Heightened security: Anthony Dickinson and Nigel Stanley
Businesses that want to survive in this economic landscape must build digital resilience, according to Anthony Dickinson and Nigel Stanley of 2MC – TÜV Rheinland.
When German certification, testing and technical service provider TÜV Rheinland Group (TÜV Rheinland) acquired 2MC in 2017, it brought the leading British Governance, Risk and Compliance (GRC) implementation and advisory company into a global family of like-minded risk and cybersecurity businesses.
"This enabled us to accelerate our learning as well as share our decade-plus knowledge and experience in this space with our siblings," explains Anthony Dickinson, 2MC’s Chief Revenue Officer. Anthony, who has an MBA from Henley Business School, had started with the business the year before the acquisition. He says he was attracted to the potential to be part of something new.
"At the time, TÜV Rheinland was investing and expanding its global risk management and cybersecurity footprint into the UK," he explains. "This came after building a strong capability in its home region in Germany, and the acquisition of TÜV Rheinland OpenSky in North America."
He became 2MC’s CRO in January 2020. Nigel Stanley, Anthony’s colleague in the executive suite and TÜV Rheinland’s Chief Technical Officer OT and Industrial Cybersecurity, was the figure charged with setting up the UK business.
"I’m a cybersecurity engineer and I saw the unique opportunity that TÜV had to bridge the gap between safety and cybersecurity," he comments when discussing why he joined the company in 2014. Nigel’s passion for operational technology (OT), which he explains is any ‘thing’ that is controlled or monitored by a computer, crosses sectors to encompass industries such as oil and gas, nuclear, transportation, rail and maritime. In TÜV Rheinland, he recognised a company strong in these areas as a leading safety, testing, inspection and certification company.
"There is a natural crossover into cybersecurity. In today’s world, you are no longer safe if you are not secure," he says. Which is where 2MC comes to the fore in the TÜV Rheinland stable of companies.
Founded in London in 2009, originally in partnership with RSA Archer (it remains the software platform’s principal UK consultancy today), 2MC hinges its USP on what it calls its "multi-platform, vendor-agnostic approach" to GRC and integrated risk management (IRM).
"2MC stands apart in the industry because of its track record and expertise in the successful implementation of complex IRM projects," Anthony explains. "We’re driven by a passion to help customers realise the full and considerable potential of an effective IRM transformation program."
As the world around us becomes increasingly complex, he adds that "insight into the myriad of interconnected risks continues to emerge as a competitive advantage" for businesses that do invest in it.
"Yet it’s way too easy to mess these projects up, and our job is to ensure customers don’t do that," Anthony continues. "The platforms are infinitely configurable and customisable, and there is often a strong natural tendency for businesses to try and bend the technology to the way things have always been done. This is further exacerbated when programs cut across functions and geographies, which is often the case."
2MC, however, has grown up with the IRM industry. "After the successful delivery of more than 600 projects, we’ve got a deep and embedded understanding of what makes sense when it comes to navigating the long list of trade-offs," Anthony says. "Few in the industry are better at what we do."
With the arrival of Industry 4.0, there’s no better partner to have by your side as the business world undergoes what Anthony describes as "its most profound and disruptive transformation yet, which is fundamentally changing the risk landscape". And helping clients navigate their way through it is his current area of focus.
"Most businesses continue to be managed in the same reductionist way for the past 100 years," he explains. "In the meantime, the world continues to become increasingly volatile, uncertain, complex and ambiguous. This has left traditional IRM and cybersecurity practices necessary, but by no means sufficient, and this is an issue of potentially disastrous proportions."
If the 2008 financial crisis wasn’t enough, Anthony says that the COVID-19 pandemic has highlighted the brittleness of "a century’s pursuit of efficiency over resilience".
"Evolution teaches us that it’s not the fittest that survive, but the most adaptable," he argues. "Efficient organisations are perfectly formed for the current environment but when that environment is disrupted, it can have unpredictable and catastrophic consequences for whole industries.
"We’re concentrating on the evolution of IRM and cybersecurity into an integrated whole that can enable organisations to build digital resilience. We believe that IRM programs are disconnected from what’s happening day to day in digital business environments and that cybersecurity – even the advanced facets – lacks the context to be meaningful, timely and actionable. It’s only by integrating the two and enabling them to provide feedback and insight into business in real time that digital resilience can be achieved."
"In my field of OT, the level of understanding and grasp of cybersecurity is arguably a few years behind those working in more conventional IT information security," says Nigel Stanley. "This is partly because the world of OT, Industry 4.0 and the Internet of Things is new and playing cybersecurity catch-up. Unfortunately, features and cost have trumped cybersecurity in many OT and IoT products – for example, the use of default passwords on the kit that don’t need to be changed when the product is commissioned. This has created an ecosystem of vulnerable OT and IoT kits.
"Cybersecurity is all about business risk. Initially, you can forget the techy stuff – we are there to support the business in their mission and need to be attuned to that requirement. Cybersecurity is more than boxes with flashing lights. Business risk is the big issue and some form of risk assessment or evaluation needs to be undertaken on a regular basis. This will massively inform an organisation’s cybersecurity spend and focus."
Nigel, whose area of expertise is OT security, adds that, as increasing numbers of hardware and systems become IP enabled and make use of off-the-shelf commodity hardware and software, their associated level of cyber risk has increased enormously.
"Hackers and bad actors have taken advantage of this and, over the past few years, there has been a rise in attacks against OT systems," he says.
"This is only set to rise and is a perfect storm fuelled by technical, geopolitical, commercial and safety factors. At TÜV Rheinland, we have combined this increased need for OT cybersecurity with the need to ensure systems are safe."
The company has built a new offering that addresses the importance of what Nigel originally called GRC for OT but has now renamed Continuous Adaptive Risk Monitoring (CARM).
"This is a very exciting innovation and provides our customers with a single platform to help them understand the business impact of OT cybersecurity risks on their production or operational plant," he says.
"The landscape is shifting, accelerated by recent events and we believe there is an urgent need for CARM," Anthony says. "Digital resilience will be key to surviving the increasingly volatile, uncertain, complex and ambiguous economic environment going forward."