Professional Blogs

The Benefits of Being a School Governor

I recently had the great privilege of being appointed chair of governors at my local primary school. I joined the board in 2018 as a way of getting more involved in my daughters’ education and since then I have served in a number of roles culminating in leading my first meeting as chair last week.

It is surprising that the role of the board of governors in the English education system is not widely understood, given how weighty its responsibilities are. The governing body is collectively responsible for overseeing the strategic direction, governance, and overall well-being of a school. Crucially, that extends to legal responsibility for a school’s finances, which can be a daunting and surprising ask for a fresh-faced volunteer who originally thought the extent of their duties might be organising the tombola at the Christmas fayre!

So why do it? After all, substantial responsibility without reward isn’t usually the best way to encourage volunteers! The answer, of course, is that there is reward, albeit not a financial one. Governors have a very real chance to make a difference to a school, its pupils and the wider community. Decisions taken by the governing body have a direct impact on the lives and education of our children, and that is incredibly fulfilling. It is measurable too; as a board we collect data on a range of metrics, so we can definitively see when the actions we take are having an impact. Schools are also independently inspected. As a board we were incredibly proud of the work we did with our headteacher and her staff to be upgraded last year to an Ofsted rating of ‘good’ after a lengthy period of requiring improvement.

But there is another, less altruistic reason for being a school governor. The volunteers on any governing body can come from all walks of life. I find this diversity to be a great advantage, but leading in this environment is quite different from my day job, or indeed any job I have had before. I can’t imagine a better training environment for developing the soft skills of persuasion, collaboration and diplomacy. Additionally, many on a typical board will have no background in education. The result is a challenge that is doubly difficult. Leading a disparate and unfamiliar team is one thing, but doing so in an unfamiliar environment when you have little or no domain knowledge is quite another.

And yet, this is the strength of the governing body system. Highly motivated people bringing their own world views to an environment they don’t know terribly well bring freshness and innovative problem solving.

I know I will thoroughly enjoy my time as chair, and I fully expect I’ll be a much better leader in my day job as a result too.

Where I Was – 11th September 2001

My generation’s ‘where were you when…?’ moment unquestionably occurred on the 11th of September 2001 when the twin towers of the World Trade Center were destroyed by terrorists. The death toll, and the unimaginable suffering of those that perished, are shocking in their own right, but the impact reached far beyond Manhattan. The lives we all live have been to some extent influenced by 9/11.

A week or so before I had arrived in Oman to take part in the largest British military exercise in living memory. I was part of a force of 20,000 troops in holding areas in the southern desert near the border with Yemen. Each unit was allocated a square kilometre of desert to assemble. My Troop had just collected our vehicles and were spending a few days preparing for the exercise ahead. This was a world before smartphones or reliable internet connectivity; this was remote and we felt it. There were welfare portacabins dotted around the desert that provided some access to painfully slow internet, but the nearest to us was a half hour trek across the sand.

In the Omani desert – 10th September 2001

I first heard the news by word of mouth. Some of those returning from a mid-afternoon break in one of the portacabins mentioned, almost in passing, an accident in the US involving a light aircraft crashing into one of the towers of the World Trade Center. Only when I heard the BBC World Service on a shortwave radio a few hours later did I begin to understand the reality was on an altogether different scale.

In the isolation of the desert it was difficult to grasp the full magnitude of what had happened. Nobody had seen any video, nor would we for several weeks, so all we had was the radio reports and some grainy still images. I had visited the World Trade Center several times, so I had a better idea than most what the collapse of those huge buildings could mean, but by evening there was little doubt amongst everyone that something enormous had happened. The talk in the mess tent was of nothing else.

At the World Trade Center aged 5 in 1981

Rumours and speculation spread very quickly. I recall there was an early suggestion that Saudi Arabia and Yemen were somehow involved. Given that we were not much more than 100 miles from the borders of both those countries, their potential involvement was a sobering prospect. I also recall a conspiracy theory that seeped through from the UK questioning why the UK just happened to have its largest deployed exercising force in 20 years camped on the border of those countries in advance of the attacks. On the ground we certainly didn’t see it that way, especially as we didn’t have a single round of live ammunition between us. If anything we felt suddenly very exposed.

