
Meet your M8s: Tom Duffell

2024 has been a transformative year for M8 Solutions. We’ve rolled out innovative solutions to NHS Trusts nationwide and welcomed new experts to our team, enhancing our ability to provide top-tier service to our clients.

To give you an inside look, we recently interviewed one of our newest team members, Tom Duffell, to find out a bit more about the amazing skills he brings to the company.

Here’s what he had to say.  


Can you tell us about your journey into the field of cybersecurity? What sparked your interest, and how did you develop your expertise in this area?

I grew up with my Dad working in IT, so I always held a general interest in anything with computers. I made the decision to study Computing and I particularly enjoyed computer networking, completing my degree with a 1st Class Honours.

I’m a firm believer that to understand Cybersecurity you need both an in-depth and broad understanding of all aspects of IT infrastructure, development, applications, and networks, but also the business itself and its strategy.

I began my career with an IT service provider, focusing initially on networking. As my journey progressed, I gained valuable experience with Surrey Police and later in the field of Defence. Over time, I transitioned into cybersecurity, where I discovered a passion for working on the cutting edge of technology.

After gaining extensive cybersecurity experience at Northrop Grumman, I joined the NHS. Three years later, I became the Chief Security Officer for Portsmouth Hospitals University NHS Trust, where I led the cybersecurity team and other departments for three years, including during the global COVID pandemic.

With your background in the NHS, how has your experience within the organisation shaped your approach to cybersecurity? Could you share some insights into the unique cybersecurity challenges faced by healthcare organisations?

 

Cybersecurity is incredibly complex, especially in an NHS environment. However, when you strip back the complexity, really it is just another business risk to be managed. Organisations need to ensure they appropriately manage cybersecurity risks to maintain business continuity and protection of their critical assets, usually their data, from potential threats. The difference between cybersecurity threats and, for example, a flood or other natural disaster, is that a cybersecurity threat might be deliberately targeting your business and attempting to steal your data or disrupt the service you provide. Other types of disaster are indiscriminate and aren’t intentionally stopping businesses from meeting their objective, often making cyberattacks far more difficult to recover from.

In the NHS, the environment is even more complex due to the critical nature of the services provided to the population, often relying on IT devices and infrastructure that are vulnerable to exploitation because they lack built-in cybersecurity measures. Even newer systems are not always developed with security in mind. When these systems are used to deliver patient care, potentially saving lives, NHS Trusts must balance the cybersecurity risks with the clinical risk of not having those systems available. The obvious problem, as frequently reported in the news, is that more of these critical systems are becoming unavailable due to their weaknesses being exploited by malicious actors, and unfortunately, the impact is being felt by patients everywhere.

What motivated you to join M8 Solutions, and how do you feel your role here differs from your previous experiences?

 

I joined M8 Solutions for several reasons, the first of which is rather cliché, but it was the people. I first met the M8 Solutions team whilst working at Portsmouth and they came across as very nice and genuine people, so working for M8 seemed a great fit.

I was looking for a role that would challenge me, and enable me to use the skills and experience that I’d built up over the years. So a role as a cybersecurity consultant was a logical next step for me.

I also wanted to continue helping the NHS and its patients, so really it all just came together; the right company, with the right role, enabling me to continue protecting patient services from cybersecurity threats.

Could you share some specific examples of projects or challenges you've tackled since joining M8 Solutions? How did your expertise contribute to their successful resolution?

 

The whole of the first year has been challenging to be honest, but different challenges at different times. Firstly, I had to adapt to a new role at a small and relatively new company. This required me to be agile in my working practices and adapt to a new environment with new colleagues, all whilst working from home.

It was also a challenge returning to consult at Portsmouth. There were huge advantages for the Trust and myself, but being back in a very different capacity, working with old and new colleagues took some getting used to.

Going from working for a single company, to consulting across multiple NHS Trusts, with a lot of the work varying hugely and requiring the entire breadth and depth of my skillset and experience added an extra challenge. This has though enabled me to take my learning from one Trust and apply it across several different Trusts, so whilst it has been challenging, it has also been incredibly rewarding.

What do you find most rewarding about your work in cybersecurity, particularly in the context of supporting NHS organisations?

 

I sometimes think of myself as a defender of cyberspace! I enjoy knowing that my efforts are helping to thwart malicious actors from causing harm to individuals, whether that’s from data loss, fraud or by helping to maintain patient services.

