Interview with Joe Dolan, Head of Northern Ireland Cyber Security Centre

Cybercrime is a rapidly developing and significant threat to individuals and businesses in the UK. In 2016, as a direct response to the growing threat, the UK government launched its cyber strategy and set up the National Cyber Security Centre in London. Just a year later, Northern Ireland developed its Strategic Framework for Action.

Joe Dolan was brought on board in March 2019 to head the Northern Ireland Cyber Security Centre which is based in Queen’s Centre for Secure IT in Belfast. The formal launch occurred in February 2020 just before the country went into lockdown for COVID 19.

Joe talks to us about the region’s impressive cyber ambitions and how, when you’re dealing with such huge goals, a  gentle, baby steps approach is the smartest way to win the race.

What are the goals for Cyber Security in NI?

Our goals are both very ambitious and also very simple. We aim to make Northern Ireland cyber safe, secure, resilient and prosperous for our businesses and citizens.

Cyber safe is about awareness. Ensuring businesses and individuals know about the most common cyber threats.

Cyber Secure is about action. What do people need to do to protect their homes, businesses and devices from the majority of attacks? Much of this is not technical , it involves training staff, making policies, taking ownership. Where it is technical, it is mostly already available on our computers and  devices and is simple actions like creating strong passwords , turning on the firewall, antivirus software and auto update.

Cyber Resilience refers to thinking about how you would respond to a cyber attack. We want people to consider what is important and valuable to their business or home and how best to protect it. Is your valuable data reliably backed up and tested? Do you have a recovery plan? We are asking people to simply be prepared.

As well as ensuring we are properly protected, we also aim to boost prosperity by capitalising on the opportunities the connected world offers. Prioritising cyber security and developing training pathways to encourage people into the cyber sector makes Northern Ireland an attractive location for organisations. Earlier this year, Microsoft opened a brand new cyber security centre in Belfast bringing around 85 jobs to the region, and we are well on our way to the ministerial target of creating 5000 cyber jobs by 2030.

What do you see as the greatest threats to small and medium sized businesses?

Cyber is not always a priority on people’s agenda, especially for SME’s who are least likely to have access to cyber expertise. The greatest threat is for these organisations to do nothing.  Even just putting the basics in place wil make them a harder target for cyber criminals.

Providing some cyber training  and education for staff can help with some of the most prevalent attacks such as phishing. Anyone can fall victim to these scams as they are becoming more professional in their appearance and more clever in their tactics.

It is very important that a business knows what they need to do to quickly contain a cyber incident, the key to this is speed of response. If you have a culture of support then this gets reported quickly. If you have a culture of blame then these things get hidden and time is of the essence to limit the impact.

What educational projects does the centre promote?

The Centre is keen to promote any educational project or initiative that contributes to improving our young people’s opportunities in the cyber industry.

We work closely with the NCSC and the NI Cyber Cluster in promoting the CyberFirst programmes and are also doing more with Invest NI and the Department of Economy and Education in helping support our schools and young people in the development of opportunities for cyber.

We are lucky in Northern Ireland as young people have great access to cyber through the Apprenticeship schemes, Assured Skills programmes via Belfast Metropolitan College and through our local universities at Queens and Ulster University offering degrees and post graduate courses specifically in Cyber.

These opportunities are not only available to young people, there is also great opportunity to re-train later in life, whether you’re currently unemployed or having a mid life crisis and wanting to change your career. In previous times, you might go and work on a goat farm, now you can retrain to work in cyber if that’s your bag.

What was the path that took you to where you are today?

If I say I’m a career Civil Servant, I think people will start to glaze over, but what people don’t realise is that the public sector has an excellent well skilled IT workforce that I am proud to have been a part of, and in some ways, part of the shaping of over my 30 or so years. My career has taken me across all of the key disciplines, from networking, operational security, risk management, software development and testing.

What has been consistent across all of these varied disciplines has been the need to understand the security context. What is not consistent is those risks and the technical landscape we operate in, this is constantly changing. The change is what makes it exciting and fresh as a career and  in these 30 years I’ve enjoyed every minute.

What is your advice to small and medium sized businesses who are worried about cyber security but don’t understand it?

Don’t be afraid of it. It’s just another risk area. When many businesses first setup they needed to find out about tax, employment law, health and safety, finance, and leasing,  all of these needed a bit of digging, expert advice and an appreciation for the risks and penalties for not knowing.

Get good advice and put the basics in place. Just by doing the basics and sticking to them significantly makes it more difficult for cyber criminals to exploit you.

How can businesses be encouraged to protect themselves? Is change happening too slowly?

If we’re changing at all, its positive, not changing is staying at risk . ‘Perfection is the enemy of better’ which means that if we always try and strive to be perfect then we stagnate , it’s better to do baby steps.

Its also true to say that when we are given too much leeway, we do not act. For example, in the wearing of face masks, it was only when it became mandatory that more people made the effort. Its also true of GDPR, when it came in as legislation there was a really significant change in the management of information. People do want clarity, and we have to ask how we can help and support businesses and individuals to be able to make changes.

What can you tell me about the Cyber Security Leadership Strategies Programme  that you are supporting with IASME?

At the Centre we want to get as many businesses to recognise the need for good cyber security, to start the journey and ultimately be demonstrable in their good practices through assurance schemes like the Cyber Essentials certification.

We recognised that to participate in the Cyber Essentials scheme you need to know what cyber is and if this knowledge and awareness is not yet there, we need to find a way to bridge the gap.

The Centre proposed the development of a course for business leaders to introduce them to cyber security.  IASME recognised the issue and took on board the challenge and the Cyber Security Leadership Strategies programme was created.  IASME based the course around their excellent IASME Governance certificationwhich includes Cyber Essentials but also covers data protection requirements and other important aspects like staff training and incident planning.  It is a flexible course that allows managers to learn in  bite sized chunks that can be organised around a busy schedule. The programme was piloted this month via an online platform and met with very positive reviews.

How can managers find out more about this course?

Information about the course and a wealth of other cyber information for small businesses can be found on our website. We’ll also be tweeting it out once launched if people want to follow us @NIcyberSC . You can find out more about the course on the IASME website.