Construction and cyber – fundamental foundations
04 December 2019
Martin Leggett talks hard hats and hackers with Steve Witty of Willmott Dixon.
By his own admission, Steve Witty can take a hard-bitten view of the world of recruitment. “I’m in my 50s and I can be quite cynical about calls out of the blue,” he told me as we chatted on a rainy afternoon last month.
So, when he was approached about working for Willmott Dixon – after a decade-long stint with global IT service integrators – he found his natural curiosity leavened with scepticism.
“Why would I want to work in the construction industry when I’ve never even set foot on a building site before?”
He initially struggled to see how his infosec experience with companies like Unisys and Leidos could be relevant to a 170-year-old privately-owned building firm working solely in the UK.
Building with data
That was before he was introduced to CIO Alan Ramsay. He quickly learned how the digital transformation had revolutionised the way Willmott Dixon works with its customers. “They put a virtual reality headset on your head, and you can literally walk through a building. You can say ‘Oh, those switches look too low’, or even ‘those urinals are too high’.”
Data, it turns out, is as critical and sensitive for builders as it is for defence, finance or IT.
The fact that Willmott Dixon boasted a development team whose size and sophistication wouldn’t be out of place at one of his former employers also impressed. Within weeks, he had made the move. And, by his own admission, hasn’t looked back since.
A career developed in full colour
Not that this is the first career switch that Steve – now a year into his role as Head of Security and Compliance – has contemplated. Back in his RAF days, he jumped from photographer to IT trainer to business analyst, as opportunity knocked, before settling into a career based in security. He found an approachable, people-oriented attitude was vital right from the start, from his first job snapping for the RAF. “If you don’t have that attitude, you don’t get the pictures.”
Seeing things from other people’s perspectives is something that Steve has carried with him into his current role. “Rather than say ‘No’, I tend to say ‘Yes, if…’. People bond with security better that way. I much prefer to be proportional, pragmatic and practical.”
Purpose – and people – first
Placing people at the heart of things is also the Willmott Dixon way. The company’s mission statement proudly proclaims ‘a purpose beyond profit’. That may go some way to explaining the firm being rated as 4th in the 2019 Sunday Times list of Top 100 companies to work for.
It’s certainly something Steve picked up on early on. “The thing for me is they don’t just pay lip service to it – they genuinely mean it. We have an excellent management trainee scheme, which is aimed at more than just graduates. As long as you have the right attitude you can apply and thrive.”
But while Steve was pleasantly surprised by the positive culture at Willmott Dixon, he knew he could make a real impact when it came to the information security basics.
The threat profile was a particular concern. It became apparent that construction is no backwater as far as adversaries are concerned. In fact, it’s a prime target.
‘We see it all’
“What surprised me is that construction seems to be an extremely attractive target. Especially for phishing attacks. That ranges from general phishing attacks to spear phishing and whaling.”
He partly attributes this to a low sector maturity compared to the finance, defence or IT sectors. But it’s also because of the very particular character of construction’s attack surface – its third-party network is wide, diverse and deep. And ripe for exploitation.
“We have such complicated supply chains, from big-name building suppliers down to SMEs. And even now they’re still not that concerned about cybersecurity. They’re very often on a limited budget.”
Start with the Essentials
So, what has Steve been doing at Willmott to tackle this worrying combination of high threat and low awareness? He began with the essentials. Cyber Essentials.
“My strategic focus is to get the basics right – building a solid foundation – and to engage with those supply-chain people, putting myself out there. Briefing them that any company that uses computers in any serious way should be able to meet the requirements of Cyber Essentials.”
“And to be frank, if you can’t, I think you’d have to seriously question whether you should be storing anything digitally.”
‘Come on in.’
Hauling the supply chain up to meet a minimum baseline may be Steve’s – and construction’s – biggest challenge. But in the main, the fundaments of cyber for the world of bricks and mortar remain the same. That’s why he’s keen to encourage colleagues to make the switch to sectors outside their comfort zone.
“I’ve tried to explain that it really doesn’t matter what they’ve worked on previously. They can get their head into another industry quite quickly.”
As he sees it, there’s plenty of work to be done outside areas traditionally strong on infosec. Work both interesting and challenging.
“The bottom line is that the fundamentals of what we need to protect and how we protect it are the same regardless. If you’ve got data, you need to protect it.”
Hard hats or not.
Do you have interesting insight and experience you’d like to share on the role of the CISO? Contact Martin at firstname.lastname@example.org.