The NHS helps so many people in this country and remains quite globally unique, offering healthcare free at the point of need. Being able to help such an establishment and the people that it serves is definitely the most rewarding aspect of the role.

How do you prioritise and address the unique cybersecurity needs of different NHS clients, considering their varying infrastructures and challenges?

 

It really varies from one NHS client to the next. Each have their own challenges, and each have varying levels of cybersecurity maturity.

Typically, I take a risk-based approach to prioritising cybersecurity issues, but particularly given the financial challenges facing the NHS, sometimes I have to identify quick wins or focus on problems that can be resolved within the envelope of a tight budget. Then there are compliance and regulatory requirements to adhere to as well. Flexibility in the approach is key to being successful working for the NHS, but ideally tackling the biggest risks first is always preferable.

How do you approach identifying system vulnerabilities, and what strategies do you employ to effectively mitigate cybersecurity risks?

 

There are lots of tools available to help with finding system vulnerabilities. It is also vital to perform regular penetration tests using a reputable company that is either CHECK or CREST accredited. These tests should be performed annually at a minimum, but also when a new system is introduced or a major change to a system is made.

Once you have visibility of your vulnerabilities, then once again, taking a risk-based approach to addressing the vulnerabilities is the best course of action. This could be based on the severity of the vulnerability, the exposure of the affected asset to threats, or the criticality of the service(s) that the asset provides.

In what ways do you collaborate with other members of the M8 Solutions team, both within the cybersecurity domain and across other consultancy areas?

 

We have regular team meetings to discuss cybersecurity and the other areas of M8 Solutions’ business. This usually takes place on Microsoft Teams, but we also collaborate via email, over the phone, using WhatsApp or on occasion, even in person!

Could you discuss any notable achievements or milestones you've reached during your time at M8 Solutions?

 

Well I’ve just completed my first year at M8 Solutions so that’s an obvious milestone. I think my achievements have been more general in nature however. Going back to my challenges, I’ve adapted to a new role at a new company. I’ve also overcome the challenge of returning to Portsmouth. I’ve worked with several new organisations and completed various different roles for each of them.

I suppose if I had to pick just one achievement, it would be the relationships that I’ve built with the different customers I’ve worked with. Having a good relationship with the people who work for our clients is key to successfully delivering a frictionless and effective cybersecurity service.

What do you find most fulfilling about your role at M8 Solutions, and what drives your dedication to delivering cybersecurity services with utmost integrity?

 

Definitely helping NHS Trusts to maintain patient services. I really believe that what we do for our clients makes a difference, helping them to meet their business objectives. There is no more important an objective for the NHS than delivering excellent health and care services to patients, and the work we do in the field of cybersecurity is vital to ensuring that our clients can continue to deliver those services, despite facing a growing number of cybersecurity threats.

Given your extensive background, including work in the police force and involvement in defence projects, how do you leverage these experiences to enhance cybersecurity strategies for M8 Solutions clients?

 

I like to think that my experiences in the Police and in the Defence sector have helped to give me a slightly different perspective on cybersecurity. I believe that all experience is good experience and taking what I have learnt in those fields puts me on a better footing than having worked in the same industry the entire time.

I also think that working on high profile projects, particularly in defence, has helped me to know what ‘good’ looks like. I then endeavour to bring those good practices into the NHS.

Looking ahead, what are your aspirations for the future, both personally and professionally, within the realm of cybersecurity and consultancy?

 

Personally I’d like to spend as much time with my boys as possible, having fun, getting outdoors and seeing them grow up healthy and happy.

With regards to consulting, I’m obviously relatively new on this journey, so really I just want to become as effective a consultant as I possibly can so I can deliver the best services to our clients.

I want to continue to help the NHS to maintain the provision of the best health and care services to patients. I think to achieve this we need to change the narrative in cybersecurity in the NHS. Too much of the time the focus is on data loss, but whilst I acknowledge the importance of protecting against this, I want to raise awareness that the loss of digital services resulting from a cyberattack has the potential to impact people in a far greater capacity, particularly as the NHS becomes almost completely reliant on the digitisation of clinical systems and patient records. Ensuring that Trust boards and executive teams understand this and start to recognise that cybersecurity should be managed similarly to other business risks, is something that I think would benefit everyone.

 
