They say variety is the spice of life and that’s a phrase that comes to mind when reflecting on the illustrious career of Robert Hannigan; a career which shows no signs of abating.
Hannigan first came into prominence as a result of his involvement in the notoriously complex Northern Ireland peace process during the noughties, for which he was singled out for praise by former UK Prime Minister Tony Blair in his autobiography.
Following this experience, Hannigan held a number of high-profile intelligence and security roles in the UK government, where he played an instrumental role in developing the UK’s early approaches to cybersecurity at a national level. Hannigan now resides in the private sector, as chairman at early-stage cybersecurity services company BlueVoyant, alongside holding numerous advisory positions in the industry. Hannigan is unsurprisingly considered a leading authority in the field of cybersecurity, and can be regularly found speaking and writing on major issues affecting the sector.
The opportunity to discuss his exciting career to date, as well as get his perspectives on the world of cybersecurity more generally, was one that we here at Infosecurity found simply too good to turn down.
Sadly, but inevitably, given the ongoing COVID-19 crisis, we are forced to conduct the interview virtually. This is a shame, especially as this is the first time I have met Hannigan. Nevertheless, I am immediately struck by his friendly, unassuming manner, which allows the conversation to flow from the off.
From Peace Process to Cybersecurity
An interesting aspect to Hannigan is that by no means does he have a ‘typical’ background for someone so prominent in cybersecurity. As he modestly acknowledges, he doesn’t “have a deeply technical background,” and studied classics during his time at the University of Oxford. Although he has always held a strong interest in technology, born out of his fascination with the incredible code-breaking work undertaken at Bletchley Park during World War 2, he admits that he didn’t expect his career to pan out in the manner it has. In many ways, this makes his subsequent journey in such a technical industry all the more impressive.
After an early career in the private sector, he served in the Northern Ireland Office for the UK government from 2000-2007, where he was heavily involved in ensuring the success of the peace process following the Good Friday settlement in 1998. This experience in Northern Ireland, where he and his family lived for a number of years, exposed him to issues around national security, including terrorism. Just as the ‘troubles’ in Northern Ireland were coming to an end, the threats posed by Islamic terrorism began to ramp up in the UK, and this led to Hannigan’s new calling – as the Prime Minister’s security advisor and head of security, intelligence and resilience at the Cabinet Office.
As Hannigan puts it in his usual humble style, “I guess the civil service thought I must know about terrorism having been in Northern Ireland and thought I’d be fit for the job.”
In this dual role, Hannigan advised the Prime Minister on “anything topical” in security, and assisted in shaping the government’s response to a range of crises that took place over this period. This involved “everything from floods – there was a lot of flooding at the time – to food shortages and [topically] a pandemic, swine flu,” he explains. He was also responsible for the funding and oversight of the three UK intelligence agencies.
During what he calls “an interesting time in government,” cybersecurity really came to the fore inside Whitehall, and Hannigan helped develop the UK government’s first cybersecurity strategy. “Both Tony Blair and Gordon Brown could see the strategic importance of cyber and said we need to sit down and work out who’s responsible and how do we get ahead of this,” he outlines.
In 2010 Hannigan took up the post of director general, defence & intelligence at the Foreign and Commonwealth Office, where he observed the beginnings of cyber-attacks being utilized by hostile state and non-state actors with the intent of damaging the UK state and its infrastructure. This differed from the financial motivations of traditional cyber-criminals.
“It was clear that terrorism and other threats were going online, so there was a natural concern about cyber. Cyber-attacks were growing, and we could see that was only going in one direction,” he comments.
Amid this increasingly dangerous landscape, in 2014 Hannigan was appointed to the prestigious position of director of GCHQ, the UK’s intelligence and security agency. Here, he was at the heart of a number of transformational structural changes to the way the UK approached cybersecurity, which continue to have a profound impact to this day.
He notes that prior to taking up this post, “for some years GCHQ did a good job in raising awareness by talking to the private sector about the issues long before anybody was really focused on this.” However, with reliance on the internet growing throughout all sectors, including in critical national infrastructure, there “was a feeling that government had to intervene more and do more at scale for the country, and bring the expertise and some of the data available to GCHQ together with the private sector’s expertise and data.”