The exercise did continue, and my communications Troop deployed onto the training area. Shortly afterwards we received a detachment from 30 Signal Regiment of a satellite ground terminal that connected our command network back to the UK. It is incredible by modern standards, but that connection was one of only two providing reachback communications from the deployed Division and its headquarters to the UK. There was clearly going to be some kind of Western military response so communications between the UK and the British force deployed in the Middle East were essential. By holding that link my Troop became strategically critical for a time. In reality this was quite welcome as we were directly ordered not to move or indeed do anything else that might put the satellite link at risk. For around two weeks my Troop of 30 soldiers played volleyball and generally amused ourselves in the desert whilst babysitting a satellite dish and willing it to keep working.

As the exercise drew to a close it became clear that we would not have an immediate role in any military response, and that the focus was likely to be in Afghanistan rather than on the Arabian Peninsula. The fledgling conflict in Afghanistan that would define all our careers for the next 15 years was already close to home though, as each night we watched aircraft fly across the clear sky en route to missions in Afghanistan. By the time we got back to Thumrait to fly home, the airport had been converted from a sleepy airfield to a bustling military operating base. The difference between exercise and live operations was stark.

A couple of years ago I visited the 9/11 memorial and museum in New York. It is spectacular in scale and the tone is well judged. It is the perfect memorial for a tragic event that touched so many lives. Everyone knows the story of how events unfolded that day, but it was clear from the faces and the hushed conversations of those at the memorial that every single person had their own story, and knew exactly where they were on the 11th of September 2001.

Happy Birthday to the Royal Signals

Twenty-five years ago I joined a bewildered gaggle of officer cadets from universities across the UK as we assembled at the headquarters of the Royal Signals for the two-week UOTC Basic Signals course. For a fortnight we lived like kings; the luxury of the officers’ mess was a stark contrast to the draughty transit camps we were used to and the food and drink (which were taken copiously) were several notches better than student Pot Noodles.

I may have learnt a little about military communications, but even back then that didn’t seem terribly important. What really mattered was being treated like ‘proper officers’ and members of the club. In the evenings when we gathered under the famous beams in the mess bar, we started a ritual of toasting our good fortune with a rowdy ‘God bless the Royal Signals!’ The phrase stuck – it featured on our end-of-course T-shirts and for years afterwards whenever I met someone who had been on that course we used it to greet each other.

It is little surprise then that when I arrived at Sandhurst a few years later, I was determined that I was going to commission into the Royal Signals. I was so certain that when I had to submit my mandatory reserve option I was at a loss who to choose. I eventually picked the Royal Artillery as a back-up, but it wasn’t much of a safety net. The first question the senior Gunner officer asked me in the selection interview was ‘why do you want to join the Royal Artillery?’ Slightly taken aback, I replied ‘I don’t, I want to join the Royal Signals’. The interview didn’t last much longer – apparently the Gunners don’t value that kind of honesty!

In December 1999 I did commission into the Royal Signals and I never looked back. I had the best part of 20 incredible years in the Corps during which I travelled the world, commanded soldiers on operations and achieved a Masters degree. In one memorable two-year period I was the operations officer in a Regiment that deployed soldiers on 30 global operations in 24 months. All the while I was fortunate to serve alongside a great bunch of people, born of that same open and welcoming culture I first experienced as a university cadet at Blandford.

Today the Royal Signals celebrates its 100th birthday. Over the last century it has evolved from playing an enabling, almost peripheral role to now being at the very epicentre of modern military operations. With the advent of cyber warfare the Corps doesn’t simply enable anymore, it delivers real effects. The Royal Signals has never been more relevant.

Looking back from my sandbag, I’m incredibly proud to have been part of this tremendous organisation for nearly 20 years. Here’s to the next 100 years.

God bless the Royal Signals!

