Posts by: Julia Wailes-Fairbairn

UK research highlights the lack of Chief Data Officers at C-suite level

Research by the data science and marketing services company Profusion has revealed that UK businesses are falling behind their European counterparts. The report highlights the lack of Chief Data Officers at board level at a time when GDPR, Brexit and the new Open Banking standards (due to come into effect in January 2018) should be top of the corporate agenda.

The Chief Data Officer: Today, Tomorrow, Always? report analyses the role of the Chief Data Officer, finding that only 2 per cent of FTSE100 companies has elevated this position to senior level. This is in spite of the fact that research from global marketing intelligence firm IDC reveals that 77 per cent of FTSE100 company executives consider data and analytics to be the most important technology trend of the next three years.

So why is this the case? At a time when UK businesses need to put effective organisational structures in place to maximise the benefits of ‘datafication’ while ensuring that all regulatory, legal and security procedures are in place, why are the big corporates not acting? Of course, they are not alone; the dearth of board level data officers extends into all businesses, from public sector organisations to SMEs.

One of the key issues is recruitment. There are few individuals with the right skill set required for this challenging role. A Chief Data Officer needs to combine a degree of technical skill with a highly tuned commercial agenda. He or she is required to communicate with authority with their board level peers, putting forward innovative strategies for developing the benefits of properly managed data to create new revenue streams. They must drive business efficiencies while enhancing customer relationships and improving company performance and growth. Add to the lengthy job description the need to ensure the security of all data in line with all regulatory and legal requirements. No wonder there are so few about.

With such a tall order, it is not surprising that there is an increasing trend toward organisations looking to external partners to provide resource and support for specific aspects of the role. In this way they are able to supplement the wider experience of the individual with specific expertise. The role of Chief Information Security Officer (CISO) is an aspect of the CDO role; they are often one in the same person. Providing CISO support, or even fulfilling the CISO role in entirety, is a way to enhance the CDO’s role, while also allowing him or her to focus on the wider picture.

SRM has extensive experience of providing CISO support for businesses of all scales. Our service is entirely bespoke, delivering as much or as little as is required. From board level engagement to scoping and conducting penetration tests. From Red Team engagement which provides a hacker’s eye view of an organisations’ frailties to GDPR compliance. For smaller businesses we can provide a Virtual CISO (vCISO) with access to our specialist team whenever needed.

Given the fact that GDPR is yet to be enacted and some of the fine detail is still being confirmed, SRM’s GDPR expertise adds particular value to the CDO’s role. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance or take on the full Data Protection Officer (DPO) role.

For a no obligation conversation about SRM’s CISO, vCISO and GDPR contact Mark Nordstrom.

Learn more

GDPR – The General Data Protection Regulation


Related blogs

After GDPR, what will happen to ICO notification fees?

How US internet giants are tackling the issue of GDPR compliance

Time running out for GDPR compliance

What does GDPR mean to SMEs?

VirtualCISO: the philosophy of product development

How a CISO can exert influence at board level


Yes, someone actually said that to me in an interview!

SRM’s GDPR specialist Melanie Taylor explains some of the challenges faced by women trying to get into the world of IT

‘I don’t understand why a woman with a family would want to work in IT’…

Is just one of the things an IT Solutions company in Catterick said to me during an interview.

To start at the beginning! In August 2012 I had an operation to fuse 2 of my vertebrae in my lower back and insert some ‘scaffolding’ to support the once above due to collapsed discs. I knew the operation was coming and had decided that once I could go back to work it would be in IT. I was not going to settle for less, having always enjoyed dabbling in IT and taking PCs, Xboxes and mobile phones apart to fix or clean them it seemed like a logical choice. Getting into Information Security was the ultimate goal but I needed to start with IT in general.

“An apprenticeship! that’s what I’ll do” I told my husband. So I started to apply for any IT apprenticeships I could find, sometimes 5-10 per week and then….. Nothing! Nothing at all. Not even a ‘sorry this place was filled’. I kept going and did, now and again, receive a reply, TOO OLD! You see I was 34. When a company wants an apprentice they want a young one so that they will be fully funded. I still kept going. Applying and chasing with telephone calls. Too old.

But then finally, an interview!

It was for a Network Technician Apprentice role for an IT solutions company in Catterick. I was currently living in Bishop Auckland and was more than happy to travel 25 miles to work each day.

On the day of the interview, I was extremely nervous and also excited at the possibility, this could be it…. The beginning. I arrived in plenty of time and smartly dressed with a little makeup on and hair done, anxious to meet with my interviewers.

