The Benefits of Being a School Governor

I recently had the great privilege of being appointed chair of governors at my local primary school. I joined the board in 2018 as a way of getting more involved in my daughters’ education and since then I have served in a number of roles culminating in leading my first meeting as chair last week.

It is surprising that the role of the board of governors in the English education system is not widely understood, given how weighty its responsibilities are. The governing body is collectively responsible for overseeing the strategic direction, governance, and overall well-being of a school. Crucially that extends to legal responsibility for a school’s finances, which can be a daunting and surprising ask for a fresh faced volunteer who originally thought the extent of their duties might be organising the tombola at the Christmas fayre!

So why do it? After all, substantial responsibility without reward isn’t usually the best way to encourage volunteers! The answer, of course, is that there is reward, albeit not a financial one. Governors have a very real chance to make a difference to a school, its pupils and the wider community. Decisions taken by the governing body have a direct impact on the lives and education of our children, and that is incredibly fulfilling. It is measurable too; as a board we collect data on a range of metrics, so we can definitively see when the actions we take are having an impact. Schools are also independently inspected. As a board we were incredibly proud of the work we did with our headteacher and her staff to be upgraded last year to an Ofsted rating of ‘good’ after a lengthy period of requiring improvement.

But there is another, less altruistic reason for being a school governor. The volunteers on any governing body can come from all walks of life. I find this diversity to be a great advantage, but leading in this environment is quite different from my day job, or indeed any job I have had before. I can’t imagine a better training environment for developing the soft skills of persuasion, collaboration and diplomacy. Additionally, many on a typical board will have no background in education. The result is a challenge that is doubly difficult. Leading a disparate and unfamiliar team is one thing, but doing so in an unfamiliar environment when you have little or no domain knowledge is quite another.

And yet, this is the strength of the governing body system. Highly motivated people, bringing their own world views to an environment they don’t know terribly well brings freshness and innovative problem solving.

I know I will thoroughly enjoy my time as chair, and I fully expect I’ll be a much better leader in my day job as a result too.

Running the Loch Ness Marathon

The drive to Inverness for the Loch Ness Marathon was a good indicator of what was to come; it was staggeringly beautiful and it was a very long way! Rather than stay in Inverness itself, I chose to stay about 45 minutes away in Aviemore where the hotels were plentiful and guaranteed family friendly. However, as the kids headed off to the pool and I started my 90 minute journey just to register I began to think the Aviemore plan may have been a mistake. I suppose mandatory registration the day before an event is intended to create a buzz around the event village, but I could happily live without it.

Having picked up my race number I headed back to Aviemore where I ate as much pasta as I could stomach before heading to bed for an early night. Morning came far too soon. Maximum effort on fuelling and hydration coupled with some pre-race nerves meant a queasy start to the day, and judging by the queues for the portaloos at the bus park I was not alone in enduring an upset stomach!

It is a cruel ‘feature’ of the Loch Ness Marathon that all runners are bussed from the centre of Inverness to the start line high in the hills on the south side of the loch. Nothing quite emphasises the huge distance about to be run like being driven the entire length of the course before the start. The sense of collective foreboding added to the camaraderie onboard the rickety old double decker though, and throughout the journey runners made new acquaintances whilst swapping wine gums and war stories from training .

The start is a barren, lonely place when the buses leave!

The start of the race is almost comically remote; a sense only amplified by seeing the empty buses drive off back to Inverness. At this point there is literally no going back. As Bryan Burnett rather too gleefully says in the promotional video filmed on the start line, ‘the only way back to Inverness is 26 miles that way’. Even though the weather was relatively mild, the start is high and exposed. I had a space blanket that I was extremely thankful for. There were plenty of people not so well equipped, and by the time the gun went some of them had taken on a quite unnatural blue hue.

By the time we started everyone was thankful just to be running at long last. The first section is sharply downhill, which was quite painful on cold muscles and joints. However, spirits were high and the banter good. The positive vibe certainly lasted for the first 10 miles, all of which are downhill with a total descent of over 300m. Those first 10 miles are disarming. It is very hard to judge how things are going when you aren’t being made to work for the miles. A marathon is a long way though, and it transpired there would be plenty of opportunity to work hard!