Business Continuity: Plans are worthless, but planning is everything

Last autumn I ran our SOC’s annual business continuity exercise. This involved decanting our entire operation to an alternate site at a facility provided by a dedicated business continuity supplier. Our contract guarantees short notice and sole occupier access to a large vanilla operations room filled with rows of desks and terminals. Within minutes of activating our gold disk, the machines were transformed from bland blank canvasses to exact working replicas of the machines in our SOC. At the flick of a switch analysts had immediate access to the full range of toolsets, data and intelligence that they have in our primary site. Less than 40 minutes after simulating denial of our SOC, we were 100% operational in a new location with the ability to deliver all of our services.

Even though the exercise went as expected, I still found it an impressive achievement. When things go well it is usually the result of a great deal of work, and this is no exception. Our successful exercise was only possible as a result of years of designing, fine tuning and maintaining a resilient architecture drawing on multiple datacentres and cloud solutions. The business continuity plan is planned in detail, and that plan is reviewed every 6 months to ensure every element continues to be fit for purpose.

The business continuity facility that we use is routinely manned by a solitary manager; for the most part it must be a terribly lonely job and he was clearly glad of the flurry of activity created by our exercise. Out of interest I asked him how frequently the facility is used for real in response to a genuine crisis. I didn’t expect it to be often, but the answer still surprised me. In the 5 years he had been working there, none of his hundreds of customers had ever activated their alternate site for a genuine crisis. Apparently, the vast majority of customers never even test activation, so for the most part he watches over an empty room, waiting for a crisis that, for the most part, never comes. 

But this year a crisis did come, and it was a big one. The global coronavirus pandemic and the subsequent closure of offices meant that business continuity was suddenly front and centre in the minds of organisations of all shapes and sizes. Like everyone else we reached for our process documentation, dusted it down and set about putting our well-rehearsed plan into action. Except it didn’t work. Like virtually all business continuity plans it started with the assumption that our primary office space had suddenly become unavailable to us. It most certainly did not consider the possibility that all office spaces would be denied to us; our alternate site was unavailable for exactly the same reasons our primary site was unavailable.

Immediately we had to scrap the plan and set about writing a replacement based on dispersed local working. Initially this seemed like a daunting task, but it quickly became apparent that producing a workable plan was actually surprisingly easy. All of the design considerations we had made for our original plan meant that we had a fundamentally agile architecture that could be bent to accommodate our new requirements. The same applied to our processes; the fact that we had planned so rigorously meant that we understood what we needed to change in order to work in a novel and alternative way. 

We began looking at this challenge two weeks before our offices formally closed, but within 48 hours we were very confident we could, for the first time ever, seamlessly move a large team that had always been office based to dispersed, remote working. We were right too, and when the day came that migration was seamless with no loss of service to our customers.

Crises are unpredictable by their very nature and, ultimately, they rarely happen in the way planned for. In the end our standing business continuity plan didn’t work, but the lessons we had learnt from our years of planning enabled us to design a workable alternative extremely quickly. Dwight D Eisenhower put it succinctly when he said ‘Plans are worthless, but planning is everything’.

SOC Thoughts

I was asked recently to answer some questions about building and running an effective Security Operations Centre (SOC) for a forthcoming article in Infosecurity Magazine. Thinking about the answers certainly helped pass the time on a work trip back from Denmark! Here’s what I came up with:

How important is it for companies to have an effective SOC and why?

Barely a day goes by without the news recording another high profile cyber breach. Such events are expensive, both financially and in terms of reputation. It is a common misconception that cyber-attacks are highly targeted. A few are, but most are not, so organisations of every scale and across all sectors can be vulnerable. No solution provides guaranteed protection, but a holistic approach to cyber defence can radically reduce risk. A SOC is a critical component of any organisation’s cyber defences. When done well it offers 24/7 vigilance and the ability to respond immediately when the worst happens.

What are the biggest challenges to overcome when running a SOC?

There are several, especially when starting from scratch! However I would say the biggest challenge is finding the right people. Security is fundamentally a people business; the right tools help too of course, but having the right blend of skills and experience in SOC analysts and engineers is the most important aspect to get right. Recruiting such talent isn’t easy – the skills gap in this industry is widely publicised – but by using dedicated recruiters who seek out talent, and by developing talent through an apprenticeship scheme, it is possible to build the right team.

