Meet the expert: Tim Burnett to speak at PrivSec London

Live at Park Plaza, Riverbank in London on February 28 and March 1, PrivSec London gives global audiences the chance to learn more about Trust, Digital Transformation, Ethics, Data Protection, Privacy, Security and much more. 

The event will also provide a unique opportunity for industry professionals to network with peers and develop business relationships.

Tim Burnett is Head of Cyber Security and Compliance at Science & Technology Facilities Council. He has over 20 years’ experience in Information Security and Data Protection consultancy and technology services across a wide range of private- and public-sector organisations.

Tim will appear exclusively at PrivSec London to discuss ethics within Security and how Cyber Security must be at the heart of ESG initiatives.

We caught up with Tim for more on his professional journey to date, and for an introduction to the themes on the table at his PrivSec London session.

Could you outline your career so far?

My career spans over three decades, of which the last 20 years or so has been in information security. 

I moved from being the “do it all” computer and network manager in a couple of firms, working on Windows 3 and Netware 3.12 and a smattering of Linux and HP-UX, and switching focus towards networks as a test engineer at 3Com, before becoming a field engineer working with WinNT Server and Cisco networks and firewalls (across the wide range of network protocols including IPX, DECnet, AppleTalk, and so on). 

I then moved to a role as a presales consultant at C&W working on Frame Relay and ATM services, as things started to move towards IP-based networks. I subsequently joined Atos Origin (as it was) as a network technical consultant from where I moved further into information security, going on to become the UK CISO, then to security consulting and helped to develop a consultancy practice.

After leaving Atos, I joined a holiday cottage firm, ostensibly to be Head of Security but which also included acting as DPO, a role which took up all of my time and I transitioned to focus no data protection, privacy and compliance. I took a brief career break and then was persuaded to join Costain as an Enterprise Security Architect in an attempt to set up a security consultancy, until they made a strategic decision that this was not a direction they wanted to go in. I am now an independent consultant focussed primarily on data protection, privacy and compliance.

Over this time, my focus has moved from technology to information security, then towards strategy and now more privacy and data protection. These are not mutually exclusive but they require a quite different approach.

Could you summarise why cybersecurity has to be considered in an ESG context?

Both ESG and security are people-related. Data flows, secure access to information, accuracy of information, and so on; none of these can be considered in isolation. Just as you can’t build business without considering ESG, so information security is not an optional item.

Governance models must consider information security, data protection, and may be aligned to compliance, certifications, etc. 

There are environmental benefits to be had: minimising the amount of data being processed reduces costs, power requirements, and the amount of equipment. Reducing the number of printed copies is a simple yet effective measure: less paper, and also less risk of sensitive information being left available to others.

What primary challenges do organisations face as they bid to integrate cybersecurity into ESG strategy?

1. Getting staff on board – any change can be complicated and rejected by staff
2. There’s simply too much to do! Resources and money are tight. If it can be avoided, it will be.
3. A lack of understanding of what is required; without a clear strategy and program of work this will be difficult.