Stepping up on 
Cyber Defence

Client Conversations
Christine Maxwell is a woman on a mission – a cyber mission. She tells Mivy James about overseeing the ever evolving challenge of Cyber Defence and Risk at the UK’s Ministry of Defence.
Christine Maxwell, Director Cyber Defence and Risk, Ministry of Defence“As a girl did I ever think I’d end up working in national security? Oh god no – I wanted to be a doctor but went on to train as an accountant!”

Christine Maxwell’s answer is revealing on several levels. First, her self-deprecation and sense of humour, both of which loom large throughout our conversation.

Second, her intellectual prowess. She’s clearly far too modest to say so but you don’t rise to senior positions at KPMG, BP and RBS, as well as her current role as Director, Cyber Defence and Risk at the Ministry of Defence (MoD), without fierce intelligence and curiosity. And third, her friendly nature. When she says that “I’ve never been one for hierarchies – I just treat everyone the same”, you absolutely believe her.

Maxwell’s approachability belies the gravity of her role, however. In post for only nine months, she is directing defensive cyber for everything cyber related across the full spectrum of Defence in the UK. So all agencies, all organisations, all units. No wonder she says that she’s “never worked as hard in my life”.
 
 

Hitting the ground running


Running Start IconPrior to Maxwell coming on board, the MoD’s cyber activities were handled by different teams and in different ways. “There were lots of people doing bits of it but it was described to me as ‘a leg of the stool was missing’ because it was always just a bit wobbly as the direction wasn’t always clear,” she explains.

She goes on to say that the title “Director” was very much deliberate. “It was important to make it very clear that it was a Director role,” she says. “It involves the strategy, the policy, the risk, the capability building, the assurance and compliance – all these fall into my remit. So it’s my job to bring all these elements together and make sure we’re going in the same direction and mitigating that risk.”

Maxwell, it’s important to stress, is no novice. Sure, she may be a newcomer to the ways of Whitehall, but her experiences in the private sector have no doubt prepared her well for the challenges ahead. Her time in professional services, as well as oil and gas and banking, has exposed her to broad leadership and security governance, risk and compliance, as well as the challenges of leading large-scale transformation programmes.

These eclectic experiences helped shape her immediate observation that the MoD’s cyber team was in need of something of a North Star to guide them forwards. “People were doing loads of things but were they really mitigating the risk? Probably in parts but not in a strategically planned way – it was all too fragmented.”

Of course, this is not exactly an uncommon challenge in government – or the private sector for that matter. And partly, she adds, it was down to the perennial challenge of funding. “The teams themselves haven’t been overly invested in over the past few years, and so therefore the expectation that cyber was in a good place might well have been misplaced – how can it have been?”

And why was cyber defence not being focused on? “Because no one was fighting for it across the cyber framework. Lack of leadership was probably a core of it. I’m only one person and I haven’t got a big army of people to help me, yet, but it’s amazing what you can do when you do think strategically and in the right order. I’m a baby steps sort of a gal.”
 
 

A question of priorities


Another area of focus has been ensuring that cyber gets an equal amount of attention as more traditional Defence-related activities. It may lack the visibility of a new warship or helicopter fleet, for example, but it is no less important – particularly as the armed forces pivot towards all things artificial intelligence and machine learning. Nonetheless, Maxwell recognises that it remains a work in progress.
“People recognise the challenge and the impact cyber can have on Defence but is it embedded yet? Is it entrenched into the ways of working and compete against other items? Then no, we’re not there yet.”

Christine Maxwell, Director of Cyber Defence and Risk, Ministry of Defence

She is keen to stress, though, that she does not lack for support from her superiors – on the contrary. “Senior leaders have told me that this just needs to be seen as part of the course of normal business now, it’s just like finance, legal and all those bits that we take for granted.”
 
 

From private to public


Private to Public IconWe’re chatting amidst the hustle and bustle of a coffee area in the MoD’s main building in Whitehall. Maxwell looks right at home but it seems pertinent to ask how she has adapted to life in the corridors of power. Has there been a big culture shock?

“I think it’s been surprisingly similar, even though I’ve found things like the funding approval process totally bizarre,” she replies, shaking head in bewilderment.
 