What are the key elements of an effective SOC?

I think of a SOC as comprising four fundamental and interlinked elements:

People: It is critical to build a team of analysts and engineers who have the skills (and passion) to run an effective SOC.

Tools: Using a blend of industry leading tools and bespoke detection capabilities across the Kill Chain ensures maximum coverage at all stages of an attack.

Processes: The SOC is fundamentally an operations room, and for it to work effectively under pressure and at pace there must be established processes for analysts to follow. Crucially however, these must not be so prescriptive that analysts don’t have freedom to bring their analytical skills to bear.

Threat Intelligence: Intelligence is essential for getting on the front foot. A mature and current understanding of the threat landscape makes the difference between operating reactively and proactively.

If implemented effectively, what impact can a SOC have on an organisation’s security posture and health? 

SOC impact is notoriously difficult to measure, however one approach is to track coverage before and after implementation by employing a recognised industry standard. Using the MITRE ATT&CK framework, I have seen organisations grow from 15% coverage to more than 90% following the implementation of a well scoped SOC. There is a financial impact too. Given the extremely high cost of breaches, it is not overstating the case to suggest a mature SOC can defend against millions of pounds worth of damage.

Cyber Threat and the Academic Sector

The requirement for robust and comprehensive cyber security exists across all sectors. Whilst we normally assume the threat to be most acute in finance, government and Critical National Infrastructure, it is increasingly clear that a similar threat exists in what hitherto may have been regarded as ‘softer targets’.

Earlier today, the BBC published an article that revealed both the scale of the threat to Universities and their vulnerability to cyber-attacks. Universities may initially appear to be a low yield target – after all what value is there in an undergraduate essay or the minutes of the Dungeons and Dragons club AGM?

But it isn’t about those things. The targeted and organised threat is geared towards uncovering the vast library of intellectual property that is developed and held by academic institutions. A huge proportion of our nationally important, cutting edge knowledge is contained in red brick repositories. It is easy to see how cyber criminals motivated by financial gain or state actors motivated by industrial espionage would see these as rich pickings.

They are easy pickings too; universities quite rightly foster a spirit of openness and sharing, including in the digital domain. This creates a massive attack surface, which is difficult to mitigate with generally meagre IT security budgets. That is why an intelligent, risk-based approach to cyber security is essential for academic institutions. Only by implementing a forward leaning and targeted approach to cyber defence can the academic sector defend their intellectual property from exfiltration and exploitation.

Negotiating Like a Child

Children are expert negotiators. As a father of three impressively persuasive daughters, I know to my cost that children are masters at bargaining and winning a deal. The incredible thing is, this talent seems to be instinctive. We never teach our children these skills, they just seem to be born with an innate ability to negotiate. This month I spent a hugely rewarding two days on a negotiation course run by Bill Garcia of TableForce. The course was outstanding – easily the most useful two-day course I have ever done – but during it, I was struck by how closely the approach Bill taught us resembled the negotiating behaviour of my own daughters:

  • Children know to try – the first rule of bargaining is to give it a go. As Wayne Gretzky put it, ‘you miss 100% of the shots you don’t take’. And children try better than anyone else; they do so with audacity and persistence. 5 minutes before dinner:
    • Can I have an ice cream?
    • No!
    • Can I have an ice lolly?
    • NO!
    • Can Charlotte have an ice cream and I’ll share?
    • No, No, No!
  • Children know the power of the opening position. By starting big they shift the cursor of expectation and get a bigger outcome:
    • Can we go to Disneyland today?
    • Wha…? No. How would that even….?
    • Ok. Can we go to the park then?
    • Sure, whatever.
  • Children know to never give without getting:
    • If I tidy my room, can I have a biscuit?
    • But you should be tidying your room anyway.
    • It will be super tidy.
    • Ok, sure…..
  • Children understand the motivations of their parents and use that knowledge to manipulate (they get on our page).
    • Can I have a snack?
    • No, you’ve literally just had dinner.
    • I could have an orange – I’m really worried I haven’t had my 5-a-day today.
    • You win, have an orange.

