Gary Burnett meets…David Crozier, Centre for Secure Information Technologies
David Crozier is the Head of Strategic Partnerships and Engagement at the Centre for Secure Information Technologies (CSIT). CSIT is a world-class innovation and knowledge centre which is part of Queen’s University Belfast, based at Catalyst in the Titanic Quarter in Belfast. CSIT provides a unique environment which encourages collaboration among academics, researchers, engineers, industry and government to accelerate the results of cyber security research through to commercial application. It has been instrumental in helping to build what is now a thriving cyber security cluster in Northern Ireland, which now employs around 1,400 people and has attracted some of the world’s top cyber security technology companies to set up operations here.
David is responsible for the Centre’s strategic partnerships, oversees marketing and communications, and also for building international partnerships.
Gary: Looking round Northern Ireland, there is a small but growing and vibrant cyber security industry here. CSIT is right there in the heart of that. So, what is the importance of CSIT in the Northern Ireland context?
David: If you look back to the start of the Centre in 2008, 2009, there was limited activity in what we would now call cyber security in Northern Ireland. Since that time, we’ve been involved in generating world-leading research in this area, developing new concepts and ideas, new network processing for cyber security intelligence, machine learning for cyber security and a range of other important technologies. The building blocks of what has become a pretty well regarding cyber security industry here in Belfast. If you look back 8 years, there were maybe 50 – 100 people working in cyber security. Since then, that ecosystem has now grown to about 1,400 cyber security professionals. There are some very successful FDI companies focused on this area, like Alert Logic, Anomali, Black Duck (recently acquired by Synopsis), and IBM expanding its cyber security footprint here with their SIEM product. Aside from those core cyber security companies, there’s been quite a lot of investment from the big four consulting firms developing their cyber risk practices. Then you have some of the other FDI companies like Citi and Allstate, expanding and setting up global cyber security operations here. If you look at Allstate, you wouldn’t think of it as a cyber security company, but they’ve now got over 100 people working on cyber and a significant recruitment drive going on.
This is not all the result of CSIT, but we’ve had a significant input in terms of research, skills development, getting cyber security into undergraduate teaching programmes, in influencing government policy regarding cyber security, and in terms of investment in infrastructure for cyber. So if you look at our role, we’ve been a keystone organisation in bringing a lot of this together, driving it forward and saying to key policy makers – look, if we are going to take a limited number of bets on industries where there is huge potential, this is one of those ones we need to back, and here’s the evidence for it.
So now we’re seeing good numbers in terms of people employed in our cyber security cluster. Our own figures suggest it is generating about £60m in annual salaries – which has a very good impact on local economic development, it’s a good return on investment.
Gary: And how good is the economic opportunity for Northern Ireland in cyber security? Is there a lot more scope for us?
David: Absolutely, if you look at skills shortages globally – 1.5 to 2 million people needed in this industry globally – that is driving the adoption of automated technologies, new innovative technologies for detecting, preventing cyber attacks. It’s simple economics – supply and demand – there’s a huge demand for both skills and technologies. The cost of cyber-crime – we’re now looking at multi-million-pound impact of cyber security events. Maersk, the big shipping company, which shifts about 60% of the goods around the globe, had a large attack recently, which cost it about $300m. We’ve seen other attacks – the likes of the TalkTalk breach, which cost the company around £40m, and something like £100m wiped off their share value. So, those costs, plus new regimes like GDPR, where companies can be fined up to 4% if their global revenues if they don’t take sufficient steps to secure their networks against breach – all this has created a perfect storm of demand for security skills and talent and technologies. So it’s ripe for Northern Ireland to take advantage of.
And, we have been ahead of the curve for once, because we have been putting in skills and research and investment, and attracting FDI cyber security companies.
Gary: So, in order to take advantage of the opportunity, what do we really need to pay attention to and invest in. Is it funding for new companies, is it skills, or what?
David: I think it all starts with human capital. And the skills required for cyber security overlap significantly with other digital careers – strong science, engineering, maths programmes. Growing young people with good analytical skills, good problem-solving skills, the ability to analyse data. These aren’t necessarily technical skills – they are more deeply rooted – but you start with that, and then encourage them into the industry. Previously we would have targeted people who were completing their undergraduate studies and were thinking of post-graduate work in our Master’s degree in Cyber Security or maybe a PhD. But we held a residential course over the summer for 14 and 15-year-olds to help them think about a career in cyber security. We are planning something in January for 11-13-year-olds, with an eye to the future, in terms of a talent pipeline. And the local exams body has been looking at trying to include cyber security more into GCSE and A level digital technology courses. But we could always be doing more.