“When I went to RBS I didn’t know anything about banking; when I went to BP I didn’t know anything about oil and gas; and when I came to MoD I didn’t know anything about Defence. Now, Defence has been the hardest to get under the skin of but at the end of the day, cyber is cyber – the fundamentals stay the same.” Maxwell’s penchant for ignoring formal protocol has also played to her advantage, it transpires. “I’ve got things done faster as a result,” she points out.
“Some things I’ve done myself, when I probably should have staffed them out but it’s faster if I do it. I don’t understand some ways of working – I just like getting the job done.”

Christine Maxwell, Director of Cyber Defence and Risk, Ministry of Defence

And then there is the fact that she is woman in an organisation still very much dominated by the opposite gender. Interestingly, though, Maxwell says that it’s not as bad as she first feared. “I’ve never been in so many meetings where I’m the only woman but having said that they are the nicest men I have ever worked with,” she says. “They are very different to what I expected. So I’m more of a minority here but I don’t feel as I have done elsewhere in my career, where there has been a very macho testosterone culture at times. We don’t have that here.”

She goes on to say that recruiting more people to her team – both men and women – is an ongoing priority but adds that it’s an uphill struggle, simply as the salaries cannot compete with what’s on offer in the private sector. “I could do with another 50 people but even if I had approval to recruit that number, I could never get that many because of the salary issue. So instead I would like to work with some strategic partners who can help me on certain tasks – the skills are there in the market, we just need to partner up.”
 
 

The Transformer


Transformer IconMaxwell’s activities – themselves transformational – are occurring alongside the MoD’s wider digital transformation agenda, which adds another layer of complexity to overcome. But rather than flinch at what lies ahead, she prefers to see it as an opportunity.  “Each new technology has their own set of cyber challenges for us to overcome but does this mean we can leapfrog in some areas? There is an opening there for us to make up for lost time.”

She is clear, though, that there is much to do and cites the example of identity management to illustrate her point. “When every equipment programme has to build some capability, it will build their own mechanism for identity management because there is nothing central for them to dock into,” she admits.

“So, we need a central capability and also make it compulsory for teams to use it as that would be the master identity and they shouldn’t build their own. This would save millions. It comes down to doing Secure by Design properly. This is one of my mantras and it’s about ensuring that cyber security is built in right from the outset on anything we’re doing, even from when it’s a twinkle in someone’s eye.”

Also on her radar is working with defence suppliers to inject greater flexibility into the procurement process, particularly when it comes to ensuring that new equipment programmes are as secure as they can be. “This is where I feel we could get better at,” she admits.

“We buy things to a contract but then projects slip and then security moves on. So we end up building something which has good security three years ago but not for today. I’ve lost the plot in a few meetings where I’ve pointed this out. This is where I have some criticism of some suppliers as not all of them seem to care – they’re just working to the contract, even though they know it’s not the right security. We’re so outsourced, we’ve got to get the suppliers in the right place on this. After all, we all say we work in national security for a reason.”
 
 

Looking forward


Maxwell has clearly come a long way from her accountancy days but she believes that her transition into cyber security merely reflects the need to always be open to new opportunities and interests. With that in mind, her advice to girls pondering a career in this area comes quickly.

“Don’t be frightened,” she says, firmly. “You don’t need to be super technical to do all the jobs in cyber security. It’s a business problem, not a technology problem. You absolutely don’t need a background in computer science.”
"We need to get it in people’s faces so that they are more cyber aware – let’s stop mucking about, it’s not difficult. Progress can be made but you have to do these things one by one.”

Christine Maxell, Director of Cyber Defence and Risk, Ministry of Defence

This advice reflects her objectives for the years ahead. Sure, the technical side is vitally important, but it is also about the bigger picture. “I want us on a stable footing and to get us working together across the whole of Defence so that we’re actually making a difference,” she says. “There will always be risks but there is so much we can mitigate. Things like why are there no cyber awareness posters on the walls here? We need to get it in people’s faces so that they are more cyber aware – let’s stop mucking about, it’s not difficult. Progress can be made but you have to do these things one by one.”

And for Maxwell, there is no doubt that she thrives under the pressure to get things done. “You really are making a difference here,” she concludes. “It takes me 40 minutes on the train to get to work – should I read something, listen to a podcast or write two or three complex emails? The emails always win out. From a work-life balance I know that that’s wrong, but it all comes down to making an impact.”

It's quite the responsibility – but it’s clear she wouldn’t have it any other way.
 

About the author​
Mivy James is Head of Consulting for National Security, BAE Systems
mivy.james@baesystems.com
 
 
Further Reading