IMG 3195 smallInterview with Matt Horan, Security Director of C3IA Solutions


Please describe C3IA Solutions and the services you provide?

We are a system engineering and cyber security SME with 10 years of experience in the delivery of secure communications and IT to UK Government, MoD and similar security conscious organisations. Although based in Poole, we operate across the UK and have provided services overseas. We feel that cyber security in particular is a topic that will be of interest to your members and customers alike and our status as a GCHQ certified company underpins our suitability to provide advice and services.

So who needs to consider cyber security?

Everybody needs to consider cyber security, but analysis of different motivations, responsibilities and interests lead us to believe that there are 3 generic cyber security models. There is the model for suppliers that wish to do business and then deliver services in an overseas location, for whom there may be risks around their supply chain and business information when working in and reaching back from a less secure country than the UK. Secondly there is a model for the event organisers responsible for the event itself and associated enabling services such as ticketing, stage management and media; a failure in these would lead to both reputational and revenue loss. Finally there is a much more sophisticated model for the event host, related to national security and either nation state, terrorist or serious organised crime activities.

Does cyber security need special planning and attention?

The difference with cyber security is that it calls upon skills and experience that are in relatively short supply and need to be applied to the context in which companies will be operating around the world, and in some cases a long time before the event takes place. Many companies don’t have the resources or skills to do this for themselves.

How much do your current customers invest in cyber security?

The level of investment is related to the interests that our customers are trying to protect. Some customers are just interested in meeting one of the many regulatory standards required to fulfil a contract, such as Cyber Essentials or PCI-DSS. Other customers understand the true risk of cyber security and focus their investment on protecting their business. They do this by protecting the personal information of their customers and staff, by protecting business critical information such as their Intellectual Property Rights and contracts, and increasingly they are protecting the technology that underpins their solutions and services, including the supply chain that supports it. It is difficult to give a generic figure for investment, but it is related to the cost of having to recover from the effects of a successful attack or event related to these interests.

Is this all about internet security?

Although cyber security is most associated with the internet, it is increasingly relevant to all aspects of technology associated with major events. To give you an example of some of the projects we undertake, we would look at the physical aspects of a location to check that information cannot be physically stolen or accessed through social engineering. We would look at the increasing use of technology for an event itself, technologies such as data links to vehicles and wirelessly controlled stage and light fixtures may not be connected to the internet but still have vulnerabilities that can be attacked. If we are looking at internet use, it is often the foreign and untrusted wireless access point in a hotel that provides the vulnerability to an otherwise secure system.

What is the biggest threat?

The biggest threat has been routinely identified across the security industry to be the insider. This is either an employee or someone that has legitimate access to locations and systems. Whether they are taking action because they are disgruntled, because they have been the subject of social engineering (the term used to cover bribery, blackmail and abuse of moral beliefs) or because they have simply made a mistake, their actions are often difficult to defend against. This risk can only be reduced through education and training, backed by monitoring across the whole organisation. This is something we stress on our accredited training courses.

So what does C3IA provide specifically?

There is a structured approach to cyber security that can be tailored to the needs of any customer. This normally starts with an analysis of critical business functions and an assessment of the risk to these functions, the business owners are then supported in deciding the level of worthwhile investment and finally the preparation of a risk management plan . This plan will outline the technical, physical, procedural and personnel measures that should be taken at each stage of the business being conducted, or event delivery. We are proud of the quality of the approach we take and it has earned us the status of being a CESG Certified Cyber Consultancy. We can also provide the solutions to achieve improved security from protected internet and telephone access to 24/7 monitoring of internet traffic to detect and respond to attacks. There is no ‘one size fits all’ solution and investment can be tailored to the scale, technical complexity and risk appetite of our customers.

C3IA Solutions is a member of MEI and Matt Horan can be contacted at This email address is being protected from spambots. You need JavaScript enabled to view it. telephone 01202 721123.


Additional information