City Lights: Dr Andy Grayland, CISO for the Digital Office, Scottish Local Government

Dr Andy Grayland, Chief Information Security Officer (CISO) for the Digital Office, Scottish Local Government, talks to SmartCitiesWorld about his vital role.

As infrastructure becomes more connected, an increasing number of cities are starting to appoint a Chief Information Security Officer (CISO).

 

SmartCitiesWorld talks to Dr Andy Grayland (CISSP CEng MIET), CISO for the Digital Office, Scottish Local Government, about what this role entails.

 

SCW: What is the purpose of your role and why are more cities appointing CISOs?

 

AG: The Digital Office for Scottish Local Authorities is a partnership of all 32 local authorities that seeks to catalyse digital transformation.

 

As we approach the third technical revolution, we will begin to see the explosion of business applications involving new developments in areas such as AI, machine learning, IoT, robotics and many more.

 

We will move away from data informing decisions to data being used to automatically take real-world actions.

 

This is an extraordinary opportunity to enhance the service delivery local authorities provide to their citizens but with these opportunities come many new risks. Security must go hand in hand with requirement definitions of new services, and, for that reason, it is imperative that security experts have a controlling function in board-level decision-making.

 

SCW: What was your route to this position?

 

AG: I studied computer science at university before completing a PhD in the same.

 

From there, I continued to study part-time to continuously broaden my academic understanding.

 

It is far too easy to focus on the technical aspects of cybersecurity while failing to understand the governance, procedural and people issues that are equally important. For that reason, I ensured that my postgraduate qualifications focused on these areas and more.

 

Equally important to theory is the practice, and for this, I joined the Royal Navy as an Information Systems Engineer Officer before moving on to multiple roles within Joint Forces Command in the UK armed forces.

 

There is no exam for work experience, so the easiest way to demonstrate competence is by achieving external validation through organisations like ISACA, ISC2 or IISP.

 

This range of theoretical and practical experiences across a broad range of subjects gave me the skills required to assume the role of Chief Information Security Officer in the Digital Office.

 

SCW: What does a ‘smart city’ mean to you?

 

AG: Smart cities leverage data and technology to improve the service delivered to citizens. Nothing is new there, however. City managers have been manually collecting data and using it to inform policy and services for decades.

 

The difference is the amount of data that can be referenced and the speed at which decisions can be made. As an example, imagine discussing green energy policies with respect to street lighting overnight when footfall is low. The old method may have been to survey street usage then recommend time slots when street lights could be turned off. This would have to be argued against the downsides, such as a potential increase in crime rates due to the darkness. To enact such a policy would likely take many months of observation, drafting and amending.

 

With smart street lights, the lights can decide if there is pedestrian traffic within range of their illumination and automatically toggle lighting on and off at will. The important aspect of this to me is that if we are concerned about lack of street lighting due to an increase in crime, perhaps this is a potential cybersecurity threat as criminals seek to take over the lighting to hide their actions in darkness.

 

SCW: What is your number-one priority right now?

 

AG: My number one priority is to ensure that executive boards, and thereby the whole organisation, understand that cybersecurity is a business decision, not a technical one.

 

Boards should all be able to understand high-level service delivery and data protection risks brought about by cyber-attacks, and where they do not, they should seek to retrain or employ an additional board member that can translate the risk into a language they all can understand.

 

The Digital Office partnership is developing training and dashboard tools for senior executives that will facilitate this move towards a better collective understanding.

 

SCW: What is the biggest challenge that you face?

 

AG: The biggest issue we face right now is resourcing. Although the journey towards secure smart cities offers opportunities for cost saving in the long term, dramatic changes such as these do not come free of charge in the short term.

 

These changes come at the same time as tightening budgets across the board. Balancing statutory service delivery against transformation is an incredibly difficult juggling act, with diminishing budgets. Add in now the increased concern of security threats, and adequate security may push innovation out of reach of departments’ budgets.

 

One of my key objectives is to ensure that senior managers understand that security is not an optional extra that can be taken as a cost-saving measure, but is instead an integral part to the overall service delivery and is pivotal in building trust for smart city technologies as we move forward.

 

SCW: What achievements are you particularly proud of in your current role?

 

AG: The UK National Cyber Security Centre (NCSC) offers free Active Cyber Defence (ACD) tools for UK public sector organisations to improve their security.

 

In 2018, due to our adherence to the Scottish Government’s Cyber Resilience Strategy, Scotland became the first nation in the Union to implement the ACD tools across all of its local authorities.

 

SCW: What is the best part of your job?

 

AG: I grew up in a poor household raised by a single mother. Public education and services ensured that without any family wealth behind me I was able to excel in academia and go on to senior roles across the country.

 

The best part about my job is the feeling of accomplishment I get from giving back to the same public services and educational establishments that gave me all of these opportunities.

 

SCW: Can you describe a typical day?

 

AG: There is no such thing as a typical day in my life. I spend most of my week visiting partners and stakeholders to discuss future directions and to help them implement change. Every day is as new as the last.

 

SCW: What keeps you awake at night?

 

AG: Legacy systems keep me awake at night. We have a relatively good handle on the processes required to achieve an adequate level of security assurance on new procurement, with further positive developments on the way in the form of an automated third-party risk assessment tool being published by the Scottish Government later this year.

 

Legacy systems, however, provide problems that are difficult to resolve when it comes to security. The boring side of security, which is often hidden behind sexier cyber-attacks that make better news stories, is that patching is one of the most fundamental technical controls that an organisation can enact.

 

Unsupported legacy systems supporting critical public services provide a particularly hard challenge. WannaCry would not have happened if all systems were patched up to date.

 

If I could shake the magic money tree, I would replace all legacy systems in one go but we all know that this isn’t possible in reality.

 

SCW: If you weren’t doing this job, what might you be doing?

 

AG: I suspect an answer such as continuing to secure technology in the armed forces or working with a multinational investment bank would be a sensible answer.

 

In reality, I’d quite like to spend my time in my woodwork shop and walking my dog.

 
