The Association for Consultancy and Engineering (ACE) SME Council recently brought together engineering and technology professionals from across the water sector for a focused session on cyber security, one of the most pressing challenges facing suppliers and contractors operating in critical national infrastructure today.
As cyber security and technology recruitment specialists within the wider Gattaca group, InfoSec People was proud to be part of the event alongside our colleagues at Matchtech, who sponsored the event. Together, we are uniquely positioned to help organisations across the water sector find the talent they need to strengthen their cyber posture, from experienced OT engineers to specialist security professionals.
The session delivered clear, practical insight from two expert speakers: Liz Banbury, who brought an in-depth perspective on supply chain risk and regulatory expectations, and Ben Craig, who examined the talent dimension of how organisations attract, retain and develop the right cyber security people.
Speaker Highlights
Liz Banbury: Chief Information Security Officer at Thames Water
“Attackers often target suppliers first, not the regulated entity.”
This point landed with real weight. The supply chain is frequently the path of least resistance, and it is therefore the responsibility of every supplier, regardless of size, to take their own cyber security seriously.
“Reducing your own risk, reduces the risk of the customer.”
On the question of where to start, Liz was direct: Cyber Essentials. For SMEs in particular, achieving this certification is not a bureaucratic exercise, it is a meaningful signal to customers and a genuine baseline of protection.
“Cyber Essentials is not ‘tick-box’ it’s a passport into supply chains.”
Liz also highlighted the practical, proportional steps that all organisations can take, including password hygiene, multi-factor authentication, and ongoing staff education, particularly around social engineering attacks, which remain one of the most common and effective routes into an organisation.
Regulatory expectations are rising across critical national infrastructure, and Liz was clear that organisations which move early gain more than just risk reduction.
Ben Craig: Director of Cyber Recruitment at InfoSec People
“Cyber security is a people problem before it is a technology problem.”
Skills shortages disproportionately affect smaller organisations, which often struggle to compete with larger utilities and consultancies on salary and career progression. The result is a retention challenge that compounds over time: limited progression paths, burnout from always-on security roles, and the constant threat of losing experienced people to better-resourced competitors.
Ben highlighted that strong retention strategies are themselves a form of risk management. Retaining experienced people means retaining institutional knowledge, continuity, and the contextual understanding that cannot be hired in from outside. The most effective retention approaches, he suggested, centre on role clarity and realistic expectations, meaningful investment in training and development, and a clear sense of purpose protecting critical national infrastructure is genuinely meaningful work, and organisations should not be afraid to say so.
On the question of what good hiring looks like in the sector, Ben emphasised that technical skills alone are sufficient. The most effective cyber professionals in the water sector combine sector understanding with strong communication skills and risk-based, proportionate thinking.
“Right people, not just more people.”
The session closed with a clear vision of what good looks like for water sector SMEs: cyber security embedded in organisational culture, teams aligned to operational and business needs, people who are supported and retained, and recruitment that is targeted, realistic, and sector-aware.
Post-event interview
After the event, we sat down with Liz Banbury for a deeper conversation on supply chain risk, skills gaps, and the future of cyber talent in the water sector.
Q: What are the biggest cyber risks when contractors and partners hold sensitive asset data outside the organisation?
The risk is where the data is classified as confidential or sensitive and exposes the company to weaknesses or vulnerabilities, or to information which allows a person to understand the network infrastructure or site layouts, for example:
- If disclosed to unauthorised persons or misused, this information on its own or correlated with other information could lead to an operational and/or cyber incident via networks or via physical sites.
- There is also an add-on concern with ‘open data’ being held elsewhere, such as with councils for planning permissions and engineering works orders.
Security minded communications are at the forefront of risk mitigation, to ensure that the minimum amount of information is revealed [outside of what is required to do a job] and that contractors and other partners are very clear about our expectations and mandatory requirements for the safeguarding of that information.
Q: Where do you see the greatest risks technological or talent-related?
I am not so close to this, but I know that finding experienced engineers across many sectors is proving hard. To answer this question, it really depends on what we mean by ‘talent-related’. Ultimately, the industry needs both. The experienced engineers and the cyber security specialists.
From a cyber perspective:
Depending on your role, I think the crucial skills right now is again back to mindset. The ability to talk to the senior stakeholders, the board, the executives. The ability to know what good looks like and to be able to move quickly to form an opinion on whatever the latest topic is.