The section between 10 and 17 miles is flat along the loch side. My focus in this section was simply to hold a reasonable pace to tick the miles off one by one and break the back of the race. This proved to be a very sociable stretch and I fell into conversations ranging from post race meals to Scottish Independence, and all without a cross word being said!

At my level, a marathon is always going to go wrong. It is just a matter of when. A quick glance at the profile of the race makes it abundantly clear where the ‘having fun/not having fun’ transition is most likely. At 17 miles there is a long, relentless hill that just keeps giving as the route begins to track inland. Cruelly, the hill arrives at just the point most amateur marathon runners are beginning to feel a bit wobbly. Suddenly the reassuring constant pound of a running stride broke into a punctuated run/walk as literally everyone was broken by the hill. I found this section very difficult. I never fully recovered my lost rhythm with the result that the last 8 or 9 miles became a survival wobble. As I came into Inverness itself over the last mile or so, the wobble became more determined, but all style had gone and this was now a run powered by grimace.

I’ve never known a finish straight to feel shorter than it is, and the finish on the banks of the River Ness was no exception. I finally finished in a ‘tunnel vision trot’ 4 hours and 35 minutes after I started, cheered over the line by my wife and girls. I was very happy to finish, but I probably felt more relieved than elated.

After any endurance event I always find myself asking 2 questions:

Would I do it again?
Could I have done it faster?

Never say never, but I can’t imagine doing the training for a marathon again unless it was for a very specific target, such as a four hour time. And that wouldn’t be easy. I trained relatively hard for this marathon and I was nowhere near prepared enough to run it well. I ran the first half in 2 hours, which was exactly what I expected. In the second half I imploded and lost 35 minutes, which again is exactly what I expected. The easiest way to go faster would be to not implode in the second half, but that would require so much more training at the 3 hour plus mark that it would take over my life. In short, I could go faster, but it would require a lifestyle change and a dedication to the cause that I’m not sure I’m ready to give.

But that is a debate for another day. For now all that matters is on the bucket list it says – marathon: tick!

Training for the Loch Ness Marathon

Running a marathon has always been one of those life “must do’s”. I always assumed that it was inevitable that one day I would run one; surely these things just ‘happen’. However, by the time of my 46th birthday it hadn’t happened and, given my fitness at that time had achieved an all time low (thanks Garmin for the brutal truth), it seemed a marathon was becoming increasingly unlikely.

That was the trigger. That night I entered the Loch Ness Marathon, and just to make sure I didn’t chicken out, I told Facebook and Instagram. There’s no going back after that!

Half-marathon: a waymarker en route to the real thing

I did consider a few other events before settling on Loch Ness. Initially I had planned to run a city marathon, but the London ballot is too unpredictable and marathons abroad became expensive very quickly. I figured that if I couldn’t have cheering crowds to motivate me then the next best option was to do something where the setting was beautiful and spectacular. Loch Ness certainly fitted that bill, and after I’d read the reviews from previous years I was sure that it would be a well organised and memorable race. The date was set: M day was 2nd October 2022.

One of the advantages of being more massive and less fit than ever before is that improvements come very quickly. I started in the January dark, doing an awkward run/walk shuffle around for about 4 kms at a time. My plan at this stage was to pre-train; to get good enough to start a ‘proper’ training plan in the Spring. Fairly quickly I fell into a routine of doing two shortish runs during the week and a longer run at the weekends, although at this stage 7 kms counted as a long run! On Monday nights I ran around the very dark running track while my daughter was at hockey training. Track running really helped with building confidence, pacing and avoiding injury, even if I did have an irrational fear that I was about to run into something (or someone) in the pitch dark!

I had intended to follow a more prescriptive training scheduled as my fitness improved. I had been given Chris Evans’ book ‘119 Days to Go’, which as the title suggests provides a day by day training programme lasting 17 weeks. Sadly my ability to follow a daily training plan was limited by my inflexible (and sometimes unpredictable) work/life routine, but reading the book was still helpful. Not least it gave me the confidence to not run too much. It also reassured me that being able to run 7 miles at steady pace with 5 months to go is comfortably ahead of the training curve.

