Robert Hannigan has had an illustrious career spanning both government and the private sector in cybersecurity. He played an instrumental role in developing the UK's early approaches to cybersecurity as well as advising Prime Ministers on national security issues. As Director of GCHQ from 2014 to 2017, he oversaw transformational changes including the creation of the National Cyber Security Centre. Hannigan now works in the private sector to address ongoing cybersecurity challenges like the skills gap, and promotes diversity and opportunities for people of all backgrounds in the field.

1. 16 www.infosecurity-magazine.com
PROFILE INTERVIEW

2. www.infosecurity-magazine.com 17
@InfosecurityMag
@InfosecurityMag ROBERT HANNIGAN
They say variety is the spice of life
and that’s a phrase that comes
to mind when reflecting on the
illustrious career of Robert Hannigan; a
career which shows no signs of abating.
Hannigan first came into prominence
as a result of his involvement in the
notoriously complex Northern Ireland
peace process during the noughties, for
which he was singled out for praise by
former UK Prime Minister Tony Blair in
his autobiography.
Following this experience, Hannigan
held a number of high-profile
intelligence and security roles in the
UK government, where he played an
instrumental role in developing the UK’s
early approaches to cybersecurity at a
national level. Hannigan now resides
in the private sector, as chairman at
early-stage cybersecurity services
company BlueVoyant, alongside holding
numerous advisory positions in the
industry. Hannigan is unsurprisingly
considered a leading authority in
the field of cybersecurity, and can be
regularly found speaking and writing on
major issues affecting the sector.
The opportunity to discuss his
exciting career to date, as well as
get his perspectives on the world of
cybersecurity more generally, was one
that we here at Infosecurity found simply
too good to turn down.
Sadly, but inevitably, given the
ongoing COVID-19 crisis, we are forced
to conduct the interview virtually. This
is a shame, especially as this is the first
time I have met Hannigan. Nevertheless,
I am immediately struck by his friendly,
unassuming manner, which allows the
conversation to flow from the off.
From Peace Process
to Cybersecurity
An interesting aspect to Hannigan is
that by no means does he have a ‘typical’
background for someone so prominent
in cybersecurity. As he modestly
acknowledges, he doesn’t “have a deeply
technical background,” and studied
classics during his time at the University
of Oxford. Although he has always held a
strong interest in technology, borne out of
his fascination with the incredible code-
breaking work undertaken at Bletchley
Park during World War 2, he admits that
he didn’t expect his career to pan out in the
manner it has. In many ways, this makes
his subsequent journey in such a technical
industry all the more impressive.
After an early career in the private
sector, he served in the Northern
Ireland Office for the UK government
from 2000-2007, where he was heavily
involved in ensuring the success of the
peace process following the Good Friday
settlement in 1998. This experience
in Northern Ireland, where he and
his family lived for a number of years,
exposed him to issues around national
security, including terrorism. Just as
the ‘troubles’ in Northern Ireland were
coming to an end, the threats posed by
Islamic terrorism began to ramp up in
the UK, and this led to Hannigan’s new
calling – as the Prime Minister’s security
advisor and head of security, intelligence
and resilience at the Cabinet Office.
As Hannigan puts it in his usual
humble style, “I guess the civil service
thought I must know about terrorism
having been in Northern Ireland and
thought I’d be fit for the job.”
In this dual role, Hannigan advised
the Prime Minister on “anything topical”
in security, and assisted in shaping the
government’s response to a range of crises
that took place over this period. This
involved “everything from floods – there
was a lot of flooding at the time – to food
shortages and [topically] a pandemic,
swine flu,” he explains. He was also
responsible for the funding and oversight
of the three UK intelligence agencies.
During what he calls “an interesting
time in government,” cybersecurity
really came to the fore inside Whitehall,
and Hannigan helped develop the UK
government’s first cybersecurity strategy.
“Both Tony Blair and Gordon Brown
could see the strategic importance of
cyber and said we need to sit down and
work out who’s responsible and how do
we get ahead of this,” he outlines.
In 2010 Hannigan took up the post of
director general, defence & intelligence
at the Foreign and Commonwealth
Office, where he observed the
beginnings of cyber-attacks being
utilized by hostile state and non-state
actors with the intent of damaging the
UK state and its infrastructure. This
differed from the financial motivations
of traditional cyber-criminals.
“It was clear that terrorism and other
threats were going online, so there was
a natural concern about cyber. Cyber-
attacks were growing, and we could see
that was only going in one direction,”
he comments.
ROBERT
HANNIGAN
Former Director of GCHQ, Robert Hannigan, has navigated a somewhat unexpected
cybersecurity career through government and now the private sector. He talks
to James Coker about his days advising the Prime Minister and his passion for
increasing diversity in the industry
Both Tony Blair and
Gordon Brown could see
the strategic importance
of cyber”
“

3. 18 www.infosecurity-magazine.com
Amid this increasingly dangerous
landscape, in 2014 Hannigan was
appointed to the prestigious position of
director of GCHQ, the UK’s intelligence
and security agency. Here, he was at the
heart of a number of transformational
structural changes to the way the UK
approached cybersecurity, which continue
to have a profound impact to this day.