Some of the skills required are challenging, and we need to focus on helping teachers to teach those skills. And the Department of Education has a role there. But we see industry stepping up and partnering with schools to teach the teachers the requisite skills.
In terms of investments, yes, good cyber security start-ups always need investment. But the challenge there is around the scale of investment – if companies were in Silicon Valley or Austin or Boston or the DC Metro area, they would get a lot more than a local company might expect. All that does is to give the company more runway so they can seek further investment. It’s not sufficient to really light a fire under them.
Last year the largest VC investment in Northern Ireland was into a cyber security company. B-Secur is a company we’ve worked with closely. Companies like that who partner with us at CSIT get access to world-class research. So we work quite closely with a lot of start-up companies through our CSIT Labs programme to translate our research into real world product. And VCs are looking for this sort of really innovative technology.
Gary: Looking outside of Northern Ireland. You’ve started a major new initiative in London?
David: The London Office for Rapid Cyber Security Advancement (LORCA) is a collaboration between CSIT, Deloitte and Plexal, who look after developing the old communications centre in the what was the Olympic Park. The UK government wanted to support indigenous innovative cyber security to help companies scale up and grow. So, they put out a tender for this London cyber innovation centre aimed at taking companies which had a couple of years of trading history and helping them really accelerate their growth and access international markets.
Our input into that is to enable companies avail of our engineering resource. Although we are a university research lab, we also have a significant engineering practice and the LORCA funding will enable companies to avail of that engineering talent pool to help them develop novel technologies. So that’s what we bring to the table. The 1st cohort of companies is well under way – there are 9 companies on the programme. So, we’re helping companies all over the UK build out new technologies and new product for a global marketplace.
Gary: So that’s very significant for CSIT – a Northern Ireland organization being at the heart of a major cyber security initiative in the heart of London.
David: Since our inception, we’ve always been a national innovation and knowledge centre. We were originally funded under national programmes so we’ve tried to work with the whole industry across the UK. And that has benefited Belfast and Northern Ireland. And it’s a good news story in terms of export for the region – our skills, experience, research is being exported out to the rest of the UK and further. And the investment in CSIT is supporting just over 80 highly skilled jobs in the Centre itself.
Gary: And then, David, looking beyond the UK, you’re involved in an international grouping of cyber security organizations?
David: The global ecosystems of ecosystems partnership in innovation and cyber security – bit of a mouthful! – Global EPIC for short. If you look at CSIT, there is a three-way link in terms of academia and research, a strong government supporting environment and the cyber security industry. We then started to build bilateral relationships with similar ecosystems around the globe – organizations such as CyberSpark in Israel, the Global Cyber Security Resource at Carlton university in Ottawa, the Hague Security Delta – all with the same academia, government, industry links.
The more we developed these, the harder it became to manage them. So the 4 organizations I’ve mentioned decided to form a partnership, whereby we could share a lot of this knowledge and expertise, and get access to each other’s markets and skills and experience through a more formal engagement. So Global EPIC came into existence in October of last year, being launched with 15 global cyber security ecosystems – including Canada, the US, Israel, Spain, Italy, Netherlands, and Poland. And we’re now sharing knowledge about taking academic research to help start and grow new companies.
And this geographic spread, allows the start-ups that we work with here to use that network to access global markets. So, if a company wanted to get into the US, they could soft land with our partners over in Maryland. Over the past 6 months I have been the board appointed President of Global EPIC and during my time have been able to help grow the organization to 25 global members. We’ve signed our first keystone organization in India, in Bangalore, also in Taiwan, we’ve had our first engagement in Africa in Nigeria, and we’re about to bring on board new members in West Africa in Benim, and in Australia and New Zealand. So, this is a powerful vehicle for us to get our ideas and innovation out to the wider world.
But it also aligns well with the World Economic Forum, which has established a new centre for cyber security headed by Troels Oerting in Geneva. WEF is looking at cyber security as a global threat to economic growth. They’re looking at it as an economic opportunity for cyber security companies. WEF is a thought leadership organization, but we have this partnership of companies and institutes and government agencies on the ground which can act as a delivery mechanism. So, now we’re looking at partnering with the WEF to deliver projects around human capital development and cyber resilience – informed by WEF, but delivered by Global EPIC. This is a very exciting global opportunity for CSIT to be involved in, in fact leading in.
Gary: Thank you David.