Then the injuries started. Perhaps it is age, but I seemed particularly badly afflicted by niggling injuries for the majority of my training. If I am being honest with myself, I suspect the real underlying cause was being too heavy. I had planned to lose 10Kg before starting training, but that never happened. I therefore ran 1000km over a year putting far more strain on my body than I should have done. I lost around 7 weeks of training to injuries including, patella tendonitis, plantar fasciitis, a calf strain and odd back spasms. I learnt that compression socks and patella bands work well, and I also re-learned that when something hurts it doesn’t necessarily mean you need to stop. By the end of my training I’d say I was at a constant 3/10 on the pain scale across my various ailments. But I found that was sustainable.

My biggest worry throughout my training year was that I might not even make it to the start, and even with weeks to go that was in doubt. I gave up all hope of being ‘ready’ and was ultimately just happy to be there at all. Over the 10 months of training I ran just under 1000kms. I did around 8 runs that were longer than a half marathon and my longest run was about 35kms. A few years ago I cycled from Land’s End to John O’Groats. After training for that I realised I trained far more than I needed to. The reward for that was the event itself was relatively straightforward and pain free. For the marathon the opposite was true. I was underprepared and I certainly didn’t have enough long runs in my legs. I knew it was going to hurt, but at least I made it to the start!

Where I Was – 11th September 2001

My generation’s ‘where were you when…?’ moment unquestionably occurred on the 11^th of September 2001 when the twin towers of the World Trade Center were destroyed by terrorists. The death toll, and the unimaginable suffering of those that perished, are shocking in their own right, but the impact reached far beyond Manhattan. The lives we all live have been to some extent influenced by 9/11.

A week or so before I had arrived in Oman to take part in the largest British military exercise in living memory. I was part of a force of 20,000 troops in holding areas in the southern desert near the border with Yemen. Each unit was allocated a square kilometre of desert to assemble. My Troop had just collected our vehicles and were spending a few days preparing for the exercise ahead. This was a world before smartphones or reliable internet connectivity; this was remote and we felt it. There were welfare portacabins dotted around the desert that provided some access to painfully slow internet, but the nearest to us was a half hour trek across the sand.

In the Omani desert – 10th September 2001

I first heard the news by word of mouth. Some of those returning from a mid-afternoon break in one of the portacabins mentioned, almost in passing, an accident in the US involving a light aircraft crashing in to one of the towers of the World Trade Center. Only when I heard the BBC World Service on a shortwave radio a few hours later did I begin to understand the reality was on an altogether different scale.

In the isolation of the desert it was difficult to grasp the full magnitude of what had happened. Nobody had seen any video, nor would we for several weeks, so all we had was the radio reports and some grainy still images. I had visited the World Trade Center several times, so I had a better idea than most what the collapse of those huge buildings could mean, but by evening there was little doubt amongst everyone that something enormous had happened. The talk in the mess tent was of nothing else.

At the World Trade Center aged 5 in 1981

Rumours and speculation spread very quickly. I recall there was an early suggestion that Saudi Arabia and Yemen were somehow involved. Given that we were not much more than 100 miles from the borders of both those countries, their potential involvement was a sobering prospect. I also recall a conspiracy theory that seeped through from the UK questioning why the UK just happened to have its largest deployed exercising force in 20 years camped on the border of those countries in advance of the attacks. On the ground we certainly didn’t see it that way, especially as we didn’t have a single round of live ammunition between us. If anything we felt suddenly very exposed.

The exercise did continue, and my communications Troop deployed onto the training area. Shortly afterwards we received a detachment from 30 Signal Regiment of a satellite ground terminal that connected our command network back the UK. It is incredible by modern standards, but that connection was one of only two providing reachback communications from the deployed Division and its headquarters to the UK. There was clearly going to be some kind of Western military response so communications between the UK and the British force deployed in the Middle East were essential. By holding that link my Troop became strategically critical for a time. In reality this was quite welcome as we were directly ordered not to move or indeed do anything else that might put the satellite link at risk. For around two weeks my Troop of 30 soldiers played volleyball and generally amused ourselves in the desert whilst babysitting a satellite dish and willing it to keep working.

As the exercise drew to a close it became clear that we would not have an immediate role in any military response, and that the focus was likely to be in Afghanistan rather than on the Arabian Peninsula. The fledging conflict in Afghanistan that would define all our careers for the next 15 years was already close to home though, as each night we watched aircraft fly across the clear sky en-route to missions in Afghanistan. By the time we got back to Thumrait to fly home, the airport had been converted from a sleepy airfield to a bustling military operating base. The difference between exercise and live operations was stark.