So, the question is, if I understood all this as a child, why have I just spent time re-learning the same skills? Like almost all children I was taught that negotiating is impolite. I was told it is rude to bargain with people and, over time, I learnt to stop challenging and accept other people’s opening positions without question. That approach may have made for an easy life when I was a schoolchild in a classroom, but in business, and indeed in adult life, it means entering every negotiation on the back foot. So, this month I spent two days learning skills that I once knew, skills that I see every day in my own children. Next time I want to clinch a deal, I’ll think like a child. Some would say that shouldn’t prove too much of a challenge.

 

 

How I Found a Job After Leaving the Army

It is now a year since I started my resettlement journey – transitioning to civilian life after 20 years in the Army. Although it was undeniably daunting at the outset, I am delighted with the way it has worked out. I have a job with an excellent company, I actually get to go home to my family every night (a key driver for leaving) and I am in a financially stronger position. I am fortunate that I have achieved everything I wanted to in the 12 months following ‘pressing the button’.

This seems like a sensible point to take stock and review the last year, not least because it may prove useful to those leaving the service now in the same way that I found the advice of those ahead of me on the conveyor belt invaluable. Rather than tackle this with the usual ‘top tips for resettlement’ I thought it might be helpful to recount how I set about planning my transition, highlighting what worked and what didn’t along the way.

Planning

With a background in Plans and Operations it seemed logical to apply the same trusted planning method I’ve used all my career to my resettlement campaign. I started by articulating as simply as possible what I was trying to achieve, namely a job in the private sector that I could commute to daily with a salary that matched or exceeded my existing Army salary. I then conducted an estimate process to produce a plan to deliver that end state. As shown in the diagram below, I devised five Lines Of Operations (LOO) to break the task down into manageable chunks. Each LOO had its own end state and all five aggregated together to deliver the overall objective. I haven’t shown it here, but the plan existed at a further level of detail comprising around 60 milestones and sub objectives, which I tracked using an online project management application.

[Diagram: the five Lines Of Operations]

The LOOs were:

LOO1 – Build the Network

If there is one piece of advice that I was given consistently through the resettlement process it was that networking is critically important. The advice is accurate too; there is no substitute for having a diverse and influential network of contacts who are able and (hopefully) willing to help. My challenge, however, was turning that theory into practical reality. I had been aware that maintaining a network was important for years, so over time I built up a fairly substantial collection of contacts on LinkedIn. Military officers are fortunate in this regard; simply by virtue of moving so frequently we meet a broad spectrum of people, both serving and civilian. I found collecting these contacts on LinkedIn in the years before I left invaluable, especially as many of my serving contacts had already left and therefore had trodden the resettlement path before me. It really helped when the people I spoke to had been through the transition process themselves and every single one went out of their way to help. It is hard to overstate the value of the network I already had as a direct result of being a military officer.

Armed with my LinkedIn contact list and a large glass of wine, I set about categorising my contacts into those that might be in a position to offer me a job, those that could assist by opening doors, and those that could provide specific advice. I quickly discovered that the first category doesn’t really exist; networking does not often lead immediately to a job offer and if you adopt the attitude that it should you will lose friends pretty quickly. Once I had a list, I allocated everyone a score based on how much I thought they might be able to help me. I then started at the top and began making contact, initially on LinkedIn but always followed up with a meeting in person. This proved hugely valuable, and a large proportion of my meetings led to further referrals and several led directly to interview opportunities. Without exception, everyone I met was happy to give up their time and I left every single meeting with at least one new nugget of advice. If I could do one thing differently it would be to focus my networking on the geographical area in which I planned to settle. I made the mistake of focussing on my network’s centre of gravity, which was inevitably London. It is amazing how many times I met people who could help me get a job in the South East, but who had little influence in the North of England, even when they worked for a company with regional offices. Developing a Partner level relationship with one of the ‘big four’ in London was surprisingly ineffective at securing a job with the same company in the north.

