In this Leaders of Tech interview, we speak to emerging leader Nicole Darabian, Senior Associate, International Policy (cyber & tech) at Ofcom, the independent regulator and competition authority for the UK communications industry. Nicole discusses trending cyber and tech policy issues, cultivating a culture of shared responsibility to tackle cyber security and sustainability in the ICT sector.
1. In your current role, you look at international cyber and tech policy. What are the top three cyber and tech policy issues on your radar for 2024?
I would not say these are only specific to 2024 but they have been gaining more traction, in my opinion!
- Supply chain security - Admittedly, supply chain security has been a trend ever since SolarWinds put a spotlight on the security risks presented by vendors, part of an organisation’s systems and infrastructure, and the spiral effect one vulnerability can have. I have seen an evolution in how governments and industry are talking a lot more about the need to effectively manage cyber security risks of their supply chains. There is now more guidance and good practices that organisations can and should implement to have more oversight over who and what are part of their supply chains and the need to increase scrutiny.
- Artificial Intelligence (AI) - Cliché, I know, but I cannot not bring up AI. We are already seeing concerns that Generative AI is increasing the level of sophistication of phishing attacks. However, I would emphasise that AI should also be seen as an opportunity to increase cyber resilience in organisations. For example, it can be used to help monitor for abnormal activities, detect and address issues more efficiently and help identify potential vulnerabilities – I don’t think we talk enough about the opportunities.
- Technical standards - Standardisation efforts related to cyber security in technologies such as AI and quantum communications are taking place across different standards development organisations. Increasingly, technical standards are being referenced as a preferred or must-have for regulatory compliance, so being able to follow and understand, at a high level, the standards being proposed and how they link with policy objectives, is important.
2. You won the 2023 International Institute of Communications (IIC)’s Future Leaders Competition with your essay "Cyber security on the Edge?", which argued there is no silver bullet solution for cyber security. What initiatives do you propose for governments and industry to minimise the risk of cyber incidents?
I work at a regulator so you won’t be surprised to hear that regulation is part of my answer! Setting the expectations in terms of what level of cyber security organisations should meet and ensuring these are met is a responsibility I believe policymakers and regulators have. If we bring up the collective security then there is less chance of a weak link. After the wealth of legislative and regulatory proposals we have witnessed over the last few years, a lot of the focus going forward will be on regulatory compliance and whether or not these efforts meet the desired outcome.
In my essay I also give examples of how industry, and more specifically manufacturers and developers of software products, are usually best placed to remediate security flaws identified in their systems and devices. No system will be immune from vulnerabilities but identifying and fixing them are crucial to preventing these from being exploited by malicious actors. For instance, Coordinated Vulnerability Disclosures (CVD) programs are initiatives that help companies improve the security of technologies overall.
3. Your essay also emphasised the importance of cultivating a shared responsibility to address cyber security. What does this mean and how can organisations foster this within their teams?
In my essay I considered the roles different players – such as government, industry and consumers – have in making steps towards improving levels of cyber security. These are, organisationally or individually speaking, in all aspects of our lives. My essay touches on some (far from all!) of the measures we should consider. It starts with the recognition that not one person is responsible for cyber security. For instance, in an organisation, cyber security is not just the responsibility of the Chief Technology Officer or the Information and Communications Technology (ICT) team, but the responsibility of everyone. I believe we are seeing a lot more awareness – and action – in this respect. Organisations are being more proactive in educating colleagues about the types of incidents we could be victim to, and simple steps to prevent them. Some organisations are now requiring all employees to have cyber security hygiene training or to elevate cyber security plans at the board level. In fact, it is even becoming a regulatory requirement in some sectors and countries!
4. You contribute to Ofcom’s climate change project, which looks at how communications regulators around the world are considering environmental matters. What do you believe should be the top priority for the communications sector in tackling climate change?
The literature on this estimates that the ICT sector’s carbon emissions are between 1.5 and 5% of overall emissions, which is far behind other sectors such as farming and transportation. That said, in the ever-growing search for ubiquitous connectivity, it is not unreasonable to consider these figures will only grow. I see many communications providers already tracking their emissions and reporting on it, whilst making commitments to net zero targets. I don’t think the solution lies in decreasing our use of technologies (though we could all use less screen time!) but in developing technologies that would bring more environmental efficiencies to the sector. In addition, and mindful that the biggest contributors in the sector are actually our devices, I believe we could do more to improve e-waste (electronic waste recycling) policies and promote a circular economy to help reduce the carbon footprint of producing and disposing of devices – just consider for a second how many of those you have at home! Overall, I think the sector is already taking steps to tackle climate change but more can be done – coincidentally sustainability is the topic of this year’s IIC’s competition.
5. What advice do you have for young people seeking to establish a career for themselves in the cyber and tech policy sector?
I don’t think there is a set formula. In my case, I decided to do a Master of Science degree that allowed me to switch paths. I would highlight the need to take initiative and reach out to individuals that work and specialise in the sector and you can find some commonality with. Whether it’s through an existing connection or someone who took a similar academic path then veered into the cyber and tech sector, being able to hear from those in the sector and understand the types of issues on top of their agenda but also where opportunities are or might come up! Also, being able to find blogs, publications or competitions like the IIC to share your critical thinking and start building your “voice” and show your passion is also something I would recommend.
The views expressed are the interviewee’s own.