A couple of years ago I visited the 9/11 memorial and museum in New York. It is spectacular in scale and the tone is well judged. It is the perfect memorial for a tragic event that touched so many lives. Everyone knows the story of how events unfolded that day, but it was clear from the faces and the hushed conversations of those at the memorial that every single person had their own story, and knew exactly where they were on the 11^th of September 2001.

Happy Birthday to the Royal Signals

Twenty-five years ago I joined a bewildered gaggle of officer cadets from universities across the UK as we assembled at the headquarters of the Royal Signals for the two week UOTC Basic Signals course. For a fortnight we lived like kings; the luxury of the officers’ mess was a stark contrast to the draughty transit camps we were used to and the food and drink, (which were taken copiously) were several notches better than student Pot Noodles.

I may have a learnt a little about military communications, but even back then that didn’t seem terribly important. What really mattered was being treated like ‘proper officers’ and members of the club. In the evenings when we gathered under the famous beams in the mess bar, we started a ritual of toasting our good fortune with a rowdy ‘God bless the Royal Signals!’ The phrase stuck – it featured on our end of course T-shirts and for years afterwards whenever I met someone who had been on that course we used it to greet each other.

It is little surprise then that when I arrived at Sandhurst a few years later, I was determined that I was going to commission into the Royal Signals. I was so certain that when I had to submit my mandatory reserve option I was at a loss who to choose. I eventually picked the Royal Artillery as a back-up, but it wasn’t much of a safety net. The first question the senior Gunner officer asked me in the selection interview was ‘why do you want to join the Royal Artillery?’ Slightly taken aback, I replied ‘I don’t, I want to join the Royal Signals’. The interview didn’t last much longer – apparently the Gunners don’t value that kind of honesty!

In December 1999 I did commission into the Royal Signals and I never looked back. I had the best part of 20 incredible years in the Corps during which I travelled the world, commanded soldiers on operations and achieved a Masters degree. In one memorable two-year period I was the operations officer in a Regiment that deployed soldiers on 30 global operations in 24 months. All the while I was fortunate to serve alongside a great bunch of people, born of that same open and welcoming culture I first experienced as a university cadet at Blandford.

Today the Royal Signals celebrates its 100^th birthday. Over the last century it has evolved from playing an enabling, almost peripheral role to now being at the very epicentre of modern military operations. With the advent of cyber warfare the Corps doesn’t simply enable anymore, it delivers real effects. The Royal Signals has never been more relevant.

Looking back from my sandbag, I’m incredibly proud to have been part of this tremendous organisation for nearly 20 years. Here’s to the next 100 years.

God bless the Royal Signals!

Business Continuity: Plans are worthless, but planning is everything

Last autumn I ran our SOC’s annual business continuity exercise. This involved decanting our entire operation to an alternate site at a facility provided by a dedicated business continuity supplier. Our contract guarantees short notice and sole occupier access to a large vanilla operations room filled with rows of desks and terminals. Within minutes of activating our gold disk, the machines were transformed from bland blank canvasses to exact working replicas of the machines in our SOC. At the flick of a switch analysts had immediate access to the full range of toolsets, data and intelligence that they have in our primary site. Less than 40 minutes after simulating denial of our SOC, we were 100% operational in a new location with the ability to deliver all of our services.

Even though the exercise went as expected, I still found it an impressive achievement. When things go well it is usually the result of a great deal of work, and this is no exception. Our successful exercise was only possible as a result of years of designing, fine tuning and maintaining a resilient architecture drawing on multiple datacentres and cloud solutions. The business continuity plan is planned in detail, and that plan is reviewed every 6 months to ensure every element continues to be fit for purpose.

The business continuity facility that we use is routinely manned by a solitary manager; for the most part it must be a terribly lonely job and he was clearly glad of the flurry of activity created by our exercise. Out of interest I asked him how frequently the facility is used for real in response to a genuine crisis. I didn’t expect it to be often, but the answer still surprised me. In the 5 years he had been working there, none of his hundreds of customers had ever activated their alternate site for a genuine crisis. Apparently, the vast majority of customers never even test activation, so for the most part he watches over an empty room, waiting for a crisis that, for the most part, never comes.