Now I can tell you that when someone walks into the room, sees you, and their face drops, you do not get a good feeling, that sinking feeling. That feeling of dread. I was asked to have a seat and was made a cup of coffee. The interview started in an unstructured way and I remember being asked why I wanted the role. “Since leaving school I have wanted to get into IT but just didn’t know how back then. I have had a few years away from work due to a back injury but am now able to work again and decided to go for my career of choice” I said some other stuff and waited for a response. Awkward silence. Then one of the men said, “I just can’t understand why a woman with a family would want a job like this, it gets cold in server rooms you know”. I said I would wear a coat if I was cold. This seemed to be the theme of the interview and I was enlightened with some interesting statistics about how many women worked in IT or rather didn’t work in IT. On the plus side, I was told that the clients would love me although I’m not entirely sure that it was meant as a compliment. Near the end, I was asked if I would not rather take a position in admin! As a last attempt to convince these people (clutching at straws) I blurted out that having my hair done and wearing makeup was not me and I really wanted this opportunity. After I left it didn’t take long for the recruiter to ring to break the news to me, I was not experienced or knowledgeable enough for the position and the learning curve would be too steep, an interesting point considering that the interviewers had already told me that the role needed no experience being an apprentice role and that the last apprentice they had was completely starting from scratch with their knowledge and experience.

Desperately wanting to prove myself I emailed one of the directors that interviewed me and offered to do voluntary work so that they could see my work ethic and how quickly I would pick things up. Nothing! Not a thing back.

I was absolutely determined to keep going, everything happens for a reason right? and looking back at the interview I was beginning to think that maybe it was not the best place to work, for a woman anyway.

Thank you! Thank you so much for not taking me on! I would not be where I am today if you had.

After around 8 months of applying, I had an interview with Newcastle College which was successful and my journey began, but that is another story.

The point of telling you this is to say never give up on your dream career and never stop searching for your perfect employer. You’ll know when you get there and you may not stay forever but it’ll be right at the time.

I am so lucky to have found a company that not only let me fly, they give me wind beneath my wings. Thank you SRM!

Learn more

GDPR – The General Data Protection Regulation

How US internet giants are tackling the issue of GDPR compliance

Time running out for GDPR compliance

What does GDPR mean to SMEs?


After GDPR, what will happen to ICO notification fees?

When the General Data Protection Regulation (GDPR) comes into effect in May next year it will not require organisations to notify the ICO about what data they hold or to pay notification fees. However, little will change in reality. A provision in the new Digital Economy Act 2017, which addresses policy issues relating to electronic communications infrastructure and services, means that notification and fees to the ICO will still be a legal requirement for data controllers after GDPR is enacted. What is more, the fees themselves are likely to increase.

Under the current Data Protection Act (DPA), organisations which process personal information must, as data controllers, notify the ICO about what personal data they collect and what they do with it (unless an exemption applies). They are also required to pay the ICO a notification fee. This is either £35 or £500, depending on size.  These fees are currently used to fund most of the ICO’s work.

The Digital Economy Act 2017 paves the way for a new funding system for the ICO with the new model going live on 1 April 2018. As is currently the case, notification fees will be used to fund the ICO’s data protection work and any money the ICO receives in fines will be passed directly back to the Government.

What is still unknown is exactly what these fees will be, although we now have a clear indication of what is being considered. An update from the ICO on 31st October, confirms the range of fees which are currently being considered in consultation with the Department for Digital, Culture, Media and Sport. The draft proposal is for a three tier system, differentiating between small and big organisations and also how much personal data an organisation is processing. The aim is to keep the system as simple as possible, so that organisations will easily be able to categorise themselves.

  • Tier 1: small and medium sized firms that do not process large volumes of data. Applies to those with a staff headcount of less than 250, turnover below £50m a year and fewer than 10,000 records processed. Annual fee up to £55.
  • Tier 2: small and medium sized firms that process large volumes of data. Applies to those with a staff headcount of less than 250, turnover below £50m a year and more than 10,000 records processed. Annual fee up to £80.
  • Tier 3: large firms. Applies to those with a staff headcount of more than 250 and turnover of more than £50m a year. Annual fee up to £1,000.
  • Direct marketing top up: applies to organisations that carry out electronic marketing activities as part of their business. Top up fee £20.

Once approved by parliament, the ICO has undertaken to communicate the new fees to data controllers. In the meantime, organisations should continue to renew their notification as usual. It remains a criminal offence not to notify if an organisation is required to. Those who pay an annual notification fee will only need to pay the new fee once their existing notification, under the old model, expires. It is also expected that the exemptions will still operate and these are expected to be similar to those under the current regime.

Learn more

GDPR – The General Data Protection Regulation

How US internet giants are tackling the issue of GDPR compliance

Time running out for GDPR compliance

What does GDPR mean to SMEs?


eDiscovery: the issues facing law firms and solicitors

by Alan Batey

Information Security Consultant and Forensic Investigator

In today’s world, evidence in legal cases is sourced from the vast quantities of Electronically Stored Information (ESI) that exists across a range of platforms and devices. Acting on behalf of clients, large law firms may have access to eDiscovery platforms to sift, sort, redact and reduce the amount of data that is made available, keeping only those files with relevance to the case in a legally recognised format which preserves the integrity of the data and stands the ultimate test of court acceptance. Smaller firms may not have operated an eDiscovery platform, considering it too expensive or shying away from the complex technology. This is not altogether surprising.