He notes that prior to taking up this
post, “for some years GCHQ did a good
job in raising awareness by talking to
the private sector about the issues long
before anybody was really focused
on this.” However, with reliance on
the internet growing throughout all
sectors, including in critical national
infrastructure, there “was a feeling that
government had to intervene more and
do more at scale for the country, and
bring the expertise and some of the data
available to GCHQ together with the
private sector’s expertise and data.”
This notion of the government playing
a more active role in cyber-defense
alongside the private sector, which held
most of the cybersecurity skills and
resources at this time, led to the creation
of the National Cyber Security Centre
(NCSC). The body, which became
operational in 2016, offers cybersecurity
guidance and support for both the
private and public sectors. Hannigan
also highlights the importance of the
Active Cyber Defense (ACD) program
in the NCSC, which was developed
during his tenure at GCHQ. This
provides tools and services, free at the
point of use, to protect against a range of
cybersecurity threats.
It’s fair to say that the rise in cyber-
threats during his time working in
national security and intelligence forced
Hannigan to become an expert in this
domain. He highlights two trends
that he observed in this area while in
government, the first of which was “the
commoditization of hacking/cyber-
attacks as a service or tools for sale, and
that led to an explosion of cybercrime
and new business models that really
worked for cyber-criminals.”
The other, he recalls, “was as relations
between countries began to deteriorate,
nation-states started to do reckless
things at scale and we’re seeing that now
with Russia, China and North Korea.”
He adds that “it feels like there’s no
constraint now in nation-state behavior,
and that’s really worrying.”
It’s easy to see why Hannigan was
entrusted to take up such high-pressured
security positions at the heart of
government. His carefully measured
and balanced responses to my questions
suggests he’s someone who won’t be
fazed in a crisis, or prone to making rash
decisions that could escalate tensions.
Experiencing Both Sides
of the Fence
After stepping down as Director of GCHQ
in 2017, with a decade of experience in the
sector under his wing, it is unsurprising
that Hannigan decided to continue
working in the field of cyber, albeit this
time in the private sector with startup firm
BlueVoyant. As well as being attracted to
the company by its “highly skilled people
with a strong sense of mission,” he relished
having the opportunity to experience
“both sides of the fence, to see how the
private sector works.”
Hannigan believes more of this kind
of crossover is vital, as it improves
understanding of the challenges
facing all stakeholders. His personal
journey has provided him with these
experiences, seeing “the sharp end of
cyber-attacks against the country” while
at GCHQ, and in the private sector,
having the opportunity to undertake
research into “where the threat is going.”
At BlueVoyant, he regularly interacts
with CISOs to understand the challenges
they are facing in order to see how his
organization can be of help.
Putting all these experiences together,
Hannigan has concluded that the
cybersecurity skills gap is the “biggest
single issue” facing the sector. In his
view, tackling this problem requires
more collaboration between the
government and private sector, and
also increasing the use of automation to
detect and combat threats. He believes
the latter “has to be a big part of the
future of cybersecurity because the skills
shortage isn’t going to get much better
for such a long time.”
Taking action to address the skills gap
in cybersecurity is something Hannigan
is just as passionate about now in the
private sector as he was when working
in government. This is even evident in
his demeanor as he discusses this subject
in great depth during our call, sitting up
a little from the relaxed position in his
chair and speaking at a faster tempo.
In particular, he believes it is not
just morally right, but a strategic
necessity to ensure that more people
from underrepresented communities,
such as women and ethnic minorities,
are empowered to pursue a career in
cyber. Not only will this provide a much
wider pool of talent to select from than
is currently the case, it will also ensure
there is greater diversity of experiences
and viewpoints, which will be important
in keeping up to speed with the tactics of
cyber-attackers. He points to a number
of initiatives in this area that were
first launched when he was director
at GCHQ and are continuing to this
day, including the annual CyberFirst
Girls Competition, which is designed
to inspire school-age girls to consider
pursuing a career in cybersecurity.
At BlueVoyant, Hannigan highlights
the use of US-based internships and
mentoring schemes that are particularly
focused on African American and other
disadvantaged communities. However,
he cautions that persistence and patience
is required to see results emanating from
such initiatives. “All those things are
really great and will over time make a
difference. There are lots of other people
doing initiatives to try and get more
people into cybersecurity, including
those groups that are underrepresented
and women especially – it’s a huge
problem that over half of the population
isn’t fully engaged in this,” he comments.
“So we need to crack that, but these
things will take a long time and they’re
relatively small scale. It’s going to take
some years to actually shift the overall
picture on cyber-skills but we have to
keep trying new things.”
Never Too Late to
Enter the Industry
As well as making a cybersecurity
career more accessible to those from
underrepresented groups, Hannigan
strongly believes the sector needs to
become far more welcoming to those
Robert Hannigan, as Director of GCHQ, hosted
the Queen and the Duke of Edinburgh at the
official opening of the NCSC on 13 February
2017, at its headquarters in central London
PROFILE INTERVIEW

4. www.infosecurity-magazine.com 19
@InfosecurityMag
@InfosecurityMag
END
from non-technical backgrounds.