From an engineering perspective:
We know that the supply chain in some areas is still at a low-level of maturity. Engineers work upfront in programs and play a significant role in ‘secure-by-design’, however, engineers like the majority of other people, will be struggling to keep up with new threats such as the latest Claude Mythos capability.
Given our reliance on our third parties and the supply chain, and knowing that the supply chain is often targeted to attacks by indirect channels, it is imperative that the regulated entity invests in both the cyber talent and in upskilling their engineers to bolster their own and the industry’s overall resiliency.
Q: How should organisations approach building more diverse, high-performing teams?
This is an area which takes conscious action and on-going focus. It is not simply a matter of hiring people to fit gender, ethnicity, location models, as first and foremost, the individuals and teams still need to have the capability and experience to perform. It is also about mindset. You must believe that diversity can and will make a team and organisation stronger and able to pivot to challenges.
How organisations should be doing this is more from the ground up? Work with schools, apprenticeship programs, graduate programs – recruiting from non-standard channels. For example: ex-military, neurodiverse memberships. We need to be mindful of our biases as hiring managers, and internal education and awareness can help with this. When we talk about bias, this is culture, and culture needs to be executed at the top. Senior leaders need to live the values of the organisation.
Q: How should organisations approach the balance between third party cyber security suppliers and developing in house teams?
This is a complicated question and really depends on the organisation and its level of complexity and maturity at a given time. Quite often, there is a strategy at the Board and Executive Committee level, which will have been ratified by groups such as Shareholders, Regulators, etc. The strategy will commit to a set number of FTE across different business and function areas.
Secondly it really depends on where you sit. If you sit in a transformation program, then it may make sense for a majority of roles [PM, BA] to be outsourced, so that you do not have too many FTE after programs finish and transition into BAU.
The third area is BAU, the ‘on the ground’ teams where projects will transition to upon completion. These teams are often a mix of permanent and third-party. Knowing which roles should be in-house vs outsourced requires having a forward-looking strategy, which understands the industry you are working in and what the ‘art of the possible’ is, i.e. how embedded are you with third-party partnerships. It also requires a good understanding of what a ‘critical’ role or domain is, as it is not always the same for all organisations. Generally, though, critical roles should be ‘in-house’ – security, strategy and governance, and I also believe that certain core domains such as IDAM and PAM and Architecture should be in-house.
Q: How do you see the cyber talent landscape evolving over the next five years?
Getting out the crystal ball – the talent landscape needs people with some different skillsets that were just not foreseen or required a generation ago. 10–15 years ago, quantum computing was ‘a thing’ but something that was still considered to be 10–15 years away. The NCSC has published guidelines advising organisations on what they need to do to start addressing this risk, you can find the guidelines here.
This is currently an unquantifiable risk, and it takes a level of skill and understanding around what this unfolding computing superpower could do.
The same can be said of AI and the most recent revelations regarding Claude Mythos. Cyber practitioners need to be more aware and tech-savvy regarding not only these new technologies but also the pace of the changing world.
There is also a risk that, as we are talking about specialists and skills, there may also be a growth in shortage of cyber-experienced people as organisations and industry need to expand their cyber security capabilities. Engineers are in short supply now, particularly within the Operational Technology [OT] areas, and I do not see that gap shortening in the near future. Experience will count more than academic exams and accreditations as it is the understanding of the context of threats to the organisation and how to prioritise action that will count.
Finally, automation and the advances in AI will continue to increase, and this will change the landscape of roles and responsibilities, especially at the entry level. This feeds into my previous thoughts around talent and building diverse teams, as the bar will become higher. This could place more stress on an already partially burned-out profession. Many cyber practitioners have been operating at a heightened level of focus and productivity for many years already, and there is fatigue. These changes and the fast-moving threat environment will mean that even greater emphasis is required on ensuring that there are good career pathways and that mental stress is reduced.
Want to talk talent?
Whether you are looking to grow your in-house cyber capability or need specialist support across engineering and OT, speak to the teams at InfoSec People and Matchtech.
InfoSec People is a UK based boutique cyber and technology recruitment consultancy, built by genuine experts. Whether you’re a cyber security professional looking for a new opportunity or a business looking to build your security team, we are here to help. Contact us as our experienced recruiters are passionate about cyber security and are committed to providing exceptional service.
Call us directly on 01242 507 100 to discuss opportunities or email info@infosecpeople.co.uk.