Artificial Intelligence Replacing Human Jobs

The challenges of AI in the public sector

Artificial Intelligence (AI) is a growing topic of interest within the public sector. Government entities are showing increasing interest in using the capabilities that AI brings to improve efficiency and deliver policy in volatile environments. At the forefront of these reforms are the healthcare sector and law enforcement organisations, where enhancing operational speed and reducing cases of human error are vital. Despite this, collaboration between public, private and non-profit entities can bring complexities in AI delivery as opposing values and management strategies overlap.


The NHS is primarily interested in digital technologies to empower patients to actively participate in their own care. Its strategy emphasizes three key areas to direct its incorporation:
• Utilizing new tools to interpret patient data and deliver personalised self-management and self-care treatment strategies;
• The adoption of technology which gives more time for care and enhances the patient-clinician relationship;
• Treatment based on robust research evidence which aligns purpose with an ethical governance framework that patients, public and staff can trust.

An organisation may face significant barriers in AI adoption. Dedicated resources are required in order to develop machine-learning tools and train the workforce in their use. Possibly one of the biggest concerns affecting AI implementation is the protection of sensitive health data. Bespoke applications will be needed to handle complex patient data, alongside approval mechanisms to properly authorise its use by other healthcare providers, patients and regulators.

Confidence in this matter was already shaken last year when the NHS experienced a data breach involving the medical data of 150,000 patients. The software developer TPP was blamed for a coding error found within its SystmOne application¹. Whilst a national data opt-out programme was introduced to stop all patient data being used in research, these instances have had a detrimental effect on patient trust. The NHS must prioritise patient confidence in AI, adopting data handling and security principles, to ensure a positive transition to machine-learning tools.

Another issue is the impact that AI-driven diagnostic and treatment software has on doctor and patient relationships. Growing reliance on systems with a greater degree of direct-to-patient advice has led to fears that public trust in clinician advice may be diminishing. It has raised the question whether practitioners should inform patients on the technical design behind these applications. Without clarity over how treatment recommendations are made, patients are left to interpret automated results without the benefits of a consultation. Combined, these factors could pose ethical challenges over the accuracy of AI that leaves patients less confident on their appropriate treatment options.

Law Enforcement

AI has also had an influence on law enforcement as predictive policing continues to develop its processes². The term originated with California’s police chief William Bratton, a strong advocate of data-driven policing³. Analytical tools have been adopted by these institutions to forecast when and where crimes will take place, in an attempt to optimise scarce resources. These include strategies such as:
• Predictive crime mapping to target efforts based on crime type, location, expected date and time;
• Forecasted risk assessments to identify priority individuals at risk of reoffending or engaging in serious crime.

Concerns have been raised over the use of algorithms for criminal justice purposes as there is potential for unintended or indirect consequences. An example is the stratification of data such as age, race, postcode or socio-economic group, which has led to cases of discrimination. Analysis of over 7,000 arrestees by the investigative journalists ProPublica argued that there was a systematic bias against black defendants in an offender management algorithmic risk score tool. This can be caused by algorithms that use data sets which have either been incorrectly recorded or been influenced by their owners’ cultural bias. Avoiding these inaccuracies requires a framework that outlines data gathering and verification policies.

Insufficient data may also lead to discrimination, as prediction accuracy is only as strong as the amount of data available. Larger data sets are available for the most commonly recorded crimes, such as theft and violence, enabling more accurate forecasting. Concealed offences such as sexual assault, fraud and cybercrime are more difficult to predict as the data collection process is far more complex and resource intensive. This poses a challenge for predictive policing tools, as algorithms will have to decide when under-represented crimes are likely to occur based on a smaller range of data.
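The two concerns above (biased outcomes across groups, and rates estimated from too little data) can be checked on a tool's outputs before it is trusted. The following is an added example, not from the original article or from Regency: it computes per-group false positive and false negative rates for a binary risk score and flags groups that diverge from a reference group, while refusing to compare groups with too few records. The record format, the group labels, the threshold values and the sample data are all constructed for illustration.

```python
"""Group error-rate disparity check for a binary risk-score tool.

Added illustration, not part of the original article. Records are
constructed: (protected group, observed reoffence 0/1, tool predicted
high risk 0/1). Nothing here is real arrest data.
"""
from collections import defaultdict

SAMPLE_RECORDS = [
    ("A", 0, 1), ("A", 0, 1), ("A", 0, 0), ("A", 1, 1),
    ("A", 1, 1), ("A", 1, 0), ("A", 0, 1), ("A", 0, 0),
    ("B", 0, 0), ("B", 0, 0), ("B", 0, 1), ("B", 1, 0),
    ("B", 1, 1), ("B", 1, 0), ("B", 0, 0), ("B", 1, 0),
    ("C", 0, 1), ("C", 1, 1),   # deliberately tiny group
]


def _rate(num, den):
    """Return num/den, or None when the denominator is zero."""
    return None if den == 0 else num / den


def group_error_rates(records):
    """Per-group record count, false positive rate and false negative rate."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "tn": 0, "fn": 0})
    for group, actual, predicted in records:
        if predicted and actual:
            counts[group]["tp"] += 1
        elif predicted and not actual:
            counts[group]["fp"] += 1
        elif not predicted and actual:
            counts[group]["fn"] += 1
        else:
            counts[group]["tn"] += 1
    rates = {}
    for group, c in counts.items():
        rates[group] = {
            "n": sum(c.values()),
            # FPR: share of people who did not reoffend but were flagged high risk
            "fpr": _rate(c["fp"], c["fp"] + c["tn"]),
            # FNR: share of people who did reoffend but were not flagged
            "fnr": _rate(c["fn"], c["fn"] + c["tp"]),
        }
    return rates


def disparity_report(rates, reference, min_support=5, tolerance=0.2):
    """Flag groups whose error rates diverge from the reference group.

    Groups with fewer than min_support records are reported as having
    insufficient data rather than compared, because a rate estimated from a
    handful of records says little (the under-represented-crime problem in
    miniature). min_support and tolerance are illustrative values.
    """
    report = {}
    ref = rates[reference]
    for group, r in rates.items():
        flags = []
        if r["n"] < min_support:
            flags.append("insufficient_data")
        elif group != reference:
            for metric in ("fpr", "fnr"):
                if r[metric] is None or ref[metric] is None:
                    flags.append(f"{metric}_undefined")
                elif abs(r[metric] - ref[metric]) > tolerance:
                    flags.append(metric)
        report[group] = flags
    return report


if __name__ == "__main__":
    rates = group_error_rates(SAMPLE_RECORDS)
    for group, r in sorted(rates.items()):
        print(group, r)
    print(disparity_report(rates, reference="B"))
```

On the constructed sample, group A is flagged on both error rates relative to group B, and group C is reported as having insufficient data rather than being scored at all. A real verification policy would fix the reference group, the minimum support and the tolerance in advance, so that the check cannot be tuned after the fact to make a tool look acceptable.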

Furthermore, establishing accountability is another problem, as there is uncertainty over who is responsible for algorithms when mistakes are made. False predictions can cause several legal challenges for law enforcement where individuals are wrongly detained and accused. Whilst officers may take actions based on the guidance of analytical tools, misconfiguration or faults can be seen as the responsibility of designers, manufacturers and operators. The original developer of an algorithmic tool may not be involved in its subsequent implementation, which can leave the installation to those with only limited exposure to it. Organisations need to establish a policy framework that defines the responsibilities and procedures to be followed when faults are discovered in AI tools.

Our Recommendation

Regency recommends that organisations should consider incorporating policies and procedures on the handling of data associated with the use of AI tools. We can provide consultancy support to help your organisation establish:
• Security and data handling principles to preserve information continuity;
• Data verification and collection practices to reduce the occurrence of bias and inaccuracies;
• An organisational framework to outline individual responsibilities and points of contact.

For more information please contact

¹ BBC, NHS data breach affects 150,000 patients in England, 2 July 2018. 
² Andrew G. Ferguson, ‘Policing Predictive Policing’, Washington University Law Review, 94, no.5, 2017.
³ Janet Chan and Lyria Bennet Moses, ‘Can “Big Data” Analytics Predict Policing Practice?’, in Stacey Hannem, Carrie B. Sanders, Christopher J. Schneider, Aaron Doyle and Tony Christensen (eds), Security and Risk Technologies in Criminal Justice: Critical Perspectives (Toronto: Canadian Scholars, 2019).

Nine consecutive years – Regency maintains ISO 27001 certification

We’re pleased to announce that our 2019 ISO/IEC 27001:2013 Surveillance Audit was, again, a resounding success. It was another example of a zero-nonconformity audit and the result is testament to excellent business balanced with first class information security throughout the company. This was our ninth consecutive successful audit by the British Standards Institution (BSI), owner of the Kitemark service quality trademark and a UKAS-accredited certification body.

For more than 13 years, it’s been Regency’s business to advise and help our customers in achieving certifications/accreditations against Information Security and Assurance Standards in both public and private sectors, and as such we see it as imperative that we act in a manner that echoes our advice.

The last few months in the Regency calendar have been very busy with the move from our offices in Cheltenham, to take up our new residence on site with our parent company Airbus in Newport. The move has tested our change and project management, our business resilience and our formal arrangements with suppliers. Our physical and environmental security has been transformed, and so it has been a timely opportunity to review our information security posture more generally. With the move complete, we were ready and eager to undergo the surveillance audit which examined our entire scope. Although we anticipated a positive result we welcome the independent assurance given by the external auditor.

GDPR (the European General Data Protection Regulation), closely tied with the UK Data Protection Act 2018, was in focus in this year’s audit (ISO 27001 requires the organisation to comply with all relevant legislative requirements), but as an information security consultancy we’ve taken additional steps to validate our knowledge by qualifying our ISO 27001 Lead Auditors as certified GDPR practitioners. Their knowledge has been and will continue to be indispensable for our own data protection compliance requirements and for our continued ISO 27001 certification.

For our Customers:

ISO/IEC 27001:2013
We can help you to unravel ISO 27001. If you’d like to embark on a brand-new ISO 27001 certification journey – we’ve done this ourselves, and we’ve done it for clients – we can help you too. Perhaps you already hold certification but you’re about to undergo organisational change – we can help you to prepare, perhaps project manage the change, but ultimately ensure that your ISO 27001 requirements are stabilised before, throughout and after the change. Perhaps, as an organisation, you just dread annual audits as you know certification continuation is far from guaranteed – in this position you need a friendly consultant with a fresh pair of eyes and audit experience to provide expert but pragmatic steerage.

GDPR & DPA 2018
The same applies for compliance with GDPR and DPA 2018. We know that many organisations see GDPR, in its current and largely untested state, as a minefield. With the exception of fines for not paying the data protection fee, there have been no civil monetary penalties in the UK against DPA 2018 / GDPR since its introduction in May 2018. Penalties awarded since May 2018 have been in relation to legacy DPA 1998 investigations only. However, we are led to believe that we will start to see the first DPA 2018 / GDPR penalties very soon. We know that CEOs throughout Europe are scanning their GDPR supervisory authority newsletters to learn of the latest penalties, to find out how organisations in similar sectors may be infringing and to what extent they are being fined. We can help you to comply, or simply give you assurance through audit that you are complying, ultimately taking the confusion and worry out of the GDPR minefield.

If you would like to explore how Regency can help your organisation, please contact us on our office number 01242 225699 or email

Who is really responsible for the Information Security Management System (ISMS)?

A Common Problem

We often find organisations where the Information Security team believe the next external audit could mean the demise of the ISMS. They know that the necessary stipulations have not been fulfilled during the last 12 months or longer. They also know that this is likely to be due to disjointedness within the organisation and, ultimately, a lack of clear leadership. They have struggled to persuade colleagues to comply with the requirements of the ISMS. They see the threat of discontinued ISO certification from the Certifying Authority as the only way to change attitudes, especially at the top of the organisation.

The International Organization for Standardization (ISO) suggests that in some businesses “leadership from the business owner”¹ is required. However, this is slightly confused in vocabulary standards such as ISO 9000 and ISO/IEC 27000, where the following language is used: “If the scope of the management system covers only part of an organization, then top management refers to those who direct and control that part of the organization”.²

Many organisations prefer to start on the ISMS journey by limiting the scope to the organisation’s Information Technology / Information Management. Taking such a literal approach from the guidance, however, can lead to a scenario where business owners (CEOs / MDs) believe they are absolved of their responsibility for the ISMS as they come to believe the management system is in safe hands under IT/IM management.

There is a simple test in this scenario to establish if the ISMS is in the right hands. Imagine the IT Director approves a technical process that involves taking down operational systems during normal business hours. If there is somebody else in the organisation who can overrule the IT Director and prevent the process from taking place, then the ISMS is in the wrong hands.

This scenario is likely to lead to further undesirable consequences:

  • The IT Director’s information security leadership will be brought into question and may even be considered weak;
  • The external auditor will record their concerns around leadership as part of the audit, and will likely instigate further investigations;
  • Any negligence in the area of leadership would normally be reported as a Major Non-conformity as it represents a major stipulation within the Standard.

A Better Approach

We recommend establishing board-level ‘accountability’ for the ISMS. ‘Responsibility’ for its management may be delegated, but accountability must rest with those at the top of the organisation.

Most ISO management systems (certainly all those which follow Annex SL: 9001, 14001 and 27001) have a stipulation for Management Reviews. We recommend that Management Review meetings are held regularly (e.g. twice a year) and include board-level representation. Board members will be in the best position to report on any changes in external and internal strategic matters that could be relevant to the ISMS. They will need to be made aware of the organisation’s information security performance, and may themselves bring feedback on it to the meeting. They will need to be informed of information security nonconformities and the results from monitoring, measurement and audit activities. They may know why the nonconformities have come about, or they may be in the best position to propose the most effective corrective actions.

Policy for the ISMS needs to be written (signed off) by the head of the business in full knowledge of the requirements of the business, but with observance of all information security risks and mitigation options. The CEO/MD will be forgiven for not being the most IT-aware member of the business, but this doesn’t mean they cannot be counselled, where necessary, by the organisation’s IT experts. Contrary to popular belief the ISMS is not all about IT, it’s about leadership with an information security flavour.

In conclusion, the ISMS should be overseen by organisational leadership who know the organisation’s strategy, are aware (or can be made aware by their experts) of the ever-changing risks to the ISMS and the risk mitigation options, and should be the ones setting policy, based on the strategy, in balance of those risks.

How Regency Can Help

Regency ISO/IEC 27001 Lead Auditor consultants have a long track record in helping customers meet and maintain ISO/IEC 27001 requirements both in the UK and abroad. From initial assessment, through designing a pragmatic and effective ISMS, to audit support and ISMS maintenance, we provide a low-risk approach to achieving and maintaining ISO/IEC 27001 certification.

We won’t leave you with a library of standard templates that need experts to decipher. We will be with you every step of the way, including during your Certification Audit, confirming our support meets with the expectations of the Certifying Authority. We’ll be there to get you over the initial line but will be on hand for guidance, if you need us, in the months and years to follow as your ISMS matures.

If you would like to explore how Regency can help your organisation, please contact us on our office number 01242 225699 or email

¹ Source:
² Source: ISO/IEC 27000:2018

Regency helps the Wanderers Keep Warm this Winter

Regency are delighted to have been asked to provide support to the FC Highnam Youth Football Club U8 Boys (aka “The Wanderers”). One of our very own Regency consultants, Stephen Bottomley, not only coaches the team but also helps out as goal-erector, lace-tier, sub-rotator and (most importantly) is Dad to one of the players. A few months ago, Stephen presented this rather sad photo to the Regency Management Team, showing the boys looking wet and obviously freezing after one of their games last October…


… so we decided to buy them something to keep warm and dry for the harsher winter weather.


Happily “The Wanderers” are having a successful 2018-19 season in both the Severn Valley Youth Football League and U8 Challenge Cup, with the boys growing in confidence, improving as individual players, and as a team throughout their first season together.  We wish the team all the very best for the remainder of the season, and for their footballing futures.

Cyber Security Consultant

Regency has a number of exciting opportunities for experienced Cyber Security Consultants to join our growing team.

The role involves:

  • Providing customer-facing Cyber security advice and guidance potentially across multiple client assignments simultaneously;
  • Working within multi-disciplinary teams against tight deadlines;
  • Delivering both tactical and strategic solutions focused around customer priorities;
  • Supporting the customer’s overall information risk management function to ensure they have a comprehensive understanding of their risk landscape;
  • Producing detailed risk assessments to the customer’s identified area of focus;
  • Producing risk management/accreditation artefacts across the full risk management lifecycle;
  • Developing innovative and novel approaches to mitigate risks in technically complex business areas;
  • Devising and recommending options for cost-effective security controls;
  • Conducting security compliance assessments against recognised best practice and industry standards as appropriate to the organisation;
  • Developing and implementing new security policies to address any deficiencies identified.

The Individual

  • You will be an experienced Cyber Security consultant comfortable with delivering into a variety of different, public and private sector client settings;
  • You will be a self-starter capable of taking a proactive approach to understanding customer requirements and responding by providing effective inputs that add tangible value to the customer’s business;
  • You will recognise that there can be many contributory factors to cyber security/information risk that require you to be aware of the wider technical, physical, and procedural context;
  • You will be an advocate for positive change and able to help the customer appreciate the benefits of challenging the status quo;
  • You will be able to tailor your delivery approach as appropriate to the requirements of the assignment, whether the work is within an established security/assurance team or working independently;
  • You will be capable of producing high quality deliverables to tight timescales;
  • You will be an excellent communicator, able to translate between business and technical requirements, and interpret these requirements back into relevant and insightful security advice at all levels of the organisation;
  • You will be expected to actively participate in all aspects of the business development lifecycle and support ongoing customer relationship management.


  • A minimum of three years consulting experience providing Cyber security advice, audits and guidance;
  • Experience of working within a recognised Information Security governance framework (HMG SPF, ISO-27001 or similar);
  • At least one of the following recognised IT Security certifications (CISSP, CISM, CISA, ISO 27001), with demonstrable experience;
  • At least one of the following recognised Risk Assessment or Risk Management certifications or training (HMG IS1&2, CRISC, COBIT, ISO27005, Octave), with demonstrable experience;
  • Experience of producing comprehensive information risk assessments;
  • Hold a Full UK Driving Licence;
  • Current HMG security clearance (or ability to obtain).


  • NCSC CCP certification in one of the following: Accreditor, IA Architect, IA Auditor, ISSO, SIRA;
  • Membership of a recognised Information Security professional body (e.g. IISP, BCS);
  • Demonstrable knowledge of data privacy legislation (e.g. DPA, GDPR);
  • Experience of using recognised project management methodologies;
  • Experience with using enterprise architecture modelling approaches such as ArchiMate;
  • Military/MoD experience within the Air, Land or Joint domains (preferably with a cyber security dimension).


  • Salary and package will be highly competitive commensurate with experience and qualifications.

If interested, please email your CV and a covering letter to

Incident Response Planning

“Plan to Fail, don’t Fail to Plan”

It might be a difficult message for some in our industry to hear, but the reality is that at some point there will likely be a security incident in your OT system. Whether it is a forgotten-about remote connection for maintenance that was never properly secured, or an inadvertent (or malicious) operator action that causes an event, whether it brings your process down or is managed and contained in an orderly way will come down to your Incident Response Plan (IRP).

Whilst most businesses will have a response and recovery plan for their IT infrastructure, it does not necessarily follow that this plan can also be utilised in an OT context. There are key differences in the requirements and operation of Industrial Control systems that mean having a dedicated OT IRP will pay dividends when things go wrong.

For example, the loss of a part of your Industrial Control System (ICS) could mean the plant or process will stop, so you will need to ensure that Control Systems engineers and technicians are on the key contacts list, rather than just IT-focussed staff. Also, recovery from an incident can be more difficult because ICS are often within validated systems, so there needs to be a process to manage and revalidate the workstations and database servers which have been reimaged from backups before operations can restart. Not to mention that Distributed Control Systems (DCS) and Programmable Logic Controllers (PLCs) can’t be reimaged in the same way that PCs can.

Another point to note is that if you have an incident, but the systems are still operational, then one can’t simply remove and replace the affected items. Availability is crucial in ICS, so managing the running process is just as much of a concern as managing the security incident.

What are the key considerations you should be looking for when designing your OT IRP?

First, there are lots of good sources of information to help you to get started. Government agencies are typically a good place to start. The US ICS-CERT has published a document with recommended practices ( ).

In the UK, the new NIS Directive has a clear objective (D1. Response and Recovery Planning) to ensure that Operators of Essential Services have put some thought into their Incident Response Planning. The NCSC CAF ( has a list of Indicators of Good Practice (IGP) for response and recovery. These recommendations are useful not only for the operators who will be directly affected by the NIS regulation, but are also good advice for any company with ICS looking to develop and mature their own incident response plan.

Key areas to look at:

Planning – Plan the IRP, brief everybody who has a role, and make sure that the plan is tested in a table-top exercise or some other simulated scenario. Understand the most critical areas of your system, so a graded response can be enacted depending on the location of the incident.

Communications – how will you co-ordinate with team members in the event of an incident? If your internal network is unavailable due to the incident, then an alternative to email will be required, such as text messaging, WhatsApp etc. Make sure you have an up to date record of everyone’s phone numbers and other contact details.

One important area to consider as part of the IRP is the collection and storage of system forensics, to allow full analysis of the security event to take place and establish how it happened, which in turn enables the correct mitigations to be put in place to prevent recurrence. Dedicated ICS tools are available that can detect these incidents and store all the system logs. Such tools can also push the information into a Security Information and Event Management (SIEM) system, which could be part of a dedicated OT Security Operations Centre (SOC) or a shared Enterprise SOC. (There are lots of additional questions on this topic: whether to go for a combined IT/OT SOC or a dedicated OT one; whether to go in-house or to a managed SOC service provider, and so on. These will be the focus of a future blog post.)

Sharing information within the community – you may be able to find answers to your problems, plus you can warn similar organisations of the incidents you are experiencing, the indicators of compromise etc, to help the community become more robust. In the UK, forums such as the CiSP ( are invaluable for this type of information sharing.

If you have any questions on Incident Response Planning or would like to explore how Regency / Airbus CyberSecurity can help your organisation, please contact us on our office number 01242 225699 or email us at

By Ben Worthy (Security Consultant – OT Cyber Consulting Team)

Cyber Security Monitoring Solutions for Industrial Control Systems

How to Select the Correct Cyber Security Monitoring Tool for Your Organisation

Critical National Infrastructure (CNI) typically relies on Industrial Control Systems (ICS) to provide the core operational function that our society depends upon. Previously, these control systems were isolated and ran on special hardware and software, where cyber security was not considered in the design. Over time these systems have become more complex, more connected, and more reliant on communication: this can increase their vulnerability and the likelihood that they become a target for cyber-attacks. A typical industrial control system consists of Programmable Logic Controllers (PLC), Supervisory Control and Data Acquisition (SCADA) systems and Distributed Control Systems (DCS), as well as IT assets such as Windows computers, Historian databases, printers, etc. ICS components are connected via various industrial protocols which were initially designed to achieve the communication task without considering cyber security requirements.

In recent years, many cyber-attacks such as Stuxnet, BlackEnergy, Industroyer and TRITON have targeted industrial sectors and critical infrastructure. These attacks led to major impacts on safety, availability, operation and the organisation’s reputation, and ultimately to financial impact. Thus, there is a pressing need to monitor and secure these critical infrastructures.

Many tools (or solutions) are available in the market to monitor the cyber security posture of ICS/OT infrastructure, raising alerts when a threat or vulnerability is detected. These tools are connected to the OT network using either hardware appliances (such as network sensors) or software agents in order to monitor all network traffic. This enables the tool to detect anomalous activity and, in some cases, block the traffic to prevent a cyber-attack. However, selecting a suitable solution that meets all requirements for each specific industrial application is very challenging due to the wide variety of features and vendors. Also, deploying these features at a customer site to gain full visibility and resilience across all critical and non-critical assets requires specialist knowledge and experience.

Many criteria should be considered when selecting a cyber security monitoring tool. This blog focuses on the technical criteria only, which are:

  • Asset and network discovery,
  • Real time network activity monitoring and threat detection,
  • Vulnerability management,
  • Alerting system, and
  • Tool interoperability.

The selected tool needs to be able to discover and inventory all OT assets passively, without affecting the operation of the ICS; identify the network topology; and extract asset artefacts such as model, part number or serial number, firmware version, OS version, IP or MAC address, open ports and installed software. Furthermore, some tools can also arrange these assets into zones or layers which reflect the actual network architecture.

Additionally, the selected tool should have the capability to monitor for and detect all threats and suspicious activities using detection techniques such as signature-based detection, statistical anomaly-based detection, protocol deep packet inspection and operational risk detection. The tool also needs to detect all vulnerabilities for each asset, prioritise these vulnerabilities using a scoring system, alert the operator and provide a remediation recommendation. It should then be able to generate a report on all security measures and provide Key Performance Indicators (KPIs) tailored to different stakeholders’ requirements. Finally, the tool needs to provide connectivity with other tools such as SIEM, backup server, Historian server, SCADA and other third-party service tools.
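To show what the first two criteria (passive asset discovery with zoning, and anomaly-based detection against a learned baseline) amount to in practice, here is an added example that is not part of the original article and is not Regency’s or any vendor’s code. It operates on constructed flow records standing in for what a passive sensor would parse from mirrored Modbus/TCP and EtherNet/IP traffic; the subnets, zone names, MAC addresses, the device identity fields and the severity rules are all assumptions for illustration, and nothing in it probes a device.

```python
"""Passive OT asset inventory and baseline-deviation detection.

Added illustration, not from the original article. The flow records below
are constructed to resemble what a passive network sensor might extract
from mirrored traffic; no packets are sent.
"""
import ipaddress

# Hypothetical zone model: subnets are invented for the example.
ZONES = {
    "control": ipaddress.ip_network("10.0.1.0/24"),
    "engineering": ipaddress.ip_network("10.0.2.0/24"),
    "enterprise": ipaddress.ip_network("10.1.0.0/16"),
}

# Constructed records from a learning period: engineering workstation and HMI
# talking to a PLC. "device_id" stands in for a parsed device-identification
# response that reveals vendor, model and firmware without any active probing.
BASELINE_FLOWS = [
    {"src": "10.0.2.10", "src_mac": "aa:aa:aa:00:00:01", "dst": "10.0.1.20",
     "dst_mac": "bb:bb:bb:00:00:20", "port": 502, "proto": "modbus", "op": "read",
     "device_id": {"vendor": "ExampleCo", "model": "PLC-100", "firmware": "2.1"}},
    {"src": "10.0.2.10", "src_mac": "aa:aa:aa:00:00:01", "dst": "10.0.1.20",
     "dst_mac": "bb:bb:bb:00:00:20", "port": 502, "proto": "modbus", "op": "write"},
    {"src": "10.0.1.5", "src_mac": "cc:cc:cc:00:00:05", "dst": "10.0.1.20",
     "dst_mac": "bb:bb:bb:00:00:20", "port": 502, "proto": "modbus", "op": "read"},
]

# Constructed records from the monitoring period.
NEW_FLOWS = [
    {"src": "10.1.0.44", "src_mac": "dd:dd:dd:00:00:44", "dst": "10.0.1.20",
     "dst_mac": "bb:bb:bb:00:00:20", "port": 502, "proto": "modbus", "op": "write"},
    {"src": "10.0.2.10", "src_mac": "aa:aa:aa:00:00:01", "dst": "10.0.1.20",
     "dst_mac": "bb:bb:bb:00:00:20", "port": 502, "proto": "modbus", "op": "read"},
    {"src": "10.0.1.5", "src_mac": "cc:cc:cc:00:00:05", "dst": "10.0.1.21",
     "dst_mac": "bb:bb:bb:00:00:21", "port": 44818, "proto": "enip", "op": "read"},
]


def zone_of(ip):
    """Map an address to the zone whose subnet contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def build_inventory(flows):
    """Passive inventory: every address seen becomes an asset record; a
    destination's port and protocol are recorded as services it offers."""
    inventory = {}

    def asset(ip, mac):
        return inventory.setdefault(ip, {
            "mac": mac, "zone": zone_of(ip), "open_ports": set(),
            "protocols": set(), "device_id": None})

    for f in flows:
        asset(f["src"], f["src_mac"])
        dst = asset(f["dst"], f["dst_mac"])
        dst["open_ports"].add(f["port"])
        dst["protocols"].add(f["proto"])
        if f.get("device_id"):
            dst["device_id"] = f["device_id"]
    return inventory


def learn_baseline(flows):
    """The set of (source, destination, port, operation) tuples seen while learning."""
    return {(f["src"], f["dst"], f["port"], f["op"]) for f in flows}


def detect(flows, baseline, inventory):
    """Anomaly detection: flag any conversation absent from the baseline, and
    raise severity for a write reaching a controller from outside engineering."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["port"], f["op"])
        if key in baseline:
            continue
        reasons = ["not in learned baseline"]
        severity = "medium"
        if f["src"] not in inventory:
            reasons.append(f"unknown source host in zone {zone_of(f['src'])}")
        if f["dst"] not in inventory:
            reasons.append("unknown destination host")
        if f["op"] == "write" and zone_of(f["src"]) != "engineering":
            reasons.append("write operation from outside the engineering zone")
            severity = "high"
        alerts.append({"flow": key, "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    inv = build_inventory(BASELINE_FLOWS)
    for ip, a in inv.items():
        print(ip, a["zone"], sorted(a["open_ports"]), a["device_id"])
    for alert in detect(NEW_FLOWS, learn_baseline(BASELINE_FLOWS), inv):
        print(alert["severity"], alert["flow"], alert["reasons"])
```

On the constructed data the inventory lists three assets, attributes the PLC’s model and firmware from a passively observed identity response, and the detector raises a high-severity alert for the write arriving from the enterprise subnet and a medium one for the HMI talking to a controller that was never seen during learning. A commercial tool does the same job with real protocol decoders and a far larger rule base, which is why the deployment and tuning questions in the article matter as much as the feature list.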

Regency IT Consulting can provide targeted research to customers in order to support them in selecting the most appropriate cyber security monitoring tool for their environment. Different tools can be recommended according to the industrial application requirements in energy, oil & gas, water and waste water, manufacturing, transportation, nuclear and other critical infrastructure. Regency’s methodology for selecting a cyber security monitoring solution follows four phases:

  • Define end customer site requirements,
  • Perform market research and identify all tools (solutions) that fit customer requirements,
  • Conduct an evaluation of each identified solution based on research, vendor meetings and test bed deployments,
  • Report the findings and propose recommendations based on the outcome of the study.

In summary, cyber security monitoring tools are recommended to enhance the cyber security posture of CNI; the correct selection and implementation of these solutions can minimise downtime and increase the overall cyber security resilience of industrial plants. Selecting the correct solution and tool is a crucial step in achieving these targets and in ensuring the availability, integrity and confidentiality of the ICS.

For more information on how Regency can help your organisation, please contact

Protecting Modern Manufacturing from Modern Cyber Risks

The whole concept of Industry 4.0 is one of “super-connected plants” with product and service on demand and instant access to real time data. The principles it embodies include the creation of interoperable manufacturing environments, integrated sales and delivery data sets, real time plant management data, and remote and autonomous service and maintenance management. It is the embodiment of the future that was imagined in the science fiction of the seventies and eighties.

However, with this all-connected, autonomous and self-managed industrial environment comes a set of risks and threats, and the potential for system breakdown that the same science-fictional world relied on for its story lines. Continue reading “Protecting Modern Manufacturing from Modern Cyber Risks”

Developing the cyber security profession – have your say!

Whilst wading through all the social media items that I had marked as interesting and should read further, I came across this blog article from the NCSC describing some of the work being performed by DCMS and NCSC around the future of the cyber security profession and requesting comments on the proposal.

The blog article goes on to explain that there are plans to create a Cyber Security Council and to integrate and harmonise the existing schemes (including CyBOK, NCSC and CCP) and asks for your thoughts (which can be submitted as an individual or company), which need to be submitted by 31 August 2018.

The public consultation document can be found at and thoughts can be submitted via

Please note that Regency does not take any responsibility for the content of any of the links contained within this article. The links have been directly copied from the NCSC blog article.


Top Tips on Human Training

Despite an increased awareness about cyber threats among the general population, hackers continue to prey on people because they believe them to be the weakest link in an organisation’s security. Continue reading “Top Tips on Human Training”

NIS Directive – 9th May is the Starting Point, not the Finishing Line.

The forthcoming NIS Directive is being studied keenly by Operators of Essential Services across the UK to understand the impact on their business. Whilst it does not have the same public attention as the more wide-ranging GDPR (another piece of EU cyber security legislation coming into force in May) NIS-D is of vital importance to the UK’s Critical National Infrastructure. Continue reading “NIS Directive – 9th May is the Starting Point, not the Finishing Line.”