This notion of the government playing a more active role in cyber-defense alongside the private sector, which held most of the cybersecurity skills and resources at this time, led to the creation of the National Cyber Security Centre (NCSC). The body, which became operational in 2016, offers cybersecurity guidance and support for both the private and public sectors. Hannigan also highlights the importance of the Active Cyber Defense (ACD) program in the NCSC, which was developed during his tenure at GCHQ. This provides tools and services, free at the point of use, to protect against a range of cybersecurity threats.
It’s fair to say that the rise in cyber-threats during his time working in national security and intelligence forced Hannigan to become an expert in this domain. He highlights two trends that he observed in this area while in government, the first of which was “the commoditization of hacking/cyber-attacks as a service or tools for sale, and that led to an explosion of cybercrime and new business models that really worked for cyber-criminals.”
The other, he recalls, “was as relations between countries began to deteriorate, nation-states started to do reckless things at scale and we’re seeing that now with Russia, China and North Korea.” He adds that “it feels like there’s no constraint now in nation-state behavior, and that’s really worrying.”
It’s easy to see why Hannigan was entrusted to take up such high-pressured security positions at the heart of government. His carefully measured and balanced responses to my questions suggest he’s someone who won’t be fazed in a crisis, or prone to making rash decisions that could escalate tensions.
Experiencing Both Sides of the Fence
After stepping down as Director of GCHQ in 2017, with a decade of experience in the sector under his belt, it is unsurprising that Hannigan decided to continue working in the field of cyber, albeit this time in the private sector with startup firm BlueVoyant. As well as being attracted to the company by its “highly skilled people with a strong sense of mission,” he relished having the opportunity to experience “both sides of the fence, to see how the private sector works.”
Hannigan believes more of this kind of crossover is vital, as it improves understanding of the challenges facing all stakeholders. His personal journey has provided him with these experiences, seeing “the sharp end of cyber-attacks against the country” while at GCHQ, and in the private sector, having the opportunity to undertake research into “where the threat is going.” At BlueVoyant, he regularly interacts with CISOs to understand the challenges they are facing in order to see how his organization can be of help.
Putting all these experiences together, Hannigan has concluded that the cybersecurity skills gap is the “biggest single issue” facing the sector. In his view, tackling this problem requires more collaboration between the government and private sector, and also increasing the use of automation to detect and combat threats. He believes the latter “has to be a big part of the future of cybersecurity because the skills shortage isn’t going to get much better for such a long time.”
Taking action to address the skills gap in cybersecurity is something Hannigan is just as passionate about now in the private sector as he was when working in government. This is even evident in his demeanor as he discusses this subject in great depth during our call, sitting up a little from the relaxed position in his chair and speaking at a faster tempo.
In particular, he believes it is not just morally right, but a strategic necessity to ensure that more people from underrepresented communities, such as women and ethnic minorities, are empowered to pursue a career in cyber. Not only will this provide a much wider pool of talent to select from than is currently the case, it will also ensure there is greater diversity of experiences and viewpoints, which will be important in keeping up to speed with the tactics of cyber-attackers. He points to a number of initiatives in this area that were first launched when he was director at GCHQ and are continuing to this day, including the annual CyberFirst Girls Competition, which is designed to inspire school-age girls to consider pursuing a career in cybersecurity.
At BlueVoyant, Hannigan highlights the use of US-based internships and mentoring schemes that are particularly focused on African American and other disadvantaged communities. However, he cautions that persistence and patience are required to see results emanating from such initiatives. “All those things are really great and will over time make a difference. There are lots of other people doing initiatives to try and get more people into cybersecurity, including those groups that are underrepresented and women especially – it’s a huge problem that over half of the population isn’t fully engaged in this,” he comments. “So we need to crack that, but these things will take a long time and they’re relatively small scale. It’s going to take some years to actually shift the overall picture on cyber-skills but we have to keep trying new things.”
Never Too Late to Enter the Industry
As well as making a cybersecurity career more accessible to those from underrepresented groups, Hannigan strongly believes the sector needs to become far more welcoming to those from non-technical backgrounds. “Within BlueVoyant, we no longer say you have to have a computer science degree; we’re much more open to experience and aptitude and I think that’s the way to go for everybody. We’ve been much too traditional in the cyber sector in the way we recruit and measure skills,” he says.
