research contact and we ask them what benefits we found in the scheme. So many told us that a major benefit was raising the importance of cyber security in the organisation.

People have said that they’ve been able to use the outcome of Cyber Essentials as a reason to get investment in cyber security. I read one today that said, “making the board understand that this is as important as buildings”. Just using it as a way to get the board to understand how important it is, and one of those things is getting the board to sign.

You mentioned NCSC earlier. What is your engagement like with NCSC, and also government departments and core organisations and strategic partners that support you in the work that you’re doing?

We have a great relationship with NCSC. We were involved in Cyber Essentials from the beginning, and they had a tender where they wanted just one partner. We almost didn’t bid because we thought we were too small to win a contract like that, but we did bid in the end, and we won.

What I love about NCSC is their diversity. When I’m working with their team, they feel like they’re part of IASME because they’re so diverse! But also, we’re able to be honest with them, and I think that was a pleasant surprise. It means we’ve built up a level of trust on both sides, and we’re very honest about things that we might be struggling with.

In terms of other organisations that we work with, we worked really closely with the Department for Education last year. We worked with them to look at cyber security in schools, that was an amazing team who were very proactive and responsive.

We have a great relationship with organisations like Immersive Labs, so with all our training of neurodiverse adults we’ve recently started again. We’ve been training ten people and two of them have already got jobs, so that’s really exciting. With all of that, Immersive Labs have been a great partner, they’ve given us use of their platforms for free, which is amazing. DWP, the Jobcentre, have recently started working with us too. We work with lots of great organisations that are really generous with their time and with their resources.

How could we encourage more women, more ethnicities, and more neurodiverse people into the sector?

There is a big issue about being seen to be included, which I think has improved over the last year or so. When I was a junior in QinetiQ, all the directors that I met were men, and then I met a director in QinetiQ who was a woman. She had to leave a meeting early to go and pick up her kids, and it was like a revelation to me, I think it had a big effect on me.

People often say, “we’re only going to take the best people for the job”, and that of course is a good thing, but it is also important for junior people to be able to recognise themselves in senior roles, on panels, at conferences. That’s really important, otherwise you can’t imagine yourself being senior in that sector.

There are still a horrible number of stories from young women about going to cyber security networking events and being faced with misogyny. If you’re a young woman in a room full of men discussing women in a derogatory way, you’re not going to be able to stand up and say this isn’t ok. You want people to give you a job in the future, you don’t want to be seen as a complainer, so how do you do something about this? Usually, you would just leave. I’ve spoken to women in the past about their experience, and they just stopped going.

I think anyone who is senior enough, confident enough, old and ugly enough, just has to say something if they see something like that. You might be the killjoy and come across as deeply uncool, but you’ve got to do it if you want to make young women comfortable at these events.

It’s the same with all other diverse groups. I think when you’re formally at work, people know not to be discriminatory, but it’s in the social events and in the side aspects of the sector that it persists. It’s one thing to offer support, but if people aren’t expected to take it up, you might as well not offer it.

The optics of the sector is of a man in a hoodie in a dark room. How can we change the optics of the sector?

It’s a difficult one, but I think trying to be less scary. We see lots of organisations that panic if you say ‘cyber security’ to them, thinking that’s going to be expensive, hard, people will laugh at them because they don’t understand cyber security, so they close their eyes and cross their fingers.

We try to make it so that it’s not embarrassing to ask, ‘what’s a firewall?’ or ‘what’s a home router?’ When you make it out to be all high tech, people will be too embarrassed or shy to even ask the first questions, which is the first step. I think, while it’s all hoodies and hackers, it’s too scary for people to think about, so we need to make it more approachable.

We get feedback from organisations saying they didn’t want to do Cyber Essentials, brought to us kicking and screaming, usually because of a tender, because they thought it would be difficult and complicated. They often come to us saying they’ve now done Cyber Essentials and they’re so proud of themselves, and they often go on to do more things, taking the next steps. These people have found out that it doesn’t have to be expensive, and they can understand it.

ENDS