At CyberUK in Liverpool on 14 March 2017, I was given the rare opportunity to sit down with two of GCHQ’s NCSC directors, Alex Dewdney, director of engagement, and Chris Ensor, deputy director for cyber skills and growth. Here is what they had to say.
Eleanor Dallaway: What are your thoughts on the professionalism of the industry and what more can and should be done?
Alex Dewdney: There’s a broader point about to what extent should the government – specifically the NCSC – give a stamp of approval to cybersecurity products and services? I think absolutely we should do that, that’s a role for us, and I think we need to change and diversify the way we’re doing it.
CESG ran a whole set of accreditations and schemes for all sorts of cybersecurity products and services: consultancy, incident response, pen-testing and so on. Those schemes were running for many years and were – to a greater or lesser extent – successful, but we hit pause on those and are currently going through a review to see that they are fit for purpose, or consider if any can be improved in the way in which they run. Some have been, and will continue to be, successful, and others need a bit of reform. What’s really important is that we think of the customers and the beneficiaries in terms of those organizations that will be helped to do cybersecurity better, and not necessarily the people who are delivering the services.
Over the next few months, you’ll start to see communications about what the NCSC is putting in place in terms of a new set of schemes.
Chris Ensor: Technology is really complicated, so trying to say anything is good or bad is really difficult. That’s the challenge we’ve got, so more and more we try to simplify things down to make it as black and white as we can; that’s what people want.
Eleanor Dallaway: What’s your opinion on whether the information security industry needs a Royal Charter?
Chris Ensor: We’d like the industry to be recognized with a Royal Charter. IISP is currently going through the application process.
A Royal Charter is all about raising the profile of an information security professional – they’re not just IT people. Having a Chartered status brings another level of recognition, a bit of gravitas, so that’s great.
However, you still need hiring managers to want a Chartered professional. It’s easier to stimulate the supply side if you get people demanding this status. That’s what we have to crack. Chartered status will be a great move forwards, but we still need companies and organizations to recognize that they need competent people.
You could imagine that under GDPR, if you have a breach, the investigators will want to know if you had competent people on your staff able to manage data risk. If you can say ‘my CISO is Chartered’, then you’ve done due diligence in putting in place the right person. If you take a risk decision not to hire someone who is recognized that way, then that’s your risk and it may come back to haunt you.
Eleanor Dallaway: Would a Royal Charter proposition be stronger if it came from a joint consortium of industry bodies?
Chris Ensor: We are working with DCMS on this. We ran a workshop with professional bodies and there are two or three models which could be used, and we’re not quite sure which is the right one. We need to talk to industry about where they think we should go.
Option 1: We could define a set of areas and have a body, or bodies, responsible for each area with an overarching umbrella.
Option 2: There’s nothing to stop the existing bodies coming together as a consortium and working together for this Royal Charter, but they’ve not managed to do that yet.
Or, option 3: We just go for one organization – like the IISP.
The challenge with the council is managing all the different stakeholders. There are a lot of qualifications and a lot of bodies playing in this space. If you’re a user, does that help or hinder you? Simplification is something I really care about. Does a council make it simpler and allow people to navigate and know what body to go to for the particular skills they want? I don’t know, but certainly the principle of whatever we come up with should be simplicity.
One idea we had was to put out a competition and say ‘who would like to be the partner of choice for government and industry?’ as a professional body. If we did that, you could encourage a consortium to apply, but they’d have to be a legal entity.
I don’t think we have a preference, as long as simplicity and quality are maintained. There are a lot of organizations out there, like the CRESTs of this world, like CyberScheme, like (ISC)2, who have a lot to offer. How do we make the best of that?
Eleanor Dallaway: When the NCSC opened in London, how did the staffing work and how does the relationship with GCHQ work?
Alex Dewdney: We are GCHQ. The NCSC has between 600 and 700 people at the moment and the majority are Cheltenham-based, but not all. We have over 100 in London. Some have already moved into the building and the rest will move within four weeks. We want to grow as an organization, so we’re going to look to recruit in London, but there’s also scope for a little bit of relocation as well. Over time, as the organization grows, the Cheltenham to London balance will shift. Constitutionally, the NCSC is a directorate of GCHQ, so that means we are able to operate with a lot of flexibility in terms of moving people across different parts of GCHQ’s mission. As Robert Hannigan said, a lot of GCHQ’s best people always worked on the cybersecurity part anyway.
Eleanor Dallaway: In his speech this morning, Ciaran Martin, CEO of NCSC, said that GCHQ’s 3000 private sector consultants are just as – if not more – dedicated to the cause as its 6000 civil servants. Is this true?
