An Interview on Information and Cyber Security with Carol Tullo, The National Archives

Read an interview with Carol Tullo, Director of Information Policy and Services at The National Archives and speaker at our Information and Cyber Security Conference this year.


What are the main cyber security challenges in your own role at The National Archives?

For us, the size and diversity of our client base and stakeholder group across government is a challenge.  We need to be able to provide advice and build relationships with departments at all stages in developing their information assurance and cyber security capacity. Our Government audience reflects entities and structures that constantly change.  New departments are created; organisations merge. The human factor means that Government, for the most part, is good at putting in place technical controls to manage cyber risk. But the weakest part of any system will always be the people that use it. Reinforcing the message that maintaining a secure environment is everyone’s responsibility right up to Board level and that all staff need to be confident in identifying and escalating threats drives our advice.

What impact have practical initiatives to raise information and cyber security awareness amongst staff and board members had at your organisation?

Staff awareness is taken very seriously. Initiatives have included a security awareness month, regular blog posts on our intranet, coverage of speaking events in our internal newsletter, posters, Management Board briefings and simulated phishing exercises, to name a few. The impact has been that staff are more able to identify threats and escalate them to the security team. This can be seen by the drop in people responding to our simulated phishing emails, for example. The Board have been vocal in their advocacy of good security, which in turn filters its way down the organisation and encourages all staff to take the issue seriously. When we hold external events and workshops for departments, we are also able to reinforce those messages for our own teams.

What, in your view, tend to be the key common issues for those with responsibility for cyber security across different organisations?

Threats will vary across an organisation depending on the nature of its work and sensitivity. In many cases, attackers will use similar tactics to try and access systems and information. Many cyber security professionals across government are concerned with making staff less susceptible to social engineering. This can involve making staff more aware of the information they post about themselves and their work online, and also making sure the organisation itself is not publishing information for which there is no public interest but which could be used by attackers to carry out research. We provide advice to new joiners at induction on the responsible use of social media. We also point our staff in the direction of some excellent free resources online such as cyberstreetwise and the Open University’s FutureLearn course “Introduction to Cyber Security.”

WIG’s Information & Cyber Security Conference involves speakers from across the public, private and voluntary sectors. How do you think looking at cyber security in a cross-sector environment is particularly useful?

They provide a great opportunity for people to come together to share their stories and examples of best practice from different perspectives. Attendees are often surprised at how organisations, which on the surface look very different indeed, are often dealing with a lot of the same issues when it comes to securing their information and exploiting it effectively. It is an opportunity to pool ideas and experience and share examples of pressures and solutions.  It helps identify guidance and resources that may not have previously been considered. For example, The National Cyber Security Centre opens its new HQ in Victoria this month and is committed to making the UK the safest place in the world to do business online. The only way it can achieve this goal is by working closely with organisations across all sectors and ensuring that best practice is shared as widely as possible. Conferences play a vital role in that sharing process.   

Carol will be speaking in a panel discussion on priorities and practical experience in delivering cyber security at WIG's Information and Cyber Security Conference 2017. The conference on 29 March will bring together senior leaders from the public, private and not-for-profit sectors to discuss practical insights into managing risk and delivering cyber security. Visit our event page to see a full list of speakers and download the brochure.