But this year a crisis did come, and it was a big one. The global coronavirus pandemic and the subsequent closure of offices meant that business continuity was suddenly front and centre in the minds of organisations of all shapes and sizes. Like everyone else we reached for our process documentation, dusted it down and set about putting our well-rehearsed plan into action. Except it didn’t work. Like virtually all business continuity plans it started with the assumption that our primary office space had suddenly become unavailable to us. It most certainly did not consider the possibility that all office spaces would be denied to us; our alternate site was unavailable for exactly the same reasons our primary site was unavailable.

Immediately we had to scrap the plan and set about writing a replacement based on dispersed local working. Initially this seemed like a daunting task, but it quickly became apparent that producing a workable plan was actually surprisingly easy. All of the design considerations we had made for our original plan meant that we had a fundamentally agile architecture that could be bent to accommodate our new requirements. The same applied to our processes; the fact that we had planned so rigorously meant that we understood what we needed to change in order to work in a novel and alternative way.

We began looking at this challenge two weeks before our offices formally closed, but within 48 hours we were very confident we could, for the first time ever, seamlessly move a large team that had always been office based to dispersed, remote working. We were right too, and when the day came that migration was seamless with no loss of service to our customers.

Crises are unpredictable by their very nature and, ultimately, they rarely happen in the way planned for. In the end our standing business continuity plan didn’t work, but the lessons we had learnt from our years of planning enabled us to design a workable alternative extremely quickly. Dwight D Eisenhower put it succinctly when he said Plans are worthless, but planning is everything.

SOC Thoughts

I was asked recently to answer some questions about building and running an effective Security Operations Centre (SOC) for a forthcoming article in Infosecurity Magazine. Thinking about the answers certainly helped pass the time on a work trip back from Denmark! Here’s what I came up with:

How important is it for companies to have an effective SOC and why?

Barely a day goes by without the news recording another high profile cyber breach. Such events are expensive, both financially and in terms of reputation. It is a common misconception that cyber-attacks are highly targeted. A few are, but most are not, so organisations of every scale and across all sectors can be vulnerable. No solution provides guaranteed protection, but a holistic approach to cyber defence can radically reduce risk. A SOC is a critical component of any organisation’s cyber defences. When done well it offers 24/7 vigilance and the ability to respond immediately when the worst happens.

What are the biggest challenges to overcome when running a SOC?

There are several, especially when starting from scratch! However I would say the biggest challenge is finding the right people. Security is fundamentally a people business; the right tools help too of course, but having the right blend of skills and experience in SOC analysts and engineers is the most important aspect to get right. Recruiting such talent isn’t easy – the skills gap in this industry is widely publicised – but by using dedicated recruiters who seek out talent, and by developing talent through an apprenticeship scheme, it is possible to build the right team.

What are the key elements of an effective SOC?

I think of a SOC comprising four fundamental and interlinked elements:

People: It is critical to build a team of analysts and engineers who have the skills (and passion) to run an effective SOC.

Tools: Using a blend of industry leading tools and bespoke detection capabilities across the Kill Chain ensures maximum coverage at all stages of an attack.

Processes: The SOC is fundamentally an operations room, and for it to work effectively under pressure and at pace there must be established processes for analysts to follow. Crucially however, these must not be so prescriptive that analysts don’t have freedom to bring their analytical skills to bear.

Threat Intelligence: Intelligence is essential for getting on the front foot. A mature and current understanding of the threat landscape makes the difference between operating reactively and proactively.

If implemented effectively, what impact can a SOC have on an organisation’s security posture and health?

SOC impact is notoriously difficult to measure, however one approach is to track coverage before and after implementation by employing a recognised industry standard. Using the MITRE ATT&CK framework, I have seen organisations grow from 15% coverage to more than 90% following the implementation of a well scoped SOC. There is a financial impact too. Given the extremely high cost of breaches, it is not overstating the case to suggest a mature SOC can defend against millions of pounds worth of damage.

Ten Years of Photo a Day

Ten years ago I started a project. I decided to take a photograph every day to document my life. I started on 5^th May 2009, for no other reason than that was the day the idea popped into my head. As it happens, it was a great time to start, only a few weeks later Katy and I got married and so the Photo A Day project has become an invaluable record of the journey of the Orr family.