Alex Dewdney: I don’t think he meant to say that. They are not more dedicated – they are as dedicated. We’ve run a staff engagement survey for many years and get really high scores because people love the mission. They come to work for us because of the public service ethos, but it’s also deeply fascinating: you get to play with great technology and learn all sorts of secret stuff, which is absolutely brilliant. Over the last two years, we’ve done a similar survey for our industry colleagues who are embedded in the organization and that threw up really good engagement scores – they love being a part of our mission.
Eleanor Dallaway: Tell me about the Industry 100.
Alex Dewdney: It was announced by the Chancellor when we opened the NCSC. The idea is that companies lend effort to us to work with us on common cybersecurity challenges in a way that benefits us but also the company because it helps with giving their staff more experience. Our initial ambition is to get 100 individuals into the organization from industry.
Eleanor Dallaway: How does that work in terms of security clearance?
Alex Dewdney: We are working a bit differently in the NCSC. One feature of our building in London is that you don’t need to have a DV to work there. We are increasingly open to recruiting people who don’t have a DV. They may be on their way to a DV, which is what we’re initially looking for, but getting a DV can take several months and, given the nature of a lot of our work, you don’t necessarily need a DV to do that. So we’re looking at a much more flexible recruitment model, which will, in turn, give us more diversity of workforce.
Eleanor Dallaway: Why is diversity so important to GCHQ?
Alex Dewdney: Because all the evidence suggests that a more diverse workforce is more effective. One of the biggest risks for us is a shortage of skills, so if there are lots of factors in the environment that mean fewer women are going into STEM and cybersecurity and staying there, then we’re missing out on a bunch of talent. We can’t afford to do that because we’re short of talent and short of skills. Additionally, we’re a public service organization and we need to reflect the population that we’re serving.
Eleanor Dallaway: At the Neuro-diversity in Cybersecurity event I attended a few weeks ago, GCHQ got many mentions for employing so many autistic people. From your perspective, what do neuro-diverse people bring to GCHQ?
Chris Ensor: It’s about diversity of thinking. Going back to Bletchley Park, if you look at who was at Bletchley, and the characters there, there was a fascinating set of people and it just shows what can be achieved. We want to do that!
Eleanor Dallaway: In his speech, Ciaran Martin said the NCSC do what the private sector can’t and shouldn’t – what is that?
Alex Dewdney: Obviously there’s a huge overlap and that’s where I think the magic happens when we’re doing stuff together. One obvious example is that we have the legal authority to gather intelligence in a way that industry can’t. We can provide unique insight and knowledge because of that.
Chris Ensor: We rely hugely on the private sector at the end of the day. A lot of the time, we just help the private sector to do more. We provide consultancy and should be working with industry, giving them the work that is appropriate for them to do. If you look at the active cyber-defense stuff, that’s about the ISPs and CSPs doing things to prevent their customers getting malware. We can’t do that and it’s not appropriate for us to do that. We might be able to give the information about the bad websites, harvest them from different places, but we need to give those over to the ISPs and CSPs to protect their customers.
We run an accelerator in Cheltenham and we’re keen that new start-ups should be doing new and different things and not competing with other start-ups. We’re trying to find niches to problems that people don’t have solutions for. We don’t fund the companies; we give them as many opportunities as we can, but the big thing they want from us is our expertise. The 2010 National Cybersecurity Strategy has a paragraph about GCHQ using expertise to improve the UK’s prosperity and this accelerator is the embodiment of that.
The challenge we have is that we are a donut with razor-wiring around it. It keeps people out, but it also sometimes stops people working with others. It’s taken us a long time to encourage our staff to work with the academics and share knowledge.
Eleanor Dallaway: Are we any further forward in bringing the private sector, public sector and academia together to work on a shared mission?
Chris Ensor: We created CyberInvest, a government, industry and academic partnership, which is all about getting the three lots working better together. Yesterday, we had members from all the academic centers of excellence and the research centers in a room with all the 28 industry members that have signed up to invest in academic research. Larger organizations pledge to offer half a million pounds to academia over five years, and that goes down to a purely ‘in kind’ contribution from an SME. We have made improvements but there is a long way to go.
Eleanor Dallaway: Various NCSC spokespeople at this event have suggested that the NCSC is about prevention, and that the NCA pick up the investigation. Is that correct?
Alex Dewdney: The NCSC is actually end to end. Some of our operational partnerships are really critical. We work with law enforcement and the NCA on jointly investigating cybercrime, but the NCSC is end to end. We do run operations that set out to detect, attribute and analyze cyber-attacks. That runs right through: we have an incident management function, and it runs right through to advice. The idea is to get the information flow moving in both directions.