Ciaran Martin
[University of Oxford]
Ciaran Martin founded the UK’s world leading National Cyber Security Centre and headed it for the first four years of its existence. Currently, after stepping down from his role with NCSC at the end of August 2020, Martin holds the position of Professor of Practice in the Management of Public Organisations at Oxford University’s Blavatnik School of Government and advises NATO and a number of private sector organisations on cyber security strategies.
The NCSC, part of GCHQ, where Martin served as an executive board member for six and a half years, is regarded as the world leader among public authorities for cyber security. The International Telecommunications Union now ranks the UK as the #1 country for cyber security as a result of the NCSC’s work.
Under Martin’s leadership, the NCSC took the lead in managing more than 2,000 nationally significant cyber-attacks against the UK, including the so-called Wannacry attack against the NHS in 2017. He led the detection work that prompted the Government to call out, for the first time, cyber aggression from Russia, China, Iran and North Korea.
He helped the NCSC transform the Government’s relationship with business on cyber security. In 2018, in a keynote at the CBI’s cyber security conference, he launched a board toolkit with five essential questions corporate leaders needed to understand. As a global cyber security leader, he travelled to more than 30 countries in five continents building partnerships with Government, national security and corporate leaders.
At the NCSC he was a much sought after guest of the UK’s major corporate boards.
Martin believes the essence of good cyber security is demystifying a complex subject and finding a way and a language for the specialists to engage with the leadership. That becomes more and more important as new technologies and technology platforms – 5G, the Internet of Things, quantum – become the new realities.
Martin is also a 23 year veteran of the UK Government, working directly with five Prime Ministers and a variety of senior Ministers from three political parties. He held senior positions at HM Treasury and the Cabinet Office as well as GCHQ. He was head of the Cabinet Secretary’s Office and led the official negotiations that led to the agreed terms and rules for the Scottish independence referendum.
In 2020 Ciaran Martin was appointed CB by Her Majesty The Queen and has received a range of awards domestically and internationally in recognition of his cyber security work.
Talk:
Cyber threats: what is a normal organisation with a normal budget and other priorities to do?
View this presentation on the AusCERT YouTube channel here.
Technical difficulty: Medium
We have unhelpfully ‘catastrophised’ cyber threats with talk of cyber war and unstoppable hackers. The reality is that cyber harms are real, but they are more likely to be pernicious and chronic, hitting businesses with costly data breaches, individuals with small losses of money or uncomfortable compromises of personal data, and important systems with disruption short of physical harm. Taken together, all of this adds up: it’s the aggregation of small harms into a huge social, national and international problem.
So what is to be done about it? There is a role for Governments, but each organisation has to do its bit to protect itself and its community: cyber security is now a public good as we need to work together to protect the cyber environment in which we all live and work. The problem is that most organisations and people don’t – and shouldn’t – primarily focus on cyber security. They are there to do other things. And yet the advice often given to them implies they need nation state cyber defences if they are going to be able to cope. And most ordinary businesses, educational institutions and small public authorities have neither the money nor skills nor focus to be able to do that.
So what are such organisations to do? The good news is that it’s not true that nation state capabilities are needed for good enough cyber defences. Organisations and individuals need an understanding of the risk, a good plan, and appropriate capabilities. Using real life examples, good and bad, from six and a half years running cyber security for the United Kingdom, in this session Ciaran Martin sets out practical tips as to what what a normal organisation with a limited budget and better things to be getting on with should do about the cyber risk