Every May, I assemble the pictures into a slideshow. Nothing too fancy, just enough to show I have a passing knowledge of how to use iMovie! Each image gets two seconds of glory before moving on to the next day, which means it is possible to watch a year zip by in around 12 minutes. Further showcasing my iMovie skills, I set the whole thing to music released in that year, something that really helps with invoking memories.

At the ten year anniversary of doing this I have taken the opportunity to have a look through all the slideshows, which is no mean feat as even at only two seconds per day it takes over two hours to watch ten years unfold. In watching it was the mundane photographs that stood out. I deliberately don’t try to capture quality, well composed images. Originally this was for practical reasons – it would be too all consuming to try to produce a decent image every day so I started by literally just snapping anything and more or less stuck with that approach. I’m really glad I did too. The more formal, staged pictures we take tend to be of events we remember clearly anyway. My pictures record what I wouldn’t otherwise remember, the kitchen table after breakfast or the view from a train seat on an otherwise forgettable commute. These are the moments that bring back the memories that nearly got away.

The bigger the archive I create, the more precious this project becomes, so I can’t imagine I’ll stop any time soon, irrespective of the daily fear of forgetting to take a photo! So let’s see what the next ten years has in store!

Music copyright means I can’t upload the slideshows, although I suspect they would very quickly become dull to a casual observer so that is probably for the best! I have, however, included an image from each year below to give a 1/365^th sample!

5th May 2009 – The first photo

6th March 2011

8th June 2011

1st March 2013

28th September 2013

11th November 2014

Allyson and Gordon ready for Tissy’s Wedding

5th August 2015

8th May 2016

12th June 2017

25th February 2019

Cyber Threat and the Academic Sector

The requirement for robust and comprehensive cyber security exists across all sectors. Whilst we normally associate the threat to be most acute in finance, government and Critical National Infrastructure, it is increasingly clear that a similar threat exists in what hitherto may have been regarded as ‘softer targets’.

Earlier today, the BBC published an article that revealed both the scale of the threat to Universities and their vulnerability to cyber-attacks. Universities may initially appear to be a low yield target – after all what value is there in an undergraduate essay or the minutes of the Dungeons and Dragons club AGM?

But it isn’t about those things. The targeted and organised threat is geared towards uncovering the vast library of intellectual property that is developed and held by academic institutions. A huge proportion of our nationally important, cutting edge knowledge is contained in red brick repositories. It is easy to see how cyber criminals motivated by financial gain or state actors motivated by industrial espionage would see these as rich pickings.

They are easy pickings too; universities quite rightly foster a spirit of openness and sharing, including in the digital domain. This creates a massive attack surface, which is difficult to mitigate with generally meagre IT security budgets. That is why an intelligent, risk-based approach to cyber security is essential for academic institutions. Only by implementing a forward leaning and targeted approach to cyber defence can the academic sector defend their intellectual property from exfiltration and exploitation.

Party at the Palace

My great grandfather was a professional footballer. In the first few decades of last century he played club football in Glasgow and represented Scotland in a number of internationals, including on an exhibition tour to South America back in the days when we could legitimately claim we were teaching the world the game. Bobby Orr is something of a legend in our family; we have all been brought up with the stories of him playing at Cathkin Park and at Hampden in front of thousands of people. He must have been something of a celebrity in an age when that term was just beginning to mean something.

Of all the stories that I have heard, the one that has always captured my imagination was his choosing to play the last few seasons of his career at Crystal Palace. In the 1920s, London must have seemed an incredible adventure for someone from a small village outside Glasgow. I have no idea how he came to sign for Palace, nor what he would have made of living and playing in London, but I suspect it was both lucrative and glamourous. There are accounts of my great grandmother, bedecked in the finest furs (different times!), travelling by first class rail from Glasgow to watch him play on match days.

Sadly I never met my great grandfather, and even more sadly my dad didn’t meet him either. He died in the 1940s, and despite the fact my grandmother was pregnant at the time, he died without ever knowing he would have a grandson. Recently that grandson turned 70, and to mark the occasion we made a pilgrimage to Selhurst Park to watch Crystal Palace play in the Premiership. It was quite something to sit in the stands where my great grandmother sat 90 years ago cheering her husband on the very same pitch where we watched the current team beat Huddersfield. It isn’t often that these connections to the past are possible, but when they are they are worth savouring.

David Orr

Blogging about life and work