Landing at the NCSC (glad I brought my towel)
Summary
Ollie Whitehouse joined the National Cyber Security Centre as CTO in October 2023 and, after two months, sets out his immediate priorities. He praises the highly capable technical workforce and frames the NCSC as a technical agency focused on preparing the UK for future threats while improving resilience today. His priorities centre on building evidence-based cyber practice, imposing cost on adversaries, tackling technical security debt, ensuring base-level security is not a premium feature, signalling market needs, and preparing the country for major cyber events.
Key Points
- Make cyber a science: build rigorous, evidence-backed measures of what actually works in real-world defence.
- Impose cost on adversaries by disrupting their tradecraft and reducing their operational effectiveness.
- Address technical security debt systematically—measure it, incentivise paydown, and show clear benefits.
- Stop treating security as a premium add-on; basic protections should be standard in products and services.
- Use market signalling to direct investment and capacity-building (notably for OT/ICS capability gaps).
- Advance Active Cyber Defence (ACD) 2.0 as a tool to increase adversary costs and improve national resilience.
- Prepare for major incidents: shift the mindset to prepare for “when”, not “if”.
- Continue NCSC work across AI security, post-quantum transition, passkeys, zero-trust and memory safety.
Content summary
Whitehouse argues there is a persistent gap between assertions about cyber defences and evidence of their efficacy. He highlights a few strong examples (seL4, CHERI/Morello, Rust, Trusted Types) but notes these are exceptions. The NCSC will prioritise creating and sharing robust evidence on what actually improves system resilience, using approaches such as chaos security engineering, near-miss analysis and regulatory red teaming.
He also stresses shifting more cost to attackers across the lifecycle (R&D, supply, initial access, persistence) and advancing Active Cyber Defence. Technical security debt remains widespread and poorly measured; Whitehouse wants improved literacy, measurement methods from academia and industry, and incentives to reduce that debt. He calls for a market where basic security is standard, not a paywalled extra, and for the NCSC to provide market signals so investors and entrepreneurs can build the UK capabilities that are lacking—particularly for OT/ICS. Finally, he emphasises preparing for major events alongside ongoing NCSC programmes in AI, post-quantum cryptography and other priority areas.
Context and relevance
This post is a strategic statement from the NCSC’s new CTO and sets the tone for national cyber priorities. It aligns with wider trends: demand for evidence-based security, increased focus on supply-chain and OT/ICS resilience, debates about active defence, and preparedness for sophisticated state and criminal actors. For practitioners, vendors, investors and policy makers, the priorities indicate where funding, regulation and collaboration may focus over the next five years.
Why should I read this?
Short version: it tells you where the NCSC’s CTO wants to push the whole cyber scene — evidence, cost for attackers, and real-world fixes — so if you work in security, run tech products, or invest in cyber, this is the map you want. Nice and readable; saves you the time of digging through speeches and policy notes.
Author note
Punchy and purposeful: Whitehouse’s tone is direct and strategic. He emphasises practical, measurable change over slogans and signals the NCSC will both convene market actors and push for tougher evidence and standards. If you care about national resilience, his priorities are worth paying attention to.
Source
https://www.ncsc.gov.uk/blog-post/landing-at-the-ncsc-glad-i-brought-my-towel