Episode details:
Join us in welcoming Mandy Haeburn-Little to Agent of Influence! Mandy is a pioneer in increasing access to security services for companies of all sizes across the UK. What started as a model to establish a policing Cyber Resilience Centre in Scotland expanded to the first national network of nine Cyber Resilience Centres across London, England, and Wales.
In this episode, you’ll get to know Mandy through her work as the executive chair of Business Resilience International Management (BRIM), but you’ll also learn about her passion for attracting diverse talent to the cybersecurity industry.
Tune in to Mandy’s conversation with our host and NetSPI Field CISO, Nabil Hannan, for an engaging discussion on bringing cybersecurity to broader audiences.
Show notes:
- 07:35 – Inspiration behind creating the cyber resilience centres
- 10:52 – Results from bringing business resilience to more companies
- 13:05 – Navigating challenges
- 16:58 – Advice for governments replicating this effort
- 18:57 – Advice for businesses on increasing cyber resiliency
- 21:17 – Barriers that may prevent diverse populations from cybersecurity as a career
- 24:10 – Cyber PATH program
- 26:27 – Mentorship and more to address the skills shortage
- 27:58 – Upcoming podcast on neurodiverse talents in cyber
What inspired you to create the first Cyber Resilience Centre in Scotland?
When Mandy first assumed her position, she had a helpful interview panel comprising police, fire, government, and business representatives. The centre already existed in Scotland and was called the Scottish Business Crime Centre, which she found puzzling. Why would anyone want to belong to a business crime centre? With the Board’s support, it quickly became the Business Resilience Centre, focusing on advice, services, and supporting the business community.
At that time, there were significant structural changes, including the setup of a single police force and a single fire service for Scotland. This created an opportunity to work directly with police, fire, and government, and particularly the police as close partners. The police agreed to send several officers to the centre to lead workstreams.
The Business Resilience Centre established nine workstreams, covering retail crime, nighttime economy and crime, transport, serious organized crime, and financial crime, addressing everything a small business might need but couldn’t afford. They quickly realized that digital and cyber advice were missing, so they implemented those areas. Over time, the workstreams were refined, and it became clear that the business community wanted cyber and digital advice above all else.
“There was a real opportunity to work directly with police, fire, and government, and particularly police as really close partners. They very kindly and supportively agreed to send a number of police officers to the centre to work with us.”
Are there certain results you saw from this initial step into empowering more companies with business resilience?
Mandy is a great believer in learning from everyone she meets. Working directly with businesses, particularly micro and small ones, highlighted their need for substantial support. During this time, Scotland attracted significant interest from elsewhere, particularly London, which was keen to increase business confidence. London had three main police bodies: the National Crime Agency, the City of London Police Corporation, and the Metropolitan Police. They asked her to help set up a model with the mayor’s office in London. The aim was to provide business support on the scale of London, which was extremely challenging, but provided valuable lessons.
The final step in this development was that the Home Office had been following the model. Eventually, they submitted a European tender to create a network with policing support from the Home Office across every area of England and Wales. They went through a retention process and are now in the second phase of that contract. Every area of England and Wales is now covered by that model.
“Listening to small businesses, they needed a huge amount of support, and during this time, we started to get a lot of interest in Scotland from elsewhere. London was particularly keen to increase business confidence.”
You had an amazing journey from establishing one centre in Scotland to nine centres across the UK. Can you share what that journey looked like and what challenges you had to overcome to make it successful?
For anyone thinking it sounds amazing and wondering how it “just happens”, it doesn’t. It takes a lot of work, but with goodwill and shared ambition, a great deal can be achieved. Mandy owes a great debt of thanks to her chairmen along the way, especially her last chairman, Paddy Tompkins, who was extraordinary. He came from policing originally, and within policing, the National Police Chiefs Council has a lead for each major crime area.
Cybercrime was headed by Chief Constable Peter Goodman, along with Andy Gould from the Met Police. These visionary leaders believed in delivering services through policing to the business community, involving universities and students, because policing has a remit for cybercrime protection in England and Wales.
Recently, cyber and fraud have come together under the City of London. Belief and support are crucial on this journey. Start with one, evaluate the model, identify challenges, and adapt. Mandy pays great tribute to all the directors of the centres; they are unique individuals who bring a strong dynamic to the network. Policing has established itself as capable of this work. A cadre of seconded police officers now understand business models, how to set up a board, budgeting, and have developed their own centres. Challenges are never over, and it’s easy for sideline critics to say it can’t be done at this scale. However, it’s the team, not just Mandy, who has accomplished this. She pays great tribute to everyone still on this journey.
“We meet challenges every single day. So, for anybody who is thinking, ‘Oh, this sounds amazing; how do you just snap your fingers and that happens?’ It doesn’t. It takes a lot of work, and I think with the right goodwill, and the right shared ambition, you can achieve a great deal.”
What would be the one piece of advice for government agencies looking to replicate this type of effort in their countries?
One thing that has always stood out to Mandy is how underutilized academic institutions are. To truly understand what’s coming in any aspect of business, you can find a university that is studying and knows much more. AI is a prime example. Some universities are ahead of the curve in areas like digital forensics. When speaking to other agencies about potential actions, she recommends looking at emerging needs and partnering with the right university, as that’s where tomorrow’s talent will come from.
Governments typically don’t have sufficient capital to simply buy out a comprehensive model due to its intricacies and interdependencies. There’s significant international interest in this model. Currently, they are speaking with someone who thinks they can build this out in different ways. The answer from the BRIM team is absolutely. It might focus on retail or another industry, but in the current economic climate, success will come through strong partnerships and foresight.
