In this SJUK exclusive, Simon Seymour-Perry, CEO of Logica Security, explores themes of leadership, security and compliance within the cybersecurity industry.
I founded Logica Security because I’d spent years watching organisations grapple with the same problem: security that slows things down rather than enabling what the business is trying to do.
We work directly with boards and executive teams across highly regulated and complex environments, including financial services, critical national infrastructure, government and the wider public sector.
We help to build genuine capability, reduce risk and make sure that what these organisations are doing will hold up when it really matters, whether that’s regulatory scrutiny, operational disruption or crisis.
Our role is to sit at that intersection of leadership, security, risk and compliance.
We combine enterprise-grade experience and offer everything from security strategy and governance to regulatory compliance, audit readiness, third-party risk management, AI governance and operational resilience.
What I’ve come to appreciate is that the organisations that get this right aren’t necessarily the ones spending the most; they’re the organisations that properly understand what they’re protecting and why.
Much of the cybersecurity market is focused on tools, platforms and technical solutions.
Don’t get me wrong, while technology is essential, it doesn’t address the underlying problem, which is usually organisational and behavioural.
What we do is rather different.
We help leadership teams get a clear picture of where they stand on risk, ensure their security approach lines up with regulatory expectations and design environments where people can operate securely without battling the system.
The other difference is pace.
Traditional consultancies tend to offer lengthy timelines and theoretical frameworks, whereas we focus on the decisions that matter to the board and aim to deliver value in weeks, not months, as that’s what our clients are really after.
This is something I feel rather strongly about. Security is fundamentally a people and process challenge, not purely a technical one, and I don’t think the industry talks about that nearly enough.
What I continuously see is organisations buying sophisticated tools, implementing them to tick a compliance box and then never quite getting the value out of them.
After this, the tool sits there but the risk is still being driven by inconsistent processes, teams not talking to each other and, often, human error.
A tool can’t redesign how people work or influence decision-making and embed accountability, as this takes leadership engagement, clear communication and proper governance.
Get those foundations right and your technology investments will start to deliver. Without them, you’re just accumulating shelfware.
HCSD is a methodology we’ve developed in response to a long-standing challenge that brings together behavioural science, organisational psychology and technology, with the aim to make security an embedded cultural capability, rather than another compliance exercise.
The problem it addresses is one that’s been frustrating security leaders for years.
Traditional awareness training tells people what the risks are but it rarely changes how they intrinsically behave.
People sit through their annual training, pass the quiz and then carry on exactly as before. This may satisfy a requirement but it doesn’t materially reduce risk.
HCSD takes a different approach.
Rather than simply informing people, we look at redesigning the environment so that secure behaviour becomes intuitive and part of how work gets done, not something layered on top.
Critically, this gives leadership teams proper metrics they can take to the board.
Regulators increasingly expect evidence of cultural and behavioural maturity, not just training completion. HCSD provides the evidence to do that.
Most security programmes do a reasonable job of raising awareness, but where they fall short is shifting cultural change, and that’s the gap we’re trying to address.
The reality is that people often know perfectly well what they need to do but they just don’t do it.
Perhaps they’re under pressure, rushing to meet a deadline, juggling competing priorities, etc. In that moment, the secure choice needs to be the easy choice and if it isn’t, people will take shortcuts.
This emphasises that it’s not a knowledge problem, it’s an environmental one.
What HCSD does is change the environment itself.
We work with leadership to establish ambassador networks that cascade behavioural change right across the organisation.
We treat human error as a measurable business risk, not simply an inevitable cost and we give boards clear metrics that demonstrate progress and return on investment.
Another area that really matters is regulatory alignment.
HCSD maps directly to what’s expected under DORA, NIS2, PRA SS2/21, GDPR and the UK Cyber Security and Resilience Bill, so not only will you be building a better culture but you’ll also be able to collect the evidence that the regulators require.
The shift is already underway.
Resilience has moved from being a technical concern to a genuine board-level priority. Regulators aren’t simply asking whether you’ve got the right tools anymore; they want to see real cultural and operational maturity.
They want evidence that your staff know what to do and are putting it into action.
For us, that means continuing to work closely with leadership teams to build environments where security is woven into how the organisation operates, not bolted on as an afterthought.
Our focus remains on delivering value quickly, embedding capability that lasts and helping our clients turn security from something that’s difficult to justify, to a key differentiator which genuinely supports the business.
Ultimately, the organisations that will succeed will see security as a reflection of leadership quality and organisational confidence, not simply a function of technology.