The ACE SME Council recently brought together engineering and technology professionals from across the Water sector for a focused session on cyber security, one of the most pressing challenges facing suppliers and contractors operating in critical national infrastructure today.
Matchtech was proud to sponsor the event, and given the subject matter, it provided the ideal opportunity to introduce our colleagues at InfoSec People, the cyber security and technology recruitment specialists within the wider Gattaca group. Together, we are uniquely positioned to help organisations across the water sector find the talent they need to strengthen their cyber posture, from experienced OT engineers to specialist security professionals.
The session delivered clear, practical insight from two expert speakers: Liz Banbury, who brought an in-depth perspective on supply chain risk and regulatory expectations, and Ben Craig, who examined the talent dimension of how organisations attract, retain and develop the right cyber security people.
Speaker Highlights
"Attackers often target suppliers first, not the regulated entity."
This point landed with real weight. The supply chain is frequently the path of least resistance, and it is therefore the responsibility of every supplier, regardless of size, to take their own cyber security seriously. As Liz put it:
"Reducing your own risk reduces the risk of the customer."
On the question of where to start, Liz was direct: Cyber Essentials. For SMEs in particular, achieving this certification is not a bureaucratic exercise; it is a meaningful signal to customers and a genuine baseline of protection.
"Cyber Essentials is not 'tick-box'; it's a passport into supply chains."
Liz also highlighted the practical, proportional steps that all organisations can take, including password hygiene, multi-factor authentication, and ongoing staff education, particularly around social engineering attacks, which remain one of the most common and effective routes into an organisation.
Regulatory expectations are rising across critical national infrastructure, and Liz was clear that organisations which move early gain more than just risk reduction.
"Cyber security is a people problem before it is a technology problem."
Skills shortages disproportionately affect smaller organisations, which often struggle to compete with larger utilities and consultancies on salary and career progression. The result is a retention challenge that compounds over time: limited progression paths, burnout from always-on security roles, and the constant threat of losing experienced people to better-resourced competitors.
Ben's argument was that strong retention strategies are themselves a form of risk management. Retaining experienced people means retaining institutional knowledge, continuity, and the contextual understanding that cannot be hired in from outside. The most effective retention approaches, he suggested, centre on role clarity and realistic expectations, meaningful investment in training and development, and a clear sense of purpose: protecting critical national infrastructure is genuinely meaningful work, and organisations should not be afraid to say so.
On the question of what good hiring looks like in the sector, Ben pushed back on the assumption that technical skills alone are sufficient. The most effective cyber professionals in the water sector combine sector understanding with strong communication skills and risk-based, proportionate thinking.
"Right people, not just more people."
The session closed with a clear vision of what good looks like for water sector SMEs: cyber security embedded in organisational culture, teams aligned to operational and business needs, people who are supported and retained, and recruitment that is targeted, realistic, and sector-aware.
Post-event interview
After the event, we sat down with Liz Banbury for a deeper conversation on supply chain risk, skills gaps, and the future of cyber talent in the water sector.
Q: What are the biggest cyber risks when contractors and partners hold sensitive asset data outside the organisation?
The core risk is where data classified as confidential or sensitive could expose weaknesses, vulnerabilities, or information about network infrastructure and site layouts. In the wrong hands, or when correlated with other data, it can enable both cyber and physical incidents. There is also a compounding concern around 'open data' held elsewhere, such as with councils for planning permissions or engineering works orders. Security-minded communication is the primary mitigation: revealing only what is necessary, and being very clear with contractors and partners about mandatory requirements for safeguarding that information.
Q: Where do you see the greatest risks: technological or talent-related?
The industry needs both experienced engineers and cyber security specialists; there is no either/or. From a cyber perspective, the crucial skills right now come back to mindset: the ability to engage senior stakeholders, to know what good looks like, and to form a view quickly on whatever the latest threat or topic is. From an engineering perspective, the supply chain in some areas is still at a low level of maturity, and engineers play a significant role in 'secure-by-design', but like most professionals, they face the challenge of keeping pace with a fast-moving threat environment. Given how frequently the supply chain is targeted as an indirect route to the regulated entity, it is imperative that organisations invest in both cyber talent and in upskilling their engineers.
Q: How should organisations approach building more diverse, high-performing teams?
It takes conscious, ongoing action, not simply hiring to fill demographic models. The individuals and teams still need the capability to perform. It also requires a genuine belief that diversity makes a team stronger and more able to pivot to challenges. Building from the ground up matters: working with schools, apprenticeship programmes, graduate programmes, and recruiting from non-standard channels including ex-military and neurodiverse communities. Hiring managers need to be mindful of their own biases. And culture must be set at the top: senior leaders need to live the values of the organisation.
Q: How do you see the cyber talent landscape evolving over the next five years?
The profession needs people with skillsets that simply weren't foreseen a generation ago. Quantum computing, once considered a distant horizon, is now a present risk; the NCSC has already published guidance on how organisations need to prepare. AI presents similar questions. Cyber practitioners need to be increasingly tech-savvy and able to move fast on emerging technologies. At the same time, experience will count more than qualifications: understanding the context of threats to a specific organisation, and being able to prioritise action accordingly. There is also a human dimension that the industry cannot ignore. Many practitioners have been operating at a heightened level of intensity for years. Automation and AI will raise the bar further, particularly at entry level. That places even greater emphasis on strong career pathways and genuine attention to wellbeing; burnout in this profession is a resilience risk in itself.
Want to talk talent?
Whether you are looking to grow your in-house cyber capability or need specialist support across engineering and OT, speak to the teams at Matchtech and InfoSec People.