You could say this is something of a personal issue for Hannigan. While interested in technology throughout his life, he has essentially been forced to learn this side of things ‘on the job’.
As a result, he knows it is very possible for people to learn technical skills outside of traditional academic settings, and initiatives like apprenticeships are especially important in enabling this. Hannigan notes: “We really expanded and accelerated those at GCHQ because a lot of people don’t want to go to university but they enjoy technology and are good at it.”
These skills can be garnered in a number of ways. Hannigan highlights how he regularly speaks to - and asks questions of - colleagues with greater levels of technical expertise than himself in order to learn from them. Additionally, he notes, there are a number of great online training resources in cyber that can be utilized by those considering switching careers. “The great thing about the cyber age is that yes there’s a skills shortage, but if you want to acquire those skills you can go and do it online,” he outlines.
He is also at pains to emphasize that it’s never too late to join the industry. “The other thing I’d say is that you should never assume it’s too late to learn new skills in cyber,” he outlines. “So as well as focusing on underrepresented groups, such as women, we should look at, and try to encourage mid-career people to switch across and to learn at least one niche area of cyber. You don’t have to be 20 to do this.”
Cybersecurity: A Team Sport
Hannigan also strongly believes that cybersecurity is a team endeavor, made up of different, but equally important, component parts. “We focus on technology in cyber, but actually it’s all about people,” he explains. “If you get the right people with the right skills and accept that they will know much more than you about whatever specialism they’ve got and then you put the right mixture of people together, that’s when you get amazing things happening. That’s true in GCHQ and it’s also true in the private sector.”
Drawing on his own extensive experience in leadership positions in the industry, both in the public and private sectors, he emphasizes that individuals can only be effective as part of a wider group, all pulling in the same direction. “The one thing I’ve learned from day one is that cybersecurity is a team sport,” Hannigan comments, adding that “cyber involves so many different technical areas of expertise and so many wider areas that it has to be team.”
The promotion and development of new cybersecurity startup companies is another passion of Hannigan’s, as displayed by his involvement at BlueVoyant, which he joined near its inception in 2017. As with the skills gap issue, I can see his passion come through on this topic in his slightly more intense body language and voice, which have generally been very relaxed throughout the discussion. He says: “It’s great to see how a company develops as you go through stages of maturity and expansion, and as somebody coming from government and used to really big organizations, it’s been a really interesting journey.”
Hannigan is also able to act on this passion through his role as chairman, industry advisory board at the London Office for Rapid Cybersecurity Advancement (LORCA). This is a UK government-backed initiative designed to act as a launchpad for early-stage cybersecurity companies, connecting them with investors. It has proved very successful so far – last year it was found that cybersecurity startups and scaleups that have progressed through LORCA’s innovation program since it started in 2018 have collectively raised over £150m in investment.
As attacks grow in number and sophistication, Hannigan believes the innovative and fluid nature of startups will be critical in developing the solutions needed to counter threat actors. “That’s been fascinating to watch, and I think they’re doing great things – there is a really dynamic sector out there,” he notes.
In terms of those he most admires in the industry, Hannigan explains that particularly through his role at BlueVoyant, he has gained an enormous appreciation for the job CISOs do, and the challenges they have to navigate on a day-to-day basis. “I think they parallel what government tries to do: they’re trying to manage current events and challenges and there’s a huge workload,” he explains. “But they also have to keep their eye on future developments. The day job is really tough and I admire those who do it.”
Hannigan also expresses admiration for initiatives undertaken by tech giant Microsoft in recent years, particularly in the area of cloud security, which he feels “will transform and improve security for many companies.” He adds: “I admire them because I think here’s a global tech company using its awesome global metadata on cyber around the world to make things better. And it’s not always said that tech giants do the right thing.”
It’s noticeable that the recurring theme throughout our discussion with Hannigan is that of teamwork – both in reference to internal teamwork, and externally, with public sector bodies and small and large private companies all having a vital role to play in keeping society secure amid an increasingly dangerous threat landscape.
As someone who has experienced all areas of the industry in one way or another, it will be characters like Hannigan who will be pivotal in bringing the sector together to fight our common foes.