“One of the things that has always struck me is how underutilized academic institutions are. If you wanted to really understand what’s coming down the line in any aspect of business, if you look, you will find a university who’s studying and who knows much more than us.”
How about advice for small or medium size businesses looking to increase their cyber resiliency?
For a long time, cybersecurity seemed like a dark art. As a small business owner, Mandy understands the hesitation in knowing what to touch and what to do. The National Cyber Security Centre (NCSC) is an outstanding government agency offering accessible, bite-sized information. They provide very digestible information, avoiding overwhelming pages of technical details. Centres in England and Wales offer free membership for businesses with fewer than 50 employees.
Additionally, she recommends following IASME, an organization offering cybersecurity standards. Today, a new act in security has been announced by NCSC: the Product Security and Telecommunications Infrastructure (PSTI) Act. This act is a great example of evolving standards, focusing on how to choose the right devices. Following agencies like NCSC and IASME helps businesses stay informed and secure.
“I think for a long time, [cybersecurity] was a dark art. I think that people kept putting up pictures of guys in hoodies working in the dark, and this didn’t help anyone.”
You’re also passionate about addressing the skills shortage and attracting more people — specifically more diverse talent — to the cybersecurity industry. What are some barriers that may prevent diverse populations from exploring cybersecurity as a career?
While Mandy is not technical by background, she has learned through on-the-job experience and working with others. There is a need for a radical approach to addressing the shortage of women in tech, attracting women of all ages, including those returning from family responsibilities. When Mandy was younger, she might have found the industry too technical, dull, or too maths-based.
However, by discussing possibilities with young women, it becomes clear that the potential is limitless. People can engage in diverse activities like blood analysis, flying a hovercraft, brand designing, or even going to the moon. Those interested in community and charitable work can achieve extraordinary things with AI, as evidenced by recent support for young mothers.
Attracting young people, not just university-bound students, but those with relevant skills, is crucial. Strong role models and accessible pathways are important. Veterans also represent an important demographic. In Scotland, Mandy worked with the organization SaluteMyJob, helping veterans with diverse backgrounds and experiences reintegrate into the workforce. There is a real opportunity to increase diversity by considering these groups.
“When I was younger, I would have thought it was just going to be too technical, too dull, perhaps too maths-based. But actually, the more you talk, the more that you see, you could do blood analysis, you can learn to fly a hovercraft, you can do brand designing, you can go to the moon, you could do all these things.”
Can you tell us about the Cyber PATH mentorship program and how the Cyber Centres support it?
The intention is to develop a partnership with universities similar to each regional centre. These centres have established strong relationships with local universities eager to have their students gain practical experience, not just in business skills but also in their application. There is interest in integrating some of them directly into policing. Policing, as a public sector, faces budget challenges, so having a pipeline of unique, talented, and business-savvy students would be advantageous.
Looking ahead, the focus is on ensuring students are well-supported, working in secure environments where they cannot intrude on any network. They are fully mentored, have senior supervisors, and go through a process of reviewing business needs, making recommendations, and working directly with police on those issues. They also collaborate closely with the wider technical cyber community. Students are limited in their work scope, which is appropriate, but they maintain connections with the broader technical community. From this work, referrals can be made to larger cyber community industries.
“I’m really interested in the future and whether it might be possible to take some of these young people directly into policing. As we know, policing as a public sector is challenged in terms of budget — that will always be the case. So, if you could have a pipeline of really unique, talented, but also business-savvy students coming through, that would be fantastic.”
Mentorship is a great way to open the industry to a broader audience, but it’s challenging to scale. Have you seen success with any other methods of addressing the skill shortage?
Mentoring is essential, supported by strong centralized systems. Some centres offer unique development for Student Services and the Cyber PATH program. A significant time commitment is necessary to provide effective mentoring. As these students are also engaged in university activities, they need flexibility to balance both. They require substantial mentoring and support, which is why they have buddies, seniors, and supervisors to help them grow and make informed choices. Real human support is crucial, with certain aspects achievable online, but specific online interactions are also necessary.
“I think that you will not get away from a time commitment. If you’re going to help somebody to be great, then you need to build the time.”
You have an upcoming podcast episode on attracting neurodiverse talent. Where can people tune in to listen to it?
CyberVersed is available on all major platforms. It explores themes around the Cyber Resilience Centre network and various leadership topics, supported by national ambassador companies. The podcast also focuses on neurodiverse talents, with an upcoming episode in two weeks. There is a need to better understand the unique talents within neurodiversity, moving beyond the buzzword to grasp what it truly means and how to offer support. The talents within this group are remarkable, as evidenced by a young woman who designed and flew her own jet.
The podcast also features discussions with women in AI, examining specific developments they lead and the future of tech, exploring upcoming advancements.
“We need to do much more to understand the very specific and unique talents included within neurodiversity. At the moment, it is a bit of a buzzword. So what does it actually mean? What does it feel like? What is it like to be someone with neurodiverse talents, and how can we support you better?”
Mandy Haeburn-Little is the executive chair of Business Resilience International Management (BRIM) where one of their current contracts involves establishing policing cyber resilience centres across England and Wales. Mandy has received two commendations from the City of London Police and the National Police Chiefs Council for her work in developing the first National Network of nine Cyber Resilience Centres, aimed at helping companies reinforce their business resilience. For these efforts, she was awarded an Honorary Doctorate in 2022, recognizing her determination to work with students within the business sector. Additionally, she was honored as Cyber Woman of the Year in 2021.
Amazingly, she still finds time to host the CyberVersed podcast, where she interviews prominent industry leaders. Give it a listen!