Retirement Reflections from Derek Willins


This is a bittersweet week for us at Advent IM as our own Head of Client Development, Derek Willins, retires. There can be no doubt of his contribution to Advent IM and to security and we will miss his insight, curiosity and collegiate approach that so exemplifies our core values. Derek kindly wrote a post with his thoughts on the industry and its future, from his perspective, and that reflects on his time with us. We would like to take this opportunity to thank him for his hard work, his can-do attitude and everything he has given to the business, even the terrible Dad jokes.
In his own words then…

I’ve spent most of my life in the world of data. Analysing it, selling it, buying it and more recently protecting it. Advent IM, a security consultancy, took me on to help develop their business in 2018, and I didn’t know quite what a strange world I was now entering. I’ve put down my observations and split this blog into sections that are meaningful from my point of view.

The security market. Understanding what is the ‘security industry’, and where Advent IM fitted in was the first challenge. Physical security (from man guarding to surveillance of premises) seemed straightforward (but this is changing). Getting to know the other industry components, which contain data protection, information management systems, business continuity and resilience, with their supporting IT systems and software, was the challenge. In addition, all the various institutes, governing bodies, standards and qualifications supporting these elements make for a siloed and diverse specialised industry, set in a fast-changing environment.

All these components have been collectively known as ‘cyber security’ for a good while now (a term in the industry no one seems to like). It’s a relatively new industry and still finding itself. A recent DSIT report stated that “Revenue generated by the UK cyber security sector has nearly doubled from £5.7 billion in 2018 to over £10.5 billion in 2023, with an estimated 20,000 additional jobs created”. How the £10.5bn breaks down is anyone’s guess. However, the DSIT has produced an excellent report (footnote 1) in an attempt to identify all the key components of the market. There are 10 main sectors, including endpoint and mobile security, identification, authentication and access controls, and network security. ‘Cyber Professional Services’ is where Advent IM fits. These firms provide expertise to organisations on risk, standards, compliance and assurance, and I know now that Advent IM is one of the best.

Security people and culture. I’ve managed to meet scores of security people at dozens of security events. I don’t like classifying individuals into buckets, but if I have to, I’ve found that by nature, security people are careful, conservative, knowledgeable and committed people. Most are passionate about what they do and have a great sense for the importance of their work. Rightly so.

It seems to be an industry that draws certain types of people in, and they stay. For balance, I’d say if half of them could become better communicators then many challenges would be solved, but at the moment silos are alive and well in the world of security.

C-Suite interest in ‘cyber’ is improving but it feels glacial. They are at last realising that “In the old days, you had business and then you laid technology on top of it. Today, business is technology and everything we do has technology threaded through it.” (Susan Story: CEO, American Water Works). This means that technology is business, and therefore the data it manages comes with a security obligation that only the most regulated industries appear to have adopted as a standard part of business today.

Themes. I’ve noticed in my short time in security that despite rapid change, there are a few constants. One is the media. It is consistent in grabbing one theme, then exhausting it for a few months before moving on to the next new thing. Examples from memory: GDPR, IoT, edge computing, zero trust, home working and Covid-driven accelerated digital transformation projects, security skills shortages, and now AI’s impact. More ‘doing the basics well’ content would do a lot of good. Maybe it doesn’t sell.

Another constant is that every week, organisations are in the news for being breached, losing data, or enduring downtime due to hostile forces (whoever they may be). It’s March 2024 and universities were in the news last week, and this week it’s the Home Office and their immigration database, this latter one being a self-inflicted information governance failure. I do not doubt that no matter how much more we spend on ‘cyber’ security (now £10.5bn in the UK), these issues are not going away. The bad guys’ skills, or our own bad behaviours, continue to keep pace with investment.