In addition to this informal networking, I also harnessed a couple of more structured and well organised networks. The Officers’ Association is an excellent resource and they were able to put me in touch with some very helpful ex-forces contacts. I also joined the Two Roses networking group which, despite the name, is a Yorkshire focussed networking group for veterans. They are a really helpful and friendly bunch, with the added advantage that they know the ground in the North. My understanding is that most regions in the UK have similar groups – I suspect the OA would have details.

LOO2 – Apply for Jobs

It sounds ridiculous but it is easy to forget that you actually have to apply for jobs! Particularly in the early days when I didn’t understand how networking operates, I naively thought that eventually I’d be offered a job from that process. I’m not saying that never happens, but it is extremely rare. Fortunately, I recognised this before the optimum time for applying, which turns out to be 3-4 months before the ideal start date, so I was never on the back foot.

Generally I found that the two best ways to find vacancies were organisations’ own careers webpages and LinkedIn Jobs (the job I ultimately secured was from LinkedIn). Before I started, I invested time writing and tuning my master CV and covering letter. I wrestled with the debate about how demilitarised both should be, and I ultimately decided on a hybrid. Completely civilianising all language and appointments looks ridiculous and contrived – being an Ops Officer is simply not the same thing as a Chief Operating Officer – but equally it is still important to write in a way that the target audience will understand. On several occasions I was complimented on my CV for its absence of ‘nonsense jargon’, something I achieved by writing in plain English and not seeking to translate every element of military language.

I focussed on detailing achievements and outcomes in my CV. As someone who now sees many CVs a week, I can confirm that the real value comes from evidence of success in roles similar to the job you are applying for. Once I had written a draft CV I sent it to an array of people for ‘red-penning’. I kept doing this until I started receiving suggestions to change something back to the way it had been in a previous version. Then I knew I was chasing the error!

I spent about half a day on each job application. It takes this long to tailor the CV and covering letter for that specific job. To really force home the idea that my application was laser targeted at a specific job I made a conscious effort to weave the language of the job advert and job specification, including using full phrases, into my CV and covering letter.

For every application I tried to let someone from my network on the inside of that company know that I had applied. This has a twofold benefit; if they are willing to put in a good word that always helps but perhaps even more importantly they are able to nudge the process along when the glacial HR process inevitably stalls.

Overall my approach worked as most of my applications led to some kind of positive follow up.

LOO3 – Build Online Profile

Resettlement is effectively an exercise in personal promotion. Fortunately, in the social media age it is really easy to build an online brand to portray yourself however you choose. It is important to start early, engage with multiple platforms and to remain consistently active.

I once met a CEO who claimed he wouldn’t hire someone if they didn’t have a LinkedIn profile. Possibly an extreme position, but it does serve to highlight just how important LinkedIn is in the modern job market. I made sure my profile was immaculate, both in terms of content (which must complement the CV) and appearance, including adding a few photographs. I also made sure that I was active on LinkedIn daily, including writing original content. I’m not sure exactly how, but high activity and original content seem to be the two things that promote profiles to the front of the algorithm queue.

I also started blogging on a website that I set up originally purely for self-promotion. As it turned out I quite enjoyed writing and the blog also served as an excellent platform to promote my charity fund raising efforts, but these were fringe benefits. I wrote (and still write) at least one article a month on a subject of professional or personal interest, which I then promote on Twitter, LinkedIn and Facebook. The benefits of this are hard to quantify, but I do know that in the period of my resettlement my website was viewed almost 6000 times, which is a great deal of exposure I wouldn’t otherwise have had. It is not unreasonable to assume that many of the companies that I applied to will have Googled me and it certainly can’t have done any harm when they found a site with a narrative that was completely under my control.

LOO4 – Conduct Training

The resettlement period offers an opportunity like no other to invest time and money in personal development. At the beginning of the process I conducted an analysis of the gap in my skills and professional profile. I did this by consulting widely, but also by reviewing hundreds of job adverts to get a feel for the skills and attributes they were asking for. I quickly understood I had a deficit of commercial understanding and finance. I also didn’t have much in the way of formal recognition of cyber skills, despite having a good few years’ practical experience.

