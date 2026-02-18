After a 30-plus-year career in IT architecture, Curley joined the company in 2022. He now works alongside National Gas’s CISO, Polly Cameron, to align the cybersecurity strategy across three domains: enterprise IT systems, industrial systems and critical national infrastructure (CNI) systems.

As chief technology officer (CTO) of National Gas, Darren Curley oversee the technology strategy of one of the most critical entities in the UK, maintaining Britain’s high-pressure gas transmission system, transporting gas to homes, businesses and power stations through 5000 miles of pipeline.

Infosecurity Magazine: As a CTO, to what extent are you involved in the cybersecurity strategy of National Gas?

Darren Curley: I've been working in IT for 34 years. During those years, my involvement in setting up the security architecture for the organizations I worked for has increased quite a lot.

Today, at National Gas, my role as CTO consists of defining the IT and security strategy from a solution perspective: choosing the tech stack, the vendors and overseeing the implementation, then handing it over to our security team.

Everybody gets quite excited about security, but it's just another capability that you deploy through technology. At National Gas, we knew we didn’t have time to select the best of breed for each solution we needed and integrate each of them one by one. The approach we have taken has served us well so far.

It's quite nice, really, to be able to oversee a holistic tech stack implementation in an organization.

IM: How do you interact with other the security roles, like the CISO or the SOC team?

DC: The definition of the security components falls under my area and the implementation and every day running of the security functions falls under the CISO’s.



Of course, there will always be tensions in that relationship, because everybody has a different perspective. These are usually technology choices and it's usually from historic context. One person is used to a certain technology stack, but another one believes it doesn't fall in with our strategy.

We need to balance it up and potentially reskill staff members so that they've got the skills they need for the strategy we have chosen and the solutions we have selected. The people aspect often gets overlooked, and it's the bit that usually creates the most tension.

My way of dealing with this is to set out a common future that we want to achieve. Then I go through proper security architectural review with the CISO, the SOC team and other cyber roles so that we get the right solutions.

As a CTO, I can only see so much, but when you bring in the views of the SOC and the CISO and other people, it's a bit like a diamond, the more facets you have on it, the brighter it shines. I always look for a different facet to my own to make sure that we've got everything covered or at least we are aware of what we are missing.

I think that sometimes choosing the simple solution and retraining people is much better than trying to shoehorn something in that they used to use. A change in totality is sometimes easier to land than trying to be a facsimile of something that they thought they understood before.

Thankfully, at National Gas, we didn’t have to add budget constraints to these contentious points - which is quite unique in our sector.

IM: Do you and the CISO have a seat at the board?

DC: No, we both report to the CIO, who's on the executive board.

However, when it comes to key things – for example, the digital strategy of the organization – I'll work with the CIO and we'll land that with the board jointly.

Actually, we only just got the CIO’s seat at the board, he used to report to the CFO, who was the only board representative directly involved with the security strategy. That’s a progress! But I think the number of seats that we get at the board will always be hamstrung.

IM: We often hear from CISOs that they have to deal with too many security solutions and that their technology stack is growing exponentially. How do you deal with that at National Gas?

DC: It is true for us, but not for the usual reason. At National Gas, we've got different security domains: operational technology (OT), which I equate to the muscles that open the valves or start a compressor to pump gas; critical national infrastructure (CNI) systems, the nervous system that drives the muscles; and enterprise IT systems, which is the productivity area for the general workers.

For reasons of separation and segregation, those areas sometimes have repeats of security capabilities, which is a common pattern across all energy sector clients.

My aim has been to try to move us more towards the same tools with similar approaches in all three domains but with different deployments. For instance, if we're using Palo Alto Networks in enterprise IT and it's working, why don't we use Palo Alto firewalls on a perimeter or some of their scanning technologies inside those zones as a separate deployment?