The announcement of the National Cyber Force has put Britain's cyber capabilities firmly in the spotlight. But Strategic Command has been leading defence on cyber much longer than that. We asked people on the inside of the cyber world to share their stories in their own words.
This time, we join Simon. He explains his journey from Army Aircraft Technician to a forensic psychologist who leads Strategic Command's Cyber Awareness programme.
I’m the odd one out. I’m not saying that in any self-deprecating way, I just fully appreciate how strange it is for a forensic psychologist to be so deeply integrated into the way Defence does cyber-security governance, risk, and compliance. If anything, I like it. It reminds me that the world of cyber-security is changing to reflect the bigger picture.
Technology doesn’t exist in a vacuum; people built it, people use it and the malicious exploitation of those systems? Well, that’s people too. I’m the Head of the MOD Cyber Awareness, Behaviours, and Culture team and it’s been a long and very winding road to get here.
I joined the Army in 2003, a 16-year-old with no thought towards long-term career planning beyond being a soldier. Guided by my friendly AFCO sergeant, I was channelled into a role as a REME Aircraft Technician and, after phase 2 training, was posted to 5 Regt AAC in Northern Ireland. All in all, I had a pretty great time of it but I outgrew the job itself quickly so I sought out other things I could do - secondary roles, additional duties, short tours, detachments, courses, and loans but I couldn’t secure a permanent transfer to something that ‘scratched the itch’.
Impatient to a fault, I decided that I’d leave and try out something else. Unfortunately, I now had to keep a roof over my head, so I did a whirlwind of odd jobs. I taught first aid for a bit and I even tried making a living from my hobby as a magician. Eventually I took some security work for a small local firm.
Turns out, I was pretty good at it. The job morphed into security consultancy and sales with some light management on the side. Here, I saw an opportunity; training might make the staff a little better equipped, a little more professional. We’re great at that in the Army, so why not try it out here? I thought I’d take a punt and honestly, it made a bigger impact than I expected.
A little while later, I thought I’d really try to make something of the enjoyment I got from training so I did two things; first, I started working on some higher education; a psychology degree, and secondly, I got a job in the Civil Service. This just so happened to be back in Arborfield teaching jet engine theory and basic maintenance practices to younger versions of myself. It was brilliant. Except, we were teaching on the Scout aircraft which went out of service in the early 90s. That’s no good – how are we supposed to shape and influence the next generation of technicians using old helicopters? So I figured I’d change that too. Except to do that, I needed to move jobs.
As a training analyst, I had a little more freedom to shape how aviation training worked in the Army but this also gave me a chance to learn some new project management skills alongside my developing passion for academia. I was specifically captivated by the psychology of influence which called back to a particularly fulfilling portion of my time in uniform.
As the externally designated training development computer geek I was ‘volun-told’ to be the local administrator for ‘TAFMIS’, the training information system in use at the time, but luckily this exposed me to a whole new world of IT system development and I found myself wanting to get more involved in this world. Security was an engaging part of this, but it was only when something was said, a passing comment about malicious actors, that something clicked. I’d already heard the words several times and it was something I already knew, but this time it really landed.
You don’t need to be a technical genius, running GPU supercomputers, cracking cutting-edge cyphers to hack into a system – you just need to persuade someone to tell you their password. Cyber-security and influence psychology are fundamentally interwoven.
Social engineering became my obsession, linking together so many interests, passions, and experiences that I couldn’t ignore it – it was psychology, cyber-security, teaching, illusion, persuasion, and influence all rolled into one. I ran through every cyber course I could get my hands on; CISMP, CompTIA Sec+, CEH, Cybrary. I read every book; Hadnagy, Cialdini, Hughes, Carnegie. I practiced.
Having completed my undergrad degree with a focus on forensic psychology, I started work on a PhD specifically exploring malicious actor behaviour. Honestly, this might have been overkill but I wanted to immerse myself in this world and academia was the route that made the most sense to me.
Professionally, I next stepped over into Defence Internal Audit, where I worked on cyber and physical security audits (among others) and then, on to the Cyber Vulnerabilities Investigations (CVI) team as their socio-behavioural lead. Here, I set the direction for how human-centred cyber-security testing works in CVI. I did plenty of fieldwork all over the world and loved every minute of it. I even got involved in research groups specifically exploring forensic cognition and for the first time, I started to get comfortable presenting myself as a forensic psychologist as well as a professional social engineer.
Whilst I’d dedicated the best part of a decade to this field, actually being a forensic psychologist was not something that was binary for me. Almost out of the blue, it was suddenly the easiest way to describe my area of expertise. CVI truly captivated me and in many ways, still does, but after a while I noticed something; we can only point at problems for so long. There were technical solutions for technical issues but almost everything I saw, everything that had a human root to it was just too hard to fix.
As the pandemic hit, the amount of CVI fieldwork we could do in person dropped off so I offered to provide some input as a psychologist into the fledgling Cyber Resilience Programme who had been asked to look into risky cyber behaviours. That was a year ago and now I lead a diverse team of communications professionals, content creators, graphic designers, training and educational specialists, behavioural scientists, project managers, data scientists and more, all as members of the Cyber Awareness, Behaviours and Culture team.
Our aim is to help build secure behaviours across the enormous diversity of Defence including veterans, service families and cadet forces, all by drawing on sound psychology and best practice. If you’ve seen any Cyber Confident material such as our games, podcasts, videos, or webinars, if you’ve received a simple practice phishing email or, if you see some new, slightly more interesting cyber training, that’s us.
As I said, I’m probably the odd one out in the cyber profession, but I’m still working hard to make our organisation more cyber resilient.
There are both Regular and Reserve cyber roles in the Army, Royal Navy and Royal Air Force.
For more information on Army roles, click here.
If you are interested in joining the Navy, click here.
To find your force as a part of the RAF, click here.
There are also civilian cyber roles within the Ministry of Defence Civil Service.
You can sign up for a job alert on CS Jobs here. Simply create an account, select the Job Alerts tab and follow the on-screen instructions.