To address the first two shortfalls, I enrolled in Manchester Business School’s AMAC course. I can’t recommend this course highly enough; over 3 weeks it teaches MBA level material tailored to the gaps in knowledge a typical mid to senior level officer has on leaving the forces. I learnt a huge amount about business governance, strategy and finance, and it provided an excellent opportunity to get to know officers in the same situation, many of whom I now count as valued contacts. A qualification from Manchester Business School also has a certain gravity that plays well on the CV and at interview.

To tackle the cyber skills certification gap I did the CISMP course. Whilst good enough, I would with hindsight have done CISSP instead as it is probably the most widely respected general qualification in the industry.

LOO5 – Administrate

In the whirlwind that is resettlement it is easy to forget the considerable burden of administration that has to be done on leaving. It all takes longer than might reasonably be expected so it is worth starting early. It is imperative to apply for the pension as soon as possible to ensure payment starts on termination. It is also worth speaking to the taxman before the inevitable first pay cheque gets taxed at emergency rates.

The Results

A year on from starting this process I am pleased to be able to say the plan worked. I have an excellent job with NCC Group managing a team of cyber security analysts and engineers delivering Managed Detection and Response to an array of customers across multiple sectors. The company is ambitious and progressive; there are plenty of ways my career could develop from here without changing employer. As for the all-important commute, I now drive 25 minutes each way and go home every night, which is a welcome far cry from the two nights per week at home that originally pushed me to abandon ship. And, although it isn’t about the money, there is a mortgage to pay so it is not an unimportant consideration! I achieved my objective of matching my Army salary so with my pension added to the mix I am now financially better off than when I was serving.

As for the other opportunities I was pursuing, the facts are these:

  • I actively pursued 13 clear opportunities over a 2-3 month period.
  • I had some kind of first interview (telephone or face to face) for 10 of the 13.
  • 3 opportunities were ended by the company after the first interview. 2 were ended by me.
  • I was invited to a final interview for 5 of the original 13.
  • I attended 2 of the interviews and was offered positions as a result of both.
  • I withdrew from the remaining 3 interviews as I had already accepted a job with NCC Group.

If I had been offered this outcome at the outset there is no question the decision would have been to ‘stick’ rather than ‘twist’! The resettlement process is a huge amount of work but, in hindsight, it was enjoyable too. It isn’t often in a working career that anyone can dedicate several months to finding their ideal next career step without distraction. I feel very lucky I had the time and resource to get it right.

Lessons From Cyber War – Extract of Talk to the IET

I was delighted to speak to the Inverness branch of the IET on 5th December 2018. The following is an extract of what I covered:

Cyber security is a fast-moving business. Threats emerge and threat actors evolve at pace, so as security professionals it is essential to learn lessons in real time to stay ahead of the game. That is why cyber intelligence is such an important discipline; it provides the edge that transforms a reactive approach into a more valuable proactive model.

Of the threat actors, criminal groups pose the greatest threat to business security. However, most criminal organisations have neither the means nor the resource to be as surgically effective as state actors. In recent years cyber has become increasingly critical as a weapon of war. The tools and processes used at this level are often the best there is, so it makes sense to learn all we can from such operations. Even if we only examine detail available in open source reporting there is much we can learn from case studies including:

  • The consistent targeting of the ‘soft underbelly’. It is striking how often access is achieved by using a vector overlooked or considered unimportant by defenders.
  • Human weakness – almost all successful attacks at some point take advantage of the human in the process, who is often much more porous than the technology.
  • Unexpected indicators of compromise. We can’t always anticipate the indicators of malign activity and therefore traditional ‘signature sniffing’ approaches become increasingly ineffective. The future lies in anomaly detection; by highlighting outlier activity to experienced analysts we stand a much better chance of effective detection.

