Interview with Ciaran Martin, former CEO of the National Cyber Security Centre

It was Ciaran Martin’s idea to create a National Cyber Security Centre in the UK, and with the government’s full backing, he went on to action this bold innovation and to lead the centre from its opening in 2016 until August this year. Today the NCSC is an international role model in its collaborative approach to the world’s cyber security.

Both Ciaran’s parents were teachers and he grew up in Omagh, attending the Christian brother’s school where he was described as a true all-rounder. The broken society of 1980s Northern Ireland imprinted beliefs and values upon Ciaran that would go on to influence his course in life. A vision for sound administration, and competently run but ethical public service, and a belief in fairness became the road map that led him to a career in the civil service and the intelligence and security branches of government.

Since leaving NCSC this year, Ciaran has joined the faculty of the Blavatnik School of Government at the University of Oxford as Professor of Practice in the Management of Public Organisations. He has also taken on a managing director role with Paladin Capital Group helping guide investments in cyber security, Ciaran also advises Garrison, a world leader in web isolation-based security.

Ciaran joined us for a chat and filled us in about some aspects of his career spent bridging divides: marrying technology and security to government policy, remodelling classified intelligence to a public facing service and finding industry innovation for market place solutions.

At the CBI Cyber Conference in 2018, you outlined that there were 3 misconceptions that businesses generally held in relation to cyber security:

  1. Cyber is too complex so I won’t understand it.
  2. Cyber is too sophisticated so I can’t do anything about it.
  3. Cyber is targeted so I’m not at risk.

You also outlined that you wanted the NCSC to provide simple guidance to demystify a subject shrouded in jargon. That was two years ago, do you feel that those misconceptions are any less prevalent and, if so, what more can be done to reshape business thinking?

I think we’ve made progress in the two years since I said that, firstly, there is a broad realisation that a lack of awareness is no longer a defence, there is also a shift in understanding cyber as a business risk. However, we do have a problem and that is the gap between what consumer’s need and what is being developed, marketed and provided. Consumers don’t want beautifully put together PowerPoints or nice maps detailing cyber attacks, they need to know, what they can buy that will make a real difference. How do they know it will work? Is their business network, employees, intellectual property safer than it was before? Where is the normal information about quality and service that buyers expect in the commercial world?

Regarding, ‘Cyber is targeted, so I’m not at risk’, we still have someway to go. When I was leaving NCSC at the end of August, I drew attention to the summer of 2017 when we had the WANNACRY attack which hit the announcement boards at German railway stations platforms and it also hit the NHS administrative systems here in the UK . About 46 days later we had the NotPetya attack which was a Russian attack, directed at Ukranian business but which ended up, amongst other things, disrupting a merchant shipping company and chocolate factory in Tasmania. Well, I’m pretty sure when the Russians attacked the Ukraine, they weren’t going after a chocolate factory in Tasmania. But cyber weapons are called viruses for a reason – they spread. Cyber is targeted, but sometimes they miss the target and sometimes it goes viral.

In terms of demystifying cyber, we have made quite a lot of progress, but there is a lot to do in de-mystifying the market place. If we look at the Internet of Things, for example, can we find information to inform us about the security functions? This needs to improve and the market needs nudging to create independent assessment frameworks that are trusted by industry. Here in the UK we have decided to bring in some legislation around IoT consumer device security and this will come into effect in the near future.

NCSC is the new kid on the block but none the less has played a key part in the 100 year history of GCHQ which was celebrated last year. In that 100 years there have been tremendous advances in technology. What do you think are the key issues that cyber security must address as we head into the second 100 years?

We are coming out of a period of just over a quarter of a century where the internet has evolved. It has evolved in a way that wasn’t malevolent, but none the less, didn’t really provide for a good security framework – productivity was everything and it was all free. How do you make everything free? You have to give away your data. There are all sorts of problems with that which we are now beginning to realise and deal with.

Over the next generation of technology, we have the Internet of Things evolution, we have 5G, we have machine learning, we have quantum. We know that this is going to happen and the time is now to make sure that we show leadership in the public and private sector, implement regulation and consumer education, and build security into every business model.
I think the big theme in the next course is going to be trust in technology. It has certainly been our saviour in 2020, and kept many of us going professionally, as well as kept a lot of people in touch personally. We need to make sure we build security, trust and transparency into the next generation of technology.

It was you who recommended the creation of NCSC and that came to fruition in 2016. What were the biggest challenges in creating the NCSC and what would you consider its greatest success while you were CEO?

I want to thank the government for backing the idea and the really brilliant people on the technical, operational and communication side who were fully committed to making it work.
When people ask me, what was the hardest part? It was building an open subset of a secret organisation. We had to take risks, and de-classifying threat information is risky. It’s harder than you might think to build an open public facing capability within a secret organisation, but I think we managed to do it, and it will continue to go from strength to strength.

What advice would you give to early stage cyber security firms looking to develop their innovations?

My main advice is – solve a problem.
I would love someone to say I can really demonstrate how to make a strategic dent in the ransomware business model by stopping the money moving around or stopping the encryption of data by a hostile force. Fix something, don’t come with a bubble that looks nice on PowerPoint, come with a solution.

According to Wikipedia, In 2002, you were the phone a friend on the TV show, ‘Who wants to be a Millionaire’. Can you remember the question?

Declan Montague was my friend on ‘Who wants to be a Millionaire’, part of a group of school friends that thinks it’s great fun to edit Wikipedia! The question was, ‘where would you hear the division bell?’ and the answer was, the Houses of Parliament. I think I got him from £1000 to £2000 but then he missed the safety ladder, so my help was to no avail.

The UK’s cyber security posture received the 2020 European CYBERSEC award with particular reference to the creation of the NCSC. We’d like to congratulate you for your part in this achievement, and additionally for the CB that you were awarded this year for services to international and global cyber security.

What are your ambitions for the future?

Despite the ceremonies being cancelled this year, I was awarded a CB which stands for ‘a Companion of the most noble Order of the Bath’. It is one of the orders of chivalry I’m told, but not as high as the member of the Order of the Garter, referenced in the satirical sitcom, ‘Yes Minister’.
Looking forward, I believe that the more Governments from around the world share their experiences and listen to each other, the more they can learn. Often, there is technical expertise and operational expertise but there can be a shortfall in policy and leadership capacity. I want to use my role at Oxford University to improve and promote trust in technology for future Governments across the world.

Read articles by Ciaran Martin on Linkedin and read more of our previous interviews here.