Perspectives: Looking ahead to the next couple of years, what are some of the ways we should be approaching the threat landscape? And what are some of the biggest opportunities you have ahead to address threats?
Joe: You want to have the best intelligence picture you can get. You want to understand what you're vulnerable to, so you can assess the risk properly. But even when you do that, ultimately that's still a guess, unless you have perfect information. So the approach that we take is that even though the intelligence picture is important, you need beyond that to be as highly capable as you can be, because you're going to need to cope with threats about which you have no prior knowledge. And you're not going to be able to predict with complete accuracy how the external environment is going to be changing — so you need to be capable and flexible enough to cope with that future uncertainty.
I tend to sit on the optimistic side of the fence. If you are harnessing good talent, you can develop quite quickly. You can also start to take advantage of whatever opportunities are out there. Take large language models, for example. Are they mature yet? No. Will they be able to mature quickly? Yes, if you use them properly, and ethically. You start harnessing that internally as quickly as you can. It ought to be more straightforward for a defender in the future than it is for an attacker because although you can't control what the external environment is going to do, you ought to be able control your own. So if we get that right, I'd say the balance might shift towards defenders if we act in concert.
Perspectives: So thinking about what the biggest challenges are for you or people in your role, is it less about that unpredictability and more about figuring out what actually worked afterwards? What would the biggest challenge be?
Joe: I would say that your biggest challenge is always yourself. It’s not the outside world, it's getting your governance structure sorted out properly in the first place, along with real clarity about why your cyber function exists. Once you've done that, problems that you think you might otherwise have had can start to disappear. Or, to put it another way, there is no excuse for not getting your own house in order. You can’t control the external elements, but you can control your own. That’s what I mean about the biggest challenge being yourself.
Also, the data says that there is a very significant skill shortage. The view we take is slightly different: there might be a shortage of fully formed skills out there, but there is no shortage of talent. So the way to solve that problem is to go for the talent rather than go for the ready-made experience. If you're going to do that, you have to be operating at a scale already that has enough critical mass to be able to absorb and develop that talent - then you can bring it on quickly. You can either do that on your own if you are large enough or you can do it collaboratively with other organizations.
Perspectives: This feels much more like a European approach compared to the U.S. In talking to your U.S.-based counterparts have you found that to be true when you discuss the talent pipeline?
Joe: I'd say the scale in the US is different and that might add complexity. There are a number of organizations and agencies that I think work really well – I think the key is to avoid isolation from the rest of the cyber community, both locally and nationally. It’s probably easier to do this in an environment that is geographically small, like the UK, but I think the principle is the same.
Perspectives: I feel like I've been hearing “I'm not looking for somebody who has a cyber security background. But if somebody who can work well on my team and I can train them up and they're smart, then maybe looking in more unusual places for that talent isn't really a bad thing.”
Joe: Around 20% of my team joined with no technical or security background, but with obvious talent. They include apprentices and mid-career professionals changing career from the private and public sectors to come and work with us. They develop quickly, give us different perspectives, work really well in a team environment and focus on solving problems.
In terms of the government security profession, it's only about four or five years old. So one of the things we're determined to do with the profession, because it involves every security professional in every department, is to make it behave as though it were a single entity. It should become really straightforward, for example, for people to be able to move from department to department with minimal bureaucracy. You can enhance your career prospects by doing so. That also means you're getting valuable practical knowledge that is being shared around, all the time. And one of the things we also need to do is make sure that we recognise and reward people consistently.
Perspectives: Are you getting more women or more underrepresented groups in the sector?
Joe: I think that is why we don't like the traditional way of recruiting, because what in effect you're saying is, “Can you tell us about a time when somebody else gave you an opportunity to be able to demonstrate your skill and experience?” You’re automatically then recruiting from what the system may have looked like say 10 or 15 years ago. You're not going to enable diversity and inclusion that way. Or you might, but you're going to do it years into the future rather than now, because the way you recruit has an in-built time lag. What we've seen through the apprenticeship scheme and from our academy for new entrants with no security background, is an amazing diversity of applicants who are very good. And then you can actually start to change the system pretty quickly. I think that the key is providing equality of opportunity and lowering the barriers to entry.
Perspectives: Last question. Could you speak to what you wish senior technology and security leaders would talk to each other about more?
Joe: How have you organized yourselves and, most importantly, “Who's in charge”? And then, maybe, “Who’s really in charge?” Cyber isn’t really about cyber, it’s fundamental to the resilience of operation of a business in the private sector or of public service in the public sector. So whoever heads up that business or leads that public sector service provision owns cyber, whether or not the current organizational construct says so or recognises it. It will be apparent that whoever leads the business actually owns cyber if a major cyber incident happens, and those organizations that recognise this in advance and organize and take action accordingly will be more likely to be resilient. And, for exchanges with senior leaders, once we've done talking about that, then let's start swapping details of everything we're capable of doing to prevent these threats from materializing.
I'd say one of the things senior executives could say, and it’s not an uncommon assumption that people make, is that it's just a question of time until we get breached. That might be the equivalent of being a self-fulfilling prophecy. It might then be more likely you're going to get breached because you automatically assume that it’s going to happen, so you don’t rigorously take the steps you might have done to prevent it. Our start point is that we are not going to get breached. We’ll look to be ready if it ever happens, but we’ll only believe it if we actually see it, because then you're putting your effort into preventing it in the first place rather than waiting for it to happen.
I'd try and rid that “only a matter of time” mentality from any board, on the basis that you should be careful what you wish for.
If you’d like to read more Perspectives like this one, please sign up for our newsletter.