Learning from case studies is tremendously valuable, but learning from theory is useful too. Many authors have used the UK military Principles of Defence to extrapolate lessons for cyber security; indeed, there is at least one security business that uses the principles to structure its consultancy. There is good reason for doing so; defence is defence, whether in the physical world or in cyber space, and the six principles are equally valuable in each:

  • Depth – Any cyber security solution must be multi-layered to frustrate, delay and deter an attacker. It must also incorporate physical, technical, procedural and cultural elements.
  • All round Defence – There is no point locking the front door if the back door is left open.
  • Mutual Support – Aggregating our monitoring from multiple sources, and combining with threat intelligence in a Security Incident and Event Management (SIEM) system gives a more coherent and holistic view of what is happening in our networks.
  • Reserves – Any organisation must be capable of business continuity (resilience is key) and disaster recovery (backup is key).
  • Offensive Spirit – Taking or gaining the initiative by ‘hacking back’ or ‘hacking first’ may be off the agenda for commercial organisations (at least within current law) but that doesn’t mean that offensive thinking can’t help us defend. This is most easily brought to bear by aggressively pursuing intelligence.
  • Deception – Using honeypots or dummy networks can be effective in identifying breaches and gathering information about attackers.

As information develops as our most valuable resource it is imperative that we take every opportunity to develop our understanding of how best to defend it.

Why is Patching so Hard?

Patching computer systems is like healthy eating; everyone knows they should do it, most people know how to do it, but far too often it is done half-heartedly or not at all. A staggering 80% of all successful cyber-attacks could be avoided if the breached system was maintained at the latest patch state. WannaCry, perhaps the most infamous and widespread attack in recent years, was entirely avoidable as a patch for the vulnerability it exploited was released a month before global mayhem was unleashed in cyberspace.

So why do we inflict this misery on ourselves? Why don’t we just patch and head the majority of our security worries off at the pass? As a fully paid up member of the ‘head scratching’ security community I watch on with incredulity. But I am also a hypocrite with a short and selective memory. Only a few years ago I was on the other side of the fence, responsible for managing hundreds of systems in extremely challenging circumstances. Back then security patching was a perpetual headache that far too often became overwhelming. With the benefit of hindsight, patching was difficult for an array of reasons:

  • Configuration Management.  Few will admit it, but configuration management is poor to non-existent in the majority of organisations. And if you don’t understand the state of your systems it is impossible to determine what patching is required. Once control is lost it is very difficult to regain.
  • Cost.  Patching can be expensive. It gets even more expensive when products reach end of life and support stops. At that point the choice can be stark; engage in a major upgrade or consciously neglect patching newly discovered vulnerabilities. Making the business case to change on the basis of a risk that can be difficult to quantify is notoriously difficult when money is tight.
  • Time.  I was once responsible for a fleet of systems that were held offline in a warehouse in readiness for emergency use. On a monthly basis we built each system and applied updates and patches. Or at least we tried to; in reality the process took far more hours than were available in a typical working week. The result was a fleet that became ever more out of date and ever more vulnerable. This is an extreme example, but dedicating time to patching systems can be difficult when there are so many different demands on our resources.
  • Risk and Disruption. Most organisations have at least one legacy system that nobody really understands, but whose existence is critical to the business. Making any changes to such systems is regarded as poking a sleeping bear, so the idea that you would attempt to patch it, or any system it interoperates with, is regarded as self-harming at best.
  • Impenetrable Security. The very worst reason I have ever heard for not patching came from a third-party managed service provider who argued that it wasn’t necessary because their cyber security solution was so robust. As an industry insider I am a huge advocate of comprehensive cyber security, but there is no solution that is impenetrable. This approach is akin to leaving your door unlocked because you have a fence that is almost (but not quite) unscalable.

So, despite the bewilderment of the cyber security community there are many good reasons why patching is difficult. However, there is no getting away from the fact that patching is the single most impactful measure that any organisation can take to improve their cyber security posture. Understanding your enterprise and its vulnerabilities in terms of business risk is an important first step that enables prioritisation of resource (the NCSC has some great advice on this). Once this has been achieved, a holistic cyber security solution can be designed. The answer, as ever, is a portfolio of measures that work together to drive down risk.