For all the advancements in technology and the evolving nature of threats, our society’s cyber security flaws have remained steadfast for decades – ask someone who knows. Having worked in computer security at the highest level since the closing years of the Cold War, Chris Ensor of GCHQ is frustrated that “we are still making the same mistakes.”
He explains: “Even 30 years ago, people were blaming breaches on bad passwords and mistakes made by administrators. We haven’t learnt because it never killed anyone – if a plane falls out of the sky, we diagnose and fix. With cyber security we have let it slide because it’s everyone’s choice whether they take care online or not. How do we convince them all?”
It’s a challenge that Chris has been grappling with since 1989 when he joined GCHQ, inspired in part by his two boyhood TV heroes: Dr Who and Bernard Quartermass. “I think I wanted to be a Government scientist like Quartermass,” says Chris, “and I was intrigued by GCHQ. Back then it was a very secretive intelligence organisation and it just sounded cool.”
Just as the landscape in which GCHQ operates has shifted in three decades, so has Chris, taking on a wide range of roles within the organisation, albeit while maintaining a core focus on computer security. He currently works within the new wing of GCHQ – the National Cyber Security Centre (NCSC) – as Deputy Director for Cyber Skills and Growth.
“I’m not quite sure how I became the champion for skills,” says Chris, “but it’s such an important area. As well as helping existing businesses gain security skills, we are focused on improving the talent pipeline for the future. Ultimately, we are trying to increase the digital and cyber skills capacity and capability of the UK.”
The brief is wide, but one area he is passionate about is young people. His various projects aimed at upskilling youngsters include cyber contests, CyberFirst summer schools, and accreditation for university courses, all of which use the NCSC brand to help endorse and promote cyber subjects to our future workforce. He is one of the few public and visible figures at NCSC; a position that doesn’t sit entirely comfortably with him after so many years of secrecy.
“Most of our staff are kept anonymous for their own protection, but we need to be a bit more visible today. We can use the NCSC reputation to attract attention and promote cyber courses,” he says. “How can youngsters aspire to a career they don’t know about? You can’t be what you can’t see.”
In particular, NCSC puts focus on changing the image of cyber security to attract more females to the profession, as “diversity is definitely one of the major issues,” says Chris. NCSC currently runs girls-only summer schools and cyber contests, focusing on providing female role models such as Nominet’s Head of Cyber Security, Cath Goulding, at these events.
Diversity is also taken seriously across GCHQ. “I won’t speak on a panel if there isn’t a balance of genders on it,” says Chris. “Diversity should matter to us all because it helps to reduce group think – plus things always work better if you have a mix of skillsets and outlooks. Girls bring a different perspective.”
His own daughter is studying psychology, and his son is focusing on geography. Neither has followed their father into his profession, but Chris says he was always determined that both his children chose their own paths and careers despite his affection for his cyber security work. “This type of work is not for everyone; you’ve got to really believe in it. We’re here to maintain national security and keep the nation safe. It’s a mission for us who do it.”
However cyclical the issues of cyber security – and how long his working hours – Chris enjoys his role. “You can really make a difference working in Government – that’s why I’ve never wanted to leave,” he says. “Now I’m working on cyber skills, I’m even more determined. I know upskilling a nation is a long game, but I’ll see it through until we sense we have significantly moved the dial on this critical issue.”