National Cyber Resilience Advisory Board minutes: September 2022

Minutes from the meeting of the group on 6 September 2022.

Attendees and apologies

Board members

  • David Ferbrache (Chair)
  • Bob Hayes (Vice Chair)
  • Anne Moises (AM)
  • Helen Nisbet (HN)
  • Deryck Mitchelson (DM)
  • George Fraser (GF)
  • DCC Malcolm Graham (MG)
  • Jordan Schroeder (JS)
  • Freha Arshad (FA)
  • Natalie Coull (NC)
  • David Aspinall (DA)
  • RA
  • Keith Nicholson (KN) via phone

Partial attendance

  • Head of ScotlandIS Cyber
  • Scottish Cyber Coordination Centre (SC3) Data Sharing and Threat Intelligence Management Lead

Also in attendance

  • ON
  • Head of the Cyber Resilience Unit (CRU)
  • CRU Public Sector Lead
  • CRU Private Sector Lead
  • CRU Programme and Policy Lead
  • CRU Policy Manager
  • CRU Business Support Officer


  • David McNeill (DM)
  • Dave McClure (DMC)
  • Gordon McGuinness (GM)
  • Christian Toon (CT)
  • David Hartley (DH)

Items and actions

Welcome, minutes and actions 

The Chair welcomed members to the meeting. Minutes were approved and action log reviewed.

Conflict of interest

No conflicts of interest noted.

Cyber threat landscape 

ON provided an update on the current threat situation from the National Cyber Security Centre's (NCSC) perspective.

MG provided an update on the current threat landscape from a Police Scotland perspective. 

SEP22/01: Cyber Resilience Unit (CRU) to work with Police Scotland and NCSC to align cyber security messaging linked to scams related to cost of living crisis.

SEP22/02: ON to look into any research around the impact of the cost of living crisis on the proliferation of attacks and impact on preparedness of organisations. 

Update on year 1 strategic framework activities, followed by discussion of future priorities

Head of the CRU spoke to paper 1, with a focus on the public sector action plan. 

SEP22/04: CRU to consider elevating the staffing and recruitment risk to very high and opening it as a live issue. 

Head of CRU presented Paper 2 which highlighted the breadth of activity that has been delivered by partners during year 1 of the strategic framework. The Board were keen on seeing more analysis of the difference this activity has made. The analysis report is now planned to be published at the end of year 2 of the strategic framework.

SEP22/05: FA to set up working group to examine what activity would impact most on the private sector, in working with the CRU to examine previous activity.

The Chair led a discussion on what the Board thought were the priorities going forward. The Board agreed the following priorities:

  • cyber assurance of the public sector
  • education and skills – general and growing the skills pipeline
  • supply chain cyber security
  • procurement processes
  • supply chain security

The Board also felt that it was important to demonstrate how cyber resilience underpins wider government priorities.

The Board requested that the scale and complexity of the challenge needs to be set out.

These would be taken into consideration as the CRU prepares next programme of work and will also be referred to when the Board meets the Cabinet Secretary for Justice and Veterans at the next Board meeting. 

Update on cyber security industry in Scotland 

Head of ScotlandIS Cyber presented a short update on the cyber security industry and key events coming up in Scotland.  

Cyber Security Month activity 

CRU Policy Manager provided information to members on upcoming cyber events during Cyber Security Month. 

SEP22/06: CRU Policy Manager to send members a list of upcoming events. 

SC3 update

CRU Programme and Policy Lead summarised project progress and presented future priorities and likely recruitment timescales. 

SC3 Data Sharing and Threat Intelligence Management Lead shared information on progress with the intelligence and data sharing workstream.  

CRU Private Sector Lead shared information on progress with the incident co-ordination and exercising workstreams.

Any other business

SEP22/05: CRU to follow up with Board members who could assist in moving forward the audit and assurance activity.


The next Board meeting will be on 6 December 2022, 10.00- 14.00. Location to be finalised.

Back to top