Former Irish Government CIO and UK government deputy CIO Bill McCluggage has cybercrime and counter fraud in his sights. He spoke to Ann O’Dea.
Bill McCluggage has had a storied career in IT systems and more recently in cybersecurity and counter fraud. Having served as deputy chief information officer of the UK government and chief information officer of the Irish Government, he went on to lead the information assurance and counter fraud function at the then-new UK Open Banking programme back in 2016. Today, he sits on many boards and advises public bodies and private entities on IT and cybersecurity.
When the Institute of Directors were looking to offer guidance to their members on this crucial area of cybersecurity, they turned to McCluggage, who created a governance course for board members and senior directors offering insights into the legal and compliance regulation regimes that are critical to risk management at board level.
“I have been in some fairly senior roles and it can be difficult to simplify what seem to be complex problems, specifically at board level. When you get people who are not technical specialists, cybersecurity does frighten them, because you hear all of these horrible instances of fraud, of hacking, of ransomware and you ask ‘why did that happen?’ ‘why wasn’t it controlled and managed at senior level by a board?’”
McCluggage points out that it is not about board members becoming cybersecurity specialists, but rather having a full enough understanding to ask the right questions in their organisations.
“Just like financial due diligence, when it comes to cybersecurity governance and risk governance you want to be able to go in and see that things have been done and milestones have been met, and patching is occurring. You don’t need to understand necessarily what it is that’s happening but you do need to know that it’s providing you with that specialist capability that’s inside your business to defend yourself.”
And of course, finding the people with the right skillsets is key, says McCluggage. “When you look at it, nothing is new under the sun. It’s about people, processes and technology so if you don’t have the right people there, you run a risk of not picking up all of the things you need to do.”
We also chatted about generative AI because it’s at the forefront of so many minds at the moment, and McCluggage is bullish about the possibilities it offers, while very conscious of the “good, bad and ugly”.
“On the good side, it is fantastic because it’s allowing us to do certain things much quicker, it’s really creative, it’s allowing us to delve into areas where we’ve not had the time, the capability or capacity to do things and, lo and behold, we now can. Especially if you’re looking at diagnostics in terms of cancer, DNA analysis, all of that stuff is really powerful,” he says. “But on the other side, it also can enable the attacker to do things quicker. The gen AI models now are providing the attacker with the capabilities to actually generate the emails that will penetrate you if the social engineering has been done correctly, and it is getting very vicious.”
However, he also believes the industry is well-prepared and not as far behind the curve as some headlines would lead us to believe. “We’re always playing a bit of a catch-up game, but AI can actually be used to help you defend yourself and there are a number of companies and products out there that are already using AI to combat cybercrime.”
Even five or six years back at the UK Open Banking programme, his team was using an analytics engine to spot anomalies within its zero-trust environment. “So we shouldn’t look at this and say the gen AI culture is way out ahead. There are capabilities already developed by a lot of the vendors in the cyber market that have been working on this for many, many years. It’s down to the IT architect and the CIO and the board to understand what tools they need to counter these new types of threats – and they are out there.”
“Let’s not be negative,” concludes McCluggage. “I think gen AI is very positive. We just need to make sure that we catch the bad bits of it and the bad actors by tooling up and getting in the capability to respond.”