At the ETSI Security Conference 2025, we spoke with Ollie Whitehouse, Chief Technical Officer at the UK’s National Cyber Security Centre (NCSC), about the evolving global cybersecurity landscape, emerging threats in telecommunications, the role of standards and cross-sector collaboration, and how organizations can prepare for the challenges ahead.
Ollie, could you share how you view the current global cybersecurity landscape and what your main priorities are as CTO of the UK’s National Cyber Security Centre (NCSC)?
I’m the Chief Technical Officer at the National Cyber Security Centre, whose mission is to make the UK the safest place to live and work online. You can think of our priorities through three lenses: one, how do we raise the resilience of our critical national infrastructure to the most sophisticated threats?
Two, how do we protect everyone else at scale against commodity threats, whether crime or similar?
And three, how do we ensure that the systems and technologies of the future are being built with cybersecurity in mind, so as to be kind to our future selves?
In your keynote, you discuss collective challenges for the next decade of telecommunications. Could you highlight the key risks and opportunities you see emerging in this sector?
In the talk, we outlined that the threat environment is only becoming more complex, yet we are still held back through technical debt and not building secure systems, which are becoming ever more complex and which we don’t fully understand. We outlined the opportunities around standardisation based on evidence of efficacy and how we build towards the future, but also some of the other opportunities we find. How do we increase the level of agility so more frequent updates to standards and software are deployed more quickly, moving from years and half-decades to half-years and years from concept to realisation? Realistically, the technology landscape is expected to change so much over the next half-decade that it’s going to be an imperative.
Standards and baseline security frameworks are often cited as critical for resilience. How can organizations effectively adopt and implement these standards across complex networks and systems? How are governments impacted?
The reality is that most organisations shouldn’t have to think about implementing the standards. The solutions they employ implement the standards, but it’s beholden on those who are producing technology and those key first-stage customers, such as telecommunications operators or similar, to be part of the standards-making process. That way, we know we have interoperable, secure, modular systems. But as soon as you get two steps removed, organisations should just know that the standards have led to more secure systems, not the intricacies of those standards.
NCSC is a member of ETSI for good reason. We see the value of international standards-making, reducing the cost burden on business. If we do one standard well and have that standard be global, we avoid the situation of having 54 subtly different standards in each country. The role of governments is to recognise that the standard does not need to originate from the standards-making body in their country. We can work in the international fora, and similarly, we want to avoid bifurcation in technology. How do we get international technology companies, whether from Southeast Asia or the US, to participate here? That’s how we work together: do one thing well, rather than many times driven by self-interest.
Supply chain security continues to be a concern globally. How is the NCSC approaching risks related to third-party components and international dependencies in critical infrastructure?
Our approach at the moment uses an arc—from left to right—and the beginning of that arc starts with transparency. At the moment, we would say that there is massive information asymmetry between those who provide a service or sell technology and those who consume it. Increasing transparency, so that those who are buying can make more informed decisions, is a great way to address some of the supply chain risks.
At the right of the arc, ultimately, there will need to be more regulation and legislation, likely because without that we probably cannot achieve the ultimate aim. But for now, let’s see where we get through good market forces, because we have more information out there.
So when you speak about transparency, is that related to SBOMs?
It starts with SBOMs. The position on SBOMs is that they’re great for telling you about third-party software, libraries, and versions. What they don’t do is tell you about first-party software that was written in a memory-unsafe language, is 20 years old, and of which only 4% has been touched in the last two years.
So, it goes beyond SBOMs, and we’ll have to go down to the hardware level as well. What we’re seeing at the semiconductor level is that actual chip designs can include third-party intellectual property, not necessarily from countries we may fully trust.
So, it will have to go down the full stack. SBOMs are a great start, but that’s probably not where it ends.
Emerging technologies, including AI, are transforming both threats and defenses. What are the most pressing cybersecurity challenges introduced by AI and other advanced technologies in the telecommunications sector?
The challenges presented by AI are not necessarily new. There’s a scaling factor that they enable. If you imagine all tooling and automation, it allows those with bad intent to do more of the bad stuff more effectively, potentially with less skill. AI is a compound of that, ultimately, but we hold the position that AI will still be a net benefit for cyber defence. There will be more people who want to use AI for good and who will have an outsized impact. The problem is that the path from where we are to that destination will be rocky and uneven, so the adversaries who do employ it will gain some advantage, probably in the short term, until the defenders can sufficiently employ it to counteract.
Cross-sector collaboration is often highlighted as key to resilience. What mechanisms or partnerships have proven effective in the UK and internationally for improving cyber defenses?
I think, selfishly for us, ETSI has been amazing. In our Telecommunications Security Act regulation, we have a technical code of practice, and within that code there is the concept of a privileged access workstation. We realized that actually wasn’t defined—what a privileged access workstation was. So we came to ETSI and worked with various constituents to define, in two parts, how a privileged access workstation manifests. We now benefit from that as an ETSI standard that can be adopted by network equipment manufacturers, telecommunications providers, and service providers. That’s one example. We’ve got others in AI, post-quantum encryption, and similar areas, but it’s a good example of how we are tying ETSI standards that chain up through our own national standards, regulation, and legislation.
Looking ahead, what trends or emerging threats do you see as shaping the global cybersecurity landscape, and how should organizations prepare?
I think your question is really about how organisations need to prepare. We see too many organisations who think it won’t happen to them, and so there’s a lack of preparation for when it manifests. How do you know it happened? How would you recover quickly? How would you communicate all of those things? We simply see such a lack of preparedness. On the whole, if organisations were more prepared—because we can’t predict what the future threat is going to be, let’s be really honest—I can give some opinion, probably evidence-based and directionally accurate, but the reality is that organisations need to be prepared for the unknown. They need to have confidence that they would be able to detect it, reduce the blast radius, and recover in a reasonable amount of time with an acceptable level of business disruption, which is not what we see in 2025 for the most part.
For practitioners and leaders just beginning to tackle these challenges, what foundational steps would you recommend to ensure both resilience and strategic foresight in cybersecurity planning?
You always have to continue learning. I think if you applied the methodologies and approaches that we were employing 20–30 years ago, they would seem arcane by 2025 standards. There is an expectation on all leadership—both technical leadership and business leadership—to understand what contemporary cyber defence and resilience looks like in your domain of expertise. So if you’re CEO, CFO, CISO, CTO… without that understanding, you can’t make informed decisions or provide the right guidance.