Exclusive: Winning the cyber war

International Security Journal hears from Andy Watkin-Child, Founding Partner of the Augusta Group.

In August 1941, US President Franklin D. Roosevelt and the British Prime Minister, Winston Churchill met aboard the USS Augusta to sign an “Atlantic Charter”. This agreement was to outline their respective war aims for the Second World War and to outline a post-war international system. The Charter they drafted included eight “common principles” that the United States and Great Britain would be committed to supporting in the post-war world.

It was a significant moment in the Second World War and provided the inspiration to a group of cybersecurity experts from the UK and US, that have joined together and formed a cybersecurity team to collaborate in the spirit of the “Atlantic Charter”, signed on the USS Augusta. To address the cyber collaboration, knowledge sharing, advisory and skills gap that exists between the US, UK and EU for cybersecurity and cyber-risk management.

The Augusta Group was formed with the aim to re-imagine cybersecurity and cyber-risk management. To make a real difference re-setting the strategic intent of cybersecurity and cyber-risk from the boardroom to the shop floor and across the supply chain.

International Security Journal sat down with one of the Group’s Founders, Andy Watkin-Child to find out more about the services that the Augusta Group is offering.

Setting the standard for cybersecurity

With the severity, complexity and frequency of cyber-attacks around the world increasing at a rapid rate and the US moving quickly to legislate cybersecurity, both public and private entities are in need of advice on how to mitigate against these evolving threats and to comply with US cyber regulation. As Andy explains, this is where the Augusta Group can help: “Myself and three other professionals (Ted Dziekanowski, Brian McCarthy and Jason Spezzano) came together in early 2021 after we were all part of a US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) programme.

“We formed the Augusta Group because we all recognised that there was a need to develop cybersecurity strategy, governance and risk in a different way. Our involvement in the US DoD programme taught us a lot about how the US was planning on improving its cyber capabilities and we all felt that the plan they were putting in place could be improved on.”

In the eyes of Andy Watkin-Child, increased international collaboration and agreed cyber standards are required to protect against the cyber threat: “The US recently held a Quadrilateral Security meeting with Japan, India and Australia that included setting up a collaborative cyber agreement and to discuss common cyber standards. Vice President Harris recently called on global leaders to work together to counter cybersecurity threats and the US and UK already have a close working relationship on security collaboration.

“These sorts of agreements will be vital as there is an urgent need for international cybersecurity collaboration and common standards. Improving international cyber collaboration, supporting public and private sector organisations manage cybersecurity and cyber-risk and educating the board room. These are the main aims of the Augusta Group and therefore we are helping to bring people together to work on this.

“For example, we support UK trade associations to gain a better understanding of the new cyber regulations and legislation coming from the US, its impact on UK and EU businesses and how they should improve their cybersecurity and risk management practices. We have recently presented to both the All-Party Parliamentary Group on Cybersecurity with the DoD and the Group on AI, discussing US cyber standards and legislation to help educate UK legislators.”

It is clear that the US aims to drive and enforce positive change through cyber legislation and enforcement of existing cyber regulations to improve compliance with cyber standards, which, according to Andy, is set to have a significant impact on organisations all around the world: “The US is concerned about the amount of Intellectual Property (IP) theft and cyber-attacks on critical infrastructure in recent years. The US is now adopting a position on enforcing cyber regulation and the House of Representatives and Senate are working on a significant cyber legislative agenda in 2021. The US is starting to take the line that if an organisation wishes to do business with the US Government, they must consider their cybersecurity posture, comply with US cybersecurity standards or agree reciprocity. While this is someway off for all Federal Government, regulations such as DoD procurement regulation require cybersecurity compliance for contract awards.

“This is a very big change and may have a huge effect on businesses in the UK, Europe and the rest of the world. To provide an example of what that could mean for a business, if they deliver a US federal contract but do not comply with contractual cybersecurity standards, they could end up being investigated by the Department of Justice, which recently announced its intentions to pursue companies under the False Claims Act that fail to implement cybersecurity standards, and this is just the start. Both the House of Representatives and Senate have proposed cyber legislation in 2021 and the Securities and Exchange Commission is developing Cyber-risk Governance legislation (2021), with more legislation and regulations planned for 2022.”

Influencing the conversation

With so much change taking place so quickly, it is incredibly difficult for both public and private organisations to stay up to speed with their cybersecurity and risk management responsibilities. Andy explains how the Augusta Group can help: “The regulatory environment is changing rapidly but myself and the other Founders of the Augusta Group have vast experience in the cybersecurity arena. We have been fortunate enough to have some of our whitepapers presented to the Federal Government, for example. We are supporting the conversation around cyber-risk and beginning to influence thinking at a senior level.

“We have built a cybersecurity and risk advisory practice to support organisations who need to better understand what these new regulations are and most importantly, how it will impact them and what they need to do to comply. Our expertise is around regulatory compliance, implementing cyber-risk management standards and education. That means that we possess a lot of detailed knowledge which we can share with our partners.

“Finally, we offer bespoke training, unique to the specific requirements of organisations we work with. For example, we create and deliver training programmes for specialists or for senior executives. Having people in the boardroom who possess a deeper understanding of cybersecurity and cyber-risk is going to be crucial for all organisations moving forward. The Securities and Exchange Commission (SEC) are planning ‘Cyber risk governance’ legislation in 2021 that is likely to enforce public firms to oversee and manage cyber.”

To find out more about the Augusta Group and the services it provides, contact Andy Watkin-Child at [email protected] or please visit: www.augustagrp.com