A day in the life of... a cyber governance, risk and compliance officer 

I visit several websites to get the latest cyber security news. Because I am a well-rounded individual who doesn’t always think about work, I drop a message on my family’s WhatsApp group wishing everyone good luck for the day. 

Logging on 

When I work from home I have the luxury of a brief commute through the garden to my office/shed, so I spend time looking at the bulbs that are coming up. Gardening for me is a bit of an escape and I enjoy the simplicity of planting something and watching it grow. My success, however, is mixed.  

With the second coffee of the day on my desk, I fire up Teams and Outlook to see if there's anything that requires immediate attention. The team at Thomas Murray is very sociable despite working mostly remotely, and there will be a round of “good mornings” from people in different time zones that must be responded to with an appropriate gif (I favour one of a cartoon dog drinking coffee).  

My calendar today shows a combination of catch-up calls with existing clients, blocked-out time for delivery and analysis, and an initial call with a new client.  

One of the first things I will do is log on to the ongoing monitoring platform that has been built at Thomas Murray. The platform gives the team access to trends, threat actor patterns, and real-time alerts. Much like understanding the wider business landscape, it is crucial in my role to understand threat actors. Having this data at my fingertips is one of the things that sets us apart from other organisations, and something I’m incredibly proud of.  

Late morning 

I have a client who is concerned about the impact of the Digital Operational Resilience Act (DORA) on its business. The organisation is in the financial services sector and has an existing cyber security team, but DORA requires significantly more than what the organisation is doing at present.  We are working with the client to ensure it is ready for DORA compliance when the Act takes full effect in January 2025, and now that we’ve conducted a review of its current activities and identified gaps, we are managing the programme of work.  

We are assessing the organisation’s supply chain – always a complex and extensive task, but our technology makes the process efficient and accurate. Today I am vetting the responses and evidence captured about the high-risk third parties. Our team has identified a few challenges and, as part of my role, I have validated the issues. The next step is to inform my stakeholders, offer insights, and propose next steps.  

I prepare for a call scheduled for later in the afternoon. I give the kick-off deck a review and make some minor amendments. The client has recently suffered a cyber incident and is keen to understand its current capabilities, but also wants to understand what more is required for an organisation with its threat profile.  

Lunchtime 

Heading back through the garden to the house, I notice a clump of moss in the grass. I make a mental note to get the scarifier out and put some more grass seed down. Lunch today is a sandwich, a glass of squash and some raspberries.  

This year I have promised myself to read more, so I pick up my copy of Deterring Armageddon: A Biography of NATO by Peter Apps to read over lunch. I was lucky enough to meet Peter recently, and found his insights into geopolitics fascinating.  

Early afternoon 

Back in the office/shed, I log in. I see my client has responded positively and is supportive of my proposed approach, so I get the wheels in motion for addressing the issue.  

During my lunch break, the Cyber Threat Intelligence team has shared insights into a novel technique now being used to attack organisations. I review the document and share it immediately with a client who is likely to be impacted by the team’s findings, and I include a set of tailored recommended actions. I am a big proponent of sharing information; I also understand that the board is highly engaged and will appreciate the additional insights. 

Late afternoon 

We have a kick-off call with the client for an assessment against NIST CSF 2.0* and I outline our approach. Because I always keep in mind a challenge from an old boss – “Can you tell the client what you have done to make its organisation safer?” – I tell the client that we will bring to its attention any red flags as soon we find them, and that our output is extensive.  

We provide an executive report and an accompanying breakdown of remediation activities with corresponding timelines. By working through our recommendations, anybody would be able to rise to my old boss’s challenge. At Thomas Murray we have sought to answer the “what?” by using threat intelligence, the “so what?” by using our contextual insights about our clients, and the “now what?” by providing pragmatic advice and an easy-to-follow action plan. A series of actions is assigned and after the call ends I send a follow up confirming next steps. 

An internal call with the wider Thomas Murray team to get an overview of what’s happening across the business again makes me appreciate the organisation as a fantastic place to work with great people and interesting clients. 

*The National Institute of Standards and Technology Cybersecurity Framework. 

Logging off (sort of) 

I see a “thank you” note from my client for the additional information related to the new attack techniques and a request for more information about how it can assess the effectiveness of its managed detection and response (MDR) provider. I offer to set the client up on a call with the offensive security practitioners on our team for later in the week. My colleagues will leverage the threat intelligence to accurately replicate what a threat actor does, and in way that will give the client the insights it needs.  

I’m on call tonight, so I make sure that my work phone is charged, within reach, and with the notification sounds turned up loud. (I can snooze an alarm, but not a work emergency.) Now to tackle that moss and check on the sweet peas.