The MOD’s first head of cybersecurity explains how to navigate evolving threats

Major-General Jonathan Shaw’s expertise in cybersecurity and defence strategy has shaped the future of national security. The cybersecurity keynote speaker was the first Head of the Defence Cyber Security Programme at the UK Ministry of Defence, pioneering modern cyber defence initiatives. We spoke to Jonathan to explore how organisations can strengthen their cybersecurity, navigate evolving threats, and build resilience in an era of digital warfare.

As the Head of the Defence Cybersecurity Programme at the Ministry of Defence, you navigated a field that is both highly technical and conceptually complex. What was your proudest achievement in this role?

I think it was transitioning from someone who knew nothing about cyber to someone who could speak knowledgeably about the conceptual side of cybersecurity. Cyber clearly has a deeply technical aspect, but what I quickly learned was that the technical details were not as important as the broader implications – how cyber technology affects all our lives.

My greatest achievement was developing the ability to explain a digital subject in an analogue way, making it meaningful to those who didn’t understand it. That, I believe, was my most significant accomplishment.

Leadership in cybersecurity requires a different approach due to the disruptive nature of technology. In your experience, what does effective leadership in cybersecurity look like, and how should it evolve to address the challenges posed by this rapidly changing field?

Cyber is fundamentally disruptive. It concerns information, and as a result, it disrupts the traditional hierarchy of knowledge. Organisations are usually structured in a way that ensures senior leaders receive information first, but in the cyber world, that is not the case.

Many senior leaders I encountered were what I call ‘cyber tourists’ – they had some awareness but lacked real expertise. This means leadership must change because you can no longer wait for top executives to fully understand the issue before taking action. Instead, leadership must empower, train, and trust individuals at the coalface, who often have a far greater understanding of cybersecurity threats.

This requires moving away from a rigid, top-down command structure to a more decentralised approach. In the military, we call this ‘mission command’ rather than ‘directive command’. It allows for faster decision-making and a more agile response to threats.

Organisations face an ever-growing threat of cybercrime. What are the top three practical steps they can take to protect themselves and build resilience against cyberattacks?

When discussing protection, most people focus on shields and blocking mechanisms, but a military analogy can be useful here. In defending a vehicle against attack, there are multiple layers of defence, and only one of them is a physical shield. The first and most crucial step is to avoid being spotted – stay invisible.

Assume cyberspace is inherently insecure and act accordingly. If you make yourself highly visible online, you increase your chances of becoming a target. While this conflicts with advertising needs, organisations must find a balance. People also need to stop trading their privacy for convenience, which is something many of us have been guilty of.

The second step is to accept that you will be hacked at some point. The more successful you are, the more likely you are to be attacked. Therefore, preparation is key. Build resilience, establish redundancy, and train your team to respond effectively to a breach.

The third step is to ensure that your entire supply chain follows strict cybersecurity protocols. It is not just about your organisation; vulnerabilities often come through third-party vendors. Cyber hygiene must extend beyond your own systems to those of your partners. In summary: minimise your exposure, prepare for an attack, and ensure your supply chain maintains high cybersecurity standards.

Cyberattacks on national infrastructure have the potential to disrupt society on a large scale. To what extent can a national cyberattack impact our daily lives?

You don’t have to look far for an example of this. The most dramatic case was in 2007 when Russia took offence at the Estonian Government’s decision to move a statue of the Bronze Soldier from the centre of Tallinn to a graveyard.

As retaliation, Russia launched a massive cyberattack that effectively shut down Estonia. They disabled banking systems, government operations, and media channels, rendering the country unable to function properly for weeks, even months.

Interestingly, this attack forced Estonia to become a global leader in cybersecurity. In response, they set up a national cyber defence unit, recognising that cybersecurity is a collective responsibility. Their approach is now considered best practice in Europe, if not the world.

This case highlights both the severity of cyberattacks and the importance of national preparedness. A major cyberattack can cripple essential services, disrupt communication, and have lasting economic consequences. It is a reminder that cybersecurity is not just a government issue – it affects everyone.

With technology evolving rapidly, what do you predict will be the next major type of cyberattack, and what emerging risks should we be aware of?

Cyberspace is inherently insecure. In fact, the Russians previously hacked into the NSA’s database and discovered backdoors that had been deliberately built into various systems. Now, they have a list of vulnerabilities they can exploit. The SolarWinds attack was just one example of this, and we should expect more of these attacks in the future.

Another immediate concern is the misplaced belief in blockchain technology as a flawless security solution. Many people see it as a panacea, but it is not. Blockchain has backdoors, has been hacked before, and contains zero-day vulnerabilities. The assumption that blockchain automatically makes cyberspace secure is simply incorrect.

In the longer term, I see this as a cultural issue rather than just a cybersecurity concern. We are transitioning from what some call ‘United States digital colonialism’ – where the US controlled the development of digital technology based on Western values – to ‘Chinese digital colonialism’. The Pentagon’s former head of cybersecurity recently stated that the West has already lost the artificial intelligence battle and that China will dominate the future of AI.

This shift will fundamentally change the assumptions on which software is developed. As AI becomes more prevalent, we will need to navigate an era where software and cybersecurity frameworks are shaped by different cultural and strategic interests.

How likely is a successful cyberattack on national infrastructure, and what factors influence the probability of such an event?

If attackers find a vulnerability, they will exploit it. The question is not whether a national cyberattack is possible- it is about how well we can mitigate the damage.

The good news is that major states avoid direct cyber warfare due to the doctrine of mutually assured destruction. If China could take down Britain, Britain could likely retaliate in kind. Neither nation has an incentive to launch a full-scale cyberattack because the consequences would be catastrophic for both sides.

The bad news is that criminal organisations operate as proxies for state actors. These non-state groups have no infrastructure that can be targeted in retaliation, making them a greater threat. Some argue that these groups are indirectly controlled by states, and that may well be true.

However, because cybercriminals must operate from physical locations, they can still be pressured. These groups are not operating from outer space – they are based in Russia, China, Bulgaria, or elsewhere. Governments can and should use diplomatic and economic measures to disrupt their activities.

While the internet creates a vast attack surface, it is still possible to impose real-world consequences on cybercriminals. In the end, if an attack is planned, it will likely succeed to some extent, which is why preparation and mitigation strategies are so important.

If you could give your younger self one piece of advice, what would it be?

Nothing to do with cybersecurity, really. It would be to take opportunities and have more confidence in myself. Looking back, my biggest regrets are not the things I did, but the doors I didn’t open. Just having more confidence and going for things would have made a big difference.

Life isn’t a rehearsal – you have to take control and make the most of it because time moves quickly. I’m 63 now, and while I’ve done some great things, I know I could have done even more. Now is always the time to seize opportunities.

Image by Free stock photos from www.rupixen.com from Pixabay, and Champions Speakers.

Want to learn more about cybersecurity and the cloud from industry leaders? Check out Cyber Security & Cloud Expo taking place in Amsterdam, California, and London.

Explore other upcoming enterprise technology events and webinars powered by TechForge here.