Having previously worked in the Royal Navy for over 20 years as a communications and intelligence specialist, as well as leading in technical security roles across the government, defence and civil nuclear sectors, CDS Defence and Security's Martin Nash has since occupied the head of cyber security and information assurance role at one of Gloucestershire's leading security firms.
SoGlos caught up with Nash to hear more about how he forged his successful career, the triumph of CDS DS and how others may be able to follow the same path.
About the expert - Martin Nash from CDS Defence and Security
After a career as a communications and intelligence specialist, Nash left the Royal Navy (RN) in December 2006 and pursued a second career as a cyber security and information assurance professional. He has experience in lead technical security roles across the government, defence and civil nuclear sectors in the UK and spent a period of three years working in the USA as the director of information security for a bank, while his wife was posted there by the civil service. Prior to moving to the US, he was a co-director/owner of a small specialist consultancy company based in Gloucester.
What led you to your position at CDS Defence and Security?
When I returned from the US in late 2017, I went back to being a principal cyber security consultant for a company I’d previously worked for. I wasn’t really looking for a new role, but was drawn to CDS Defence and Security after meeting with them in the course of my work and then seeing the role I’m in now being advertised.
The opportunity to head up, formally establish and grow a brand-new cyber security services business unit was too good to ignore. I was also drawn by the fact that CDS DS was also delivering an Insider Threat programme for defence – something that I’ve had experience of in the past and was the topic of my MSc thesis in 2013.
After quite a rigorous interview process, I joined CDS DS in January 2020. Little did I know that a pandemic was about to challenge the growth plan I’d established and had approved just before it hit in March 2020...
Can you explain what your role entails/what a day looks like in your position?
It’s a busy, but very rewarding role! Since I joined and formally established our cyber security and information assurance services business unit, the team and revenue size have tripled to approximately 36 people and £3.25m, respectively.
I spend about half my time delivering and leading strategic cyber security and information assurance services for clients, alongside my teams.
The remaining time is spent on managing the day-to-day running of the business unit. I am responsible for profit/loss, strategy, recruiting, supporting business development and, most importantly, making sure we have quality people across my teams to deliver the services we offer.
I’m big on encouraging a collaborative approach and providing opportunities for my team to develop themselves professionally and am so proud of what we have and continue to achieve together.
Can you explain what information assurance is?
When I left the RN in 2006, the term ‘cyber’ didn’t exist (let alone the idea of ‘cyber security’). The more general terms used were ‘information security’ and ‘information assurance’ – both are still around today, but are mostly subsumed by the term ‘cyber security’. Both terms are complementary to each other – you can’t do one without the other.
Information security is all about managing the risks to information. Information assurance is about assuring that the controls implemented to manage security risk enable information to be protected, trusted and available to authorised people and that businesses and organisations are enabled and resilient.
Some people argue that cyber security is quite different from information security and assurance. I believe they are pretty much one and the same – all too often, people forget that cyber security is ultimately about protecting the confidentiality, integrity and availability of information – we mustn’t lose sight of this, particularly when you consider the ever-increasing importance of information/data to our everyday personal and work lives!
What is the most interesting part of your job?
I get a real buzz out of knowing we’ve helped to reduce our clients' cyber security and information assurance risk, so they are better protected from the bad guys. It’s always interesting to work with new clients and help them understand where they need to start, or what they should do next to help protect their information and technology systems.
While often scary, it’s also interesting to see how the different cyber threats out there (cyber criminals in particular) adapt and evolve their ability to exploit technology and information for illegal financial gain – they are unbelievably well organised, trained and efficient.
There are a lot of commonalities in what we find and advise our clients on, but we always need to consider the proper context of the organisation we are helping and make sure that’s considered also. I do find the management side of running my business unit interesting, too – I have awesome people working for me and enjoy the positive feedback we get.
What advice would you give those who would like to enter the cyber security field?
If you ask people what cyber security is, you will get wide and varied answers. If you just ask what the word ‘cyber’ is on its own, it becomes even more vague and confusing! So, I always tell people who are interested in the profession to at least create a view and understand what cyber security is from their own perspective first and foremost.
Most people think it's just about things like ethical hacking (also called penetration testing) and digital forensics – but it’s much, much broader than that. Fundamentally, it really is all about managing information security risk, but it requires a breadth of skills, experience and certifications.
You don’t need to be overly technical for a career in cyber security, but you do need enough technical knowledge to be ‘dangerous’. There’s a good diagram that summarises the breadth and depth of the cyber security knowledge and expertise required in the National Cyber Security Centre’s Cyber Body of Knowledge (CyBoK) – you can download it online.
Education and certifications are important, but so is the ability to communicate technical concepts to non-technical audiences. So, understand what cyber security is, decide what it is you want to do specifically and then look for realistic opportunities that will help you develop your skills, certifications and experience.
The salaries are generally very good, but you need experience first, so just be realistic when starting out – the financial benefits will come in time! Oh, and there continues to be a global shortage of cyber security professionals, which is another incentive to join the profession…
What can people across Gloucestershire expect to see from the business in the coming years?
Well, first and foremost, my cyber security and information assurance business unit in CDS DS is only one of four. Our operations support, training and enhanced learning, and support engineering business units also continue to achieve growth and success.
We are seeing more and more opportunities to provide integrated services across our business units, so I can see that becoming much more of the norm for us.
As far as our cyber security services go, we have stable, long-term contracts that will help us to reinvest to grow and mature new capabilities, particularly in our tech assurance practice (including ethical hacking services, Cyber Essentials certification, digital forensics, incident response/management, security architecture and secure use of the cloud).
I’d like us to do more to help smaller businesses and the charity sector understand where they can start to reduce their cyber security risk – doing the basics well will protect you against 70 to 80 per cent of the most common cyber threats and viruses out there!
I’m excited about the Golden Valley Development that is looking to make Cheltenham the UK’s cyber hub and very much expect CDS DS to play a prominent role in that initiative.