“Within BlueVoyant, we no longer say
you have to have a computer science
degree; we’re much more open to
experience and aptitude and I think
that’s the way to go for everybody. We’ve
been much too traditional in the cyber
sector in the way we recruit and measure
skills,” he says.
You could say this is something of
a personal issue for Hannigan. While
interested in technology throughout his
life, he has essentially been forced to
learn this side of things ‘on the job’.
As a result, he knows it is
very possible for people to learn
technical skills outside of traditional
academic settings, and initiatives like
apprenticeships are especially important
in enabling this. Hannigan notes: “We
really expanded and accelerated those
at GCHQ because a lot of people don’t
want to go to university but they enjoy
technology and are good at it.”
These skills can be garnered in a
number of ways. Hannigan highlights
how he regularly speaks to - and
asks questions of - colleagues with
greater levels of technical expertise
than himself in order to learn from
them. Additionally, he notes, there
are a number of great online training
resources in cyber that can be utilized
by those considering switching careers.
“The great thing about the cyber age is
that yes there’s a skills shortage, but if
you want to acquire those skills you can
go and do it online,” he outlines.
He is also is at pains to emphasize that
it’s never too late to join the industry.
“The other thing I’d say is that you
should never assume it’s too late to learn
new skills in cyber,” he outlines. “So as
well as focusing on underrepresented
groups, such as women, we should look
at, and try to encourage mid-career
people to switch across and to learn at
least one niche area of cyber. You don’t
have to be 20 to do this.”
Cybersecurity:
A Team Sport
Hannigan also strongly believes that
cybersecurity is a team endeavor, made
up of different, but equally important,
component parts. “We focus on
technology in cyber, but actually it’s all
about people,” he explains. “If you get
the right people with the right skills and
accept that they will know much more
than you about whatever specialism
they’ve got and then you put the right
mixture of people together, that’s when
you get amazing things happening.
That’s true in GCHQ and it’s also true in
the private sector.”
Drawing on his own extensive
experience in leadership positions in the
industry, both in the public and private
sectors, he emphasizes that individuals
can only be effective as part of a wider
group, all pulling in the same direction.
“The one thing I’ve learned from day
one is that cybersecurity is a team sport,”
Hannigan comments, adding that “cyber
involves so many different technical
areas of expertise and so many wider
areas that it has to be team.”
The promotion and development of
new cybersecurity startup companies
is another passion of Hannigan’s,
as displayed by his involvement at
BlueVoyant, which he joined near the
start of its inception in 2017. As with
the skills gap issue, I can see his passion
come through on this topic in his
slightly more intense body language and
voice, which have generally been very
relaxed throughout the discussion. He
says: “It’s great to see how a company
develops as you go through stages
of maturity and expansion, and as
somebody coming from government
and used to really big organizations, it’s
been a really interesting journey.”
Hannigan is also able to act on this
passion through his role as chairman,
industry advisory board at the London
Office for Rapid Cybersecurity
Advancement (LORCA). This is a UK
government-backed initiative designed
to act as a launchpad for early-stage
cybersecurity companies, connecting
them with investors. It has proved very
successful so far – last year it was found
that cybersecurity startups and scaleups
that have progressed through LORCA’s
innovation program since it started in
2018 have collectively raised over £150m
in investment.
Amid increasing and more
sophisticated attacks, Hannigan
believes the innovative and fluid
nature of startups will be critical in
developing the solutions needed to
counter increasingly sophisticated
threat actors. “That’s been fascinating
to watch, and I think they’re doing
great things – there is a really dynamic
sector out there,” he notes.
In terms of those he most admires
in the industry, Hannigan explains
that particularly through his role
at BlueVoyant, he has gained an
enormous appreciation for the job
CISOs do, and the challenges they
have to navigate on a day-to-day basis.
“I think they parallel what government
tries to do: they’re trying to manage
current events and challenges and
there’s a huge workload,” he explains.
“But they also have to keep their eye
on future developments. The day job
is really tough and I admire those who
do it.”
Hannigan also expresses admiration
for initiatives undertaken by tech giant
Microsoft in recent years, particularly
in the area of cloud security, which
he feels “will transform and improve
security for many companies.” He adds:
“I admire them because I think here’s a
global tech company using its awesome
global metadata on cyber around the
world to make things better. And it’s
not always said that tech giants do the
right thing.”
It’s noticeable that the recurring
theme throughout our discussion with
Hannigan is that of teamwork – both
in reference to internal teamwork, and
externally, with public sector bodies
and small and large private companies
all having a vital role to play in keeping
society secure amid an increasingly
dangerous threat landscape.
As someone who has experienced
all areas of the industry in one way
or another, it will be characters like
Hannigan who will be pivotal in
bringing the sector together to fight our
common foes
ROBERT HANNIGAN
We’ve been much
too traditional in the
cyber sector in the
way we recruit and
measure skills”
“
Robert Hannigan
will be the
Keynote Speaker
on Day 3 of the
Infosecurity
Europe event,
taking place
from 13-15
July at Olympia London. He
will be discussing a range of
topics, including nation state
sponsored cyber-attacks