Emma O'ConnorIn conversation with Jack Hayward, Associate Director of Information Security at the Wellcome Trust

In conversation with Jack Hayward, Associate Director of Information Security at the Wellcome Trust. There’s not a lot we enjoy more than hearing our clients’ thoughts on the cybersecurity industry. So, we were delighted when Jack Hayward from Wellcome agreed to join us for our panel discussion at Infosecurity Europe in June. Wellcome is one of the world’s biggest charitable foundations, spending over £1bn a year supporting science to generate new knowledge about life and solve urgent health challenges. Jack’s contribution to the panel was invaluable, so we asked him to answer a few more questions for us:

Q) In priority order, what would you say will be the foundations of any decent cybersecurity strategy for the next five years?

This will vary depending on the nature of the organisation, but:

1. Basic IT hygiene including things like patching and maintenance, backups, inventory etc.

2. Detection and response capabilities.

3. Demonstrable good governance that can build trust in brands.

4. Scalability through automation, orchestration, AI etc.

Q) Why are the basics so difficult to keep up to date?

We all work in an environment that is trying to get things done and those ‘things’ are not just security. There will always be pressure on people in various roles and you always have to account for people being humans, not machines. If you have a service desk that’s under pressure, for example, then things may be rushed and governance steps may be missed. That’s part of why we make sure we resource those functions well and build processes that we hope are resilient.

Q) When people think of a cybersecurity function, the first thing they often think of is SIEM, SOC, Zero Day Attacks and Threat Hunting. Do you think this is true or is breach prevention now playing a crucial role in cyber strategies?

Both are critical to good security. Too much focus on either will eventually cause problems as it means you lose sight of the other. One likely cause of the focus on the response side of things is that prevention is quite easy to label as the responsibility of non-security engineering teams, but it is still a responsibility of security to ensure that those processes are effective and applied everywhere.

Q) How do you organise and train your team to ensure that they are proactive rather than just chasing potential threats?

My team is essentially split into ‘engineering’ and ‘operations’. Ownership for designing, improving and managing tooling sits with the engineering team and responsibility for operating the tools is with the operations team. We work hard to create structures for feedback between the two groups to help the control set develop better. This sort of split is going to be much harder in smaller teams but it may still be possible to do it virtually by sectioning off time for each thing. If, however, you are never able to stop fighting fires, you may well need additional support in making time to look at the big picture, which can also be a significant challenge.

Q) You are responsible for protecting a very complex organisation which must have a huge rate of change. How do you go about creating a strategy that ensures the business can remain agile, while not weakening your defences?

Many interesting things are going on at any time, but it's very unusual that the core nature of any organisation changes fundamentally. Most of the risk sits within fairly stable process areas such as finance, legal, HR etc. That's where most of my team's focus is applied. We have a decently sized team, but, like everyone, we still need to prioritise by risk level. We rely on a set of top-tier security tools and platforms to help cover us, and we take great care to ensure they are rolled out properly and functioning correctly.

Q) How have you educated your Board on the importance of a strong cybersecurity foundation and do you provide them with any top-level stats on how the business is progressing in this area?

I present annually to our Board on security, covering our overall security capability, the threat landscape and likely threat actors, significant recent changes in our levels of control and any key risks and associated projects and/or work. This does include metrics, but they are high-level and focused on risk rather than detailed technical statistics.

We also do training with our board including regular tabletop exercises. They are very engaged and alert to the importance of scenario planning for information security. And we have ongoing phishing simulations running for them just as we do for all staff. They are well drilled and generally excellent at spotting anything phishy, but, given the quantity of simulation emails we send, we get maybe one or two clicks a year. They encourage me to ‘name and shame’ when we meet: it’s a fun discussion but it also gives them added insight into how vulnerabilities arise.

About ThreatAware and the Wellcome Trust

ThreatAware has supported the Wellcome Trust since February 2023 to strengthen its cybersecurity posture effectively and efficiently. With a complex security environment, monitoring and managing cyber assets is an organisational priority.

Through our unique, patent-pending timeline matching algorithm, we were able to standardise data from all of Wellcome Trust’s systems, giving Jack and his team that elusive, single source of truth and instant visibility of their entire IT estate. Armed with this knowledge, they have been able to efficiently and proactively reduce their attack surface and become confident in their ability to prevent breaches.

To find out how we could help you do the same, get in touch