Winning business. ‘Cyber’ security in the UK is a highly competitive industry. The headline growth in industry revenue hides low growth in some sub-sectors. Almost 2000 firms are available for buyers to choose from in the UK. The Top 10 suppliers dominate of course, but there is plenty of space for agile problem-solving experts like Advent IM. Trust and reputation are everything. Referrals, introductions, and cooperation with complementary suppliers work best for development. Meeting people face to face is the best way to develop relationships and growth. E-mail and social media play an important awareness role and, depending on what’s being sold, can bring in leads. But direct cold telephone calls, especially to mobile phones, are not a good idea to any security person. I’ve had them and they always refuse to say how they got my number. Hardly a trust builder, and firms keep getting this wrong.

Fear, uncertainty, and doubt does not sell anymore. Organisations have become immune. Experience has taught them what’s at risk. A solutions-based approach based on knowledge of real challenges works far better for successful suppliers.

Advent IM’s approach of dynamic content-led and solution-based marketing provides value to the market and the resulting goodwill makes it a whole lot easier commercially.


Security today. In 2018 it seemed to me (and most people I talk to) that legislation changes make things happen. Sadly, too many organisations always have better things to do than good security it seems, and legislation is needed to create action. GDPR and the need to protect personal data was all that everyone talked about then. It felt like lawyers were becoming security experts overnight, and costly errors were made as firms overdid it. Overall, GDPR was a catalyst for raising everyone’s security game, even though the Data Protection Act covering much of it was already in place. The DPA 2018 is now the ‘UK GDPR’.

After GDPR implementation cooled, Covid started. Working from home became a norm for millions. Organisations had to adapt quickly and security and digital transformation projects were accelerated. Much was achieved. The UK Government launched its ambitious Cyber Security plan 2022-2030 and impressive it is. They have clearly set out their stall to raise the standard of UK Plc cyber security, leading with the Public Sector. Even more surprisingly, it’s actually being implemented, with every government department completing a cyber assessment framework every year to show progress, and having it independently verified via the GovAssure scheme. On top of that, security being built in at the start of projects instead of at the end is being adopted via the ‘Secure by Design’ process, with the MoD leading the way. This is great progress, and the adoption of another long-held Advent IM belief that security should be involved from the start of everything.

However, the Ukrainian war, started since COVID-19, has continued to impact the post-COVID recovering global supply chain, and most large economies are suffering a downturn. High inflation and reduced demand make business in the UK a tough place today, and survival means being ruthless. Security budgets are impacted and projects are delayed. I sense the progress we were making is slowing down.

A recent quote from a board director on LinkedIn in early 2024 sums up the feeling from many people: “Cybersecurity providers are facing a moment of truth. After years of persuading companies to spend more on security software, hackers are still getting through. That’s giving some companies ‘cyber fatigue’”. The truths this reveals are:

  • Too many organisations are beguiled by the siren call of new technology alone to solve their security problems. It doesn’t.
  • Great governance and process, managed and implemented by motivated people have at least as big an impact on security as technology.
  • Well-run technology, with great process and people working together in a holistic way, is the only way forward for all organisations.


Security Tomorrow. Technology will continue to evolve rapidly. So-called ‘bad actors’ will continue to take advantage of it. Threats to organisations will evolve and remain as high. No one can predict what, where and when. What I do know is:

  • Security silos have to become more porous. Especially cyber-physical security. Everything the enterprise does is connected. Do not allow cracks to appear to the outside world.
  • Investment in good people, their training, and great process is as important as investment in technology. If not more so. They are the ones who make the technology work.
  • Resilience and the ability to recover in the event of inevitable incidents is not a luxury, it is existential.

In conclusion, I’m grateful to Advent IM for the opportunity to gain insight into the workings of a dynamic industry which is a welcome UK success story. Great progress for security has happened, but there are signs it is flagging at the moment. This is temporary though.

Advent IM is an SME, but punches above its weight through thought leadership, knowledge sharing and client focus. Its ability to pivot and evolve with change has allowed it to flourish for over twenty years. That’s some achievement and a testament to their values and beliefs.


Sources

  1. UK Cyber Security Sectoral Analysis 2023. DSIT.