ESI comes from a number of sources; from emails, texts, voicemails messages, word-processed documents and databases, including documents stored on portable devices such as memory sticks and mobile phones. In totality it includes an unfeasibly large and complex volume of files. SRM was recently involved in an eDiscovery case where the original ESI involved 1.2TB of data which, in this particular instance, was reduced to 160GB. Although hundreds of gigabytes is more usual, this is still more data than can effectively be processed in a legally acceptable manner without the use of sophisticated management and tools.

Yet many who engage with eDiscovery Platforms find the process is unsatisfactory. They may require assistance with the forensic discovery of electronic documents or need more support in managing the information security risks surrounding the placing of confidential information on a Cloud or server based platform. They may feel their technology partner is unsupportive or that the cost of the exercise lacks transparency. Ultimately, some are worried about the security issues of releasing sensitive information to a third party.

eDiscovery  projects require extremely high levels of skill, technical expertise and diligence. At SRM we work in conjunction with the legal team to advise and execute the eDiscovery requirement for their client. We define each stage and advise on the ongoing process and progress giving a full breakdown of costs for each stage. Our service is at the cutting edge of eDiscovery technology, saving the clients time and money while achieving best results. We also work effectively and strategically to ensure that disruption to the client’s business is minimal.

When such large volumes of data are made available to a third party, trust is crucial. Our eDiscovery  team includes individuals who have worked with the police, MOD and FTSE100 companies. We are the leading PCI Forensic Investigation company in the UK and cyber security supplier to HM Government.

SRM provides a range of highly professional cost-effective solutions, suitable for all sizes of law firms. From the provision of a low cost ‘E-Discovery Lite’ package to the involvement of Expert Witness Forensic Consultants or the use of a Virtual Chief Information Security Officer VCISOtm.

PCI SSC Europe Community Meeting: free one to one meetings with PCI DSS industry thought leaders

Delegates at the PCI SSC Europe Community Meeting in Barcelona this week will have a lot on their minds. Changes to compliance, the security of customer payment card data, issues concerning the Cloud and the ever-present threat presented by hackers and cyber criminals will have brought the industry together to share in a range of seminars and talks which will help to address these issues.

The agenda is diverse ranging from the keynote presentation by the PCI Security Standards Senior Team on Wednesday to an outline of the security road map for the next generation of payments; from the Miracle on the Hudson to the weaknesses in IoT. So why, with all this information readily available, and so many people offering advice, should you spare half an hour to talk to the guys from Security Risk Management (SRM)?

The short answer is this: people. Yes, we are the leading PCI Forensic Investigation company in the UK and cyber security supplier to HM Government. Yes, our team boasts some of the most highly qualified professionals within the world of information security and, yes, our clients range from enterprises and government departments to SMEs and the third sector so we understand all sizes and types of organisation. But when it comes to working with your business, it is the individuals who really make the difference.

Paul Brennecker has been with SRM since 2008. Formerly he was PCI Compliance Manager with Barclaycard and successfully drove the compliance programme forward, working with both VISA and Mastercard in the process. With many years’ experience and a host of high level qualifications (including QSA), Paul is widely recognised as a PCI DSS compliance thought leader, regularly speaking at events. Known for his approachable manner and depth of knowledge, he has a particular skillset in conducting pre-compliance scoping and de-scoping exercises, conducting gap analysis assessments, creating remediation plans and assisting with intrusion detection and prevention systems. Paul is available at the Barcelona event for free one to one consultations.

James Hopper is SRM’s Operations Director, having worked previously within the worlds of consultancy and local government service improvement, delivering significant Transformation Programmes. He also has experience in consultancy, operations and innovation with a large FTSE 100 outsourcing company and a large NHS organisation. James brings this vast strategic experience to the process of company-wide information security solutions. At SRM he ensures that our service is constantly evolving to deliver first class service to a range of clients across many sectors. With a reputation as a clear-thinking no-nonsense problem-solver, James can cut through to what is specifically required so that top level compliance can be achieved in a cost-effective manner. James is also available at the Barcelona event for free one to one consultations.

James and Paul are interested in meeting those involved with PCI DSS compliance programmes. They also have a thorough knowledge of the whole information security sector and can advise on other issues as part of a company-wide strategy. But they are only two people from a highly skilled, experienced team and, where necessary, they can put you in touch with someone with a specific expertise.

Established in 2002, SRM has a proven track record in the industry. As a company it continues to grow in excess of industry norms. It is structured to respond to the continual changes within the world of information security and to ensure that its innovative service offerings evolve to better suit the needs of existing and future clients.

To book your free consultation simply email or

To find out more about us, visit or to read our blog visit

SRM Blog

SRM Blog