Nick O'Kelly

We’re already hearing the same pattern from clients: “We know DCC is coming… but we’re not sure what we actually need to do.” This guide breaks down the levels, the evidence and how it links to Cyber Essentials, ISO 27001, NIST CSF etc. Good explainer for anyone who wants a non-jargon version. Worth a read before DCC becomes a bottleneck in 2026 bids. #DCC #DefenceCyberCertification #MOD #infosec #UKcyber

6

Complex and costly defence programmes need to engineer solutions to achieve cyber resilience. The recent UK Strategic Defence Review (SDR) highlights the ‘intolerable levels’ of cyber risk carried by defence, and recommends that legacy systems are retired to reduce risk and enable robust cyber security. https://buff.ly/Ngc4F2R #cyberresilience

13

The defence supply chain is only as strong as its cyber resilience. For over 10 years, since the inception of the IASME Cyber Essentials scheme, RightCue has partnered with defence suppliers to strengthen that resilience. We’re proud to now be part of the initial cohort of IASME certification bodies ready to certify defence companies to Level 0 and Level 1 of the new Defence Cyber Certification, backed by our deep understanding of working in highly sensitive and controlled environments. #defence #cybersecurity #supplychainsecurity

14

1 Comment

More detail on the DCC has been released by IASME, including importantly the question set which will be used to assess companies aiming for DCC Level 1, 2 or 3. Initial thoughts: 📋 There are A LOT of questions - 242 for L1 up to 349 for L3. 🧠 Significant knowledge will be needed to answer the questions - some of them are very detailed (e.g. "Does the organisation use Transport Layer Security (TLS) version 1.1 or earlier for protecting any sensitive data in transit?" - spoiler - the answer should be "No"). 💻 As the DCC is effectively a compliance wrapper around DefStan 05-138 issue 4, the questions assess not just technology but also policy, process, training, governance, etc. So what? It's now even more clear that organisations are going to need help getting to the standard - either to achieve DCC or to be compliant with the DefStan. The AEGIS service we've developed at Nova Blue Technologies is designed to give organisations the help they need. Get in touch for more information and to arrange your free readiness assessment.

10

Three weeks. 12 specialists. Zero IR35 risk. When a leading organisation needed to rapidly scale their cyber capability, they needed a delivery partner who could take full accountability, not just provide resources. Definia deployed a complete cyber improvement programme team in just three weeks, under a Statement of Work model: 🔸 Full specialist team mobilised 🔸 IR35 compliance fully managed 🔸 Single supplier model with clear accountability for delivery 🔸 Embedded knowledge transfer The result? The CISO could focus on strategic outcomes while we delivered the capability, governance and results required. 🔗 Read the full case study: https://lnkd.in/egNYpNSH #Definia #CyberSecurity #Cyber #Security #DigitalTransformation #IR35 #ChangeDelivery #StatementOfWork

5

Our new report, Translating the new regulatory standards into a sustainable cyber strategy, presents a practical, standards-led framework to help critical infrastructure organisations meet evolving compliance requirements, and turn them into opportunities to strengthen the security and resilience of the UK’s Critical National Infrastructure. To explore the full set of insights, recommendations, and actionable guidance, read the complete report here: https://lnkd.in/e-97nVaC #CyberSecurity #CyberResilience #CriticalNationalInfrastructure #CNI #RegulatoryCompliance #CyberStrategy #OperationalResilience #RiskManagement #OTsecurity #NIS #CyberStandards #DigitalTrust #SecureByDesign #ExponentialE

18

An informative document from Make UK Defence and Lloyds, for anyone considering working with UK Defence. 'Good security isn’t about doing more – it’s about doing the right things, consistently'. 

6

Ahead of the Strategic Defence Review formally published tomorrow, the UK Government has announced a bold move to modernise its defence capabilities with a £1 billion investment for the UK Ministry of Defence to develop a state-of-the-art Digital Targeting Web and the creation of a new Cyber and Electromagnetic Command led by General Sir Jim Hockenhull. This initiative is about more than just new technology, it’s about transforming how our UK Defence operates. By connecting systems across the domains of operation, including cyberspace, it will enable faster, smarter decision-making on the battlefield. It’s a major step forward in ensuring national security, supporting newly created high-skilled jobs, and preparing the UK for the challenges of a rapidly evolving cyber threat landscape. https://lnkd.in/eJj4w6GJ

50

1 Comment

Foreign interference in UK Higher Education. In a rare security briefing on 9 February 2026, MI5 and national cyber-security services gave 70+ universities operational detail on foreign interference tactics, professional network exploitation, financial lures, pressure to alter research. The new Academic Interference Reporting Route provides direct access to security services with clear escalation thresholds. For senior leaders in Higher Education, this means practical guidance on when legitimate collaboration crosses into hostile state activity. This framework gives the sector the necessary confidence to operate without fear of foreign state pressure, whilst preserving the international partnerships that underpin Britain's academic leadership. https://lnkd.in/e58K5C9M #mi5 #ncsc #AcademicSecurity #ForeignInterference

36

3 Comments

𝐁𝐞𝐲𝐨𝐧𝐝 𝐭𝐡𝐞 𝐏𝐞𝐫𝐢𝐦𝐞𝐭𝐞𝐫: 𝐓𝐡𝐞 𝐍𝐞𝐰 𝐅𝐫𝐨𝐧𝐭𝐢𝐞𝐫 𝐨𝐟 𝐂𝐲𝐛𝐞𝐫 𝐃𝐞𝐟𝐞𝐧𝐜𝐞 💻 In an era where digital threats evolve faster than our defences, the traditional model of cybersecurity is no longer sufficient. It's not just about building a stronger wall around our systems; it's about integrating resilience, agility, and innovation into the very fabric of our operations. The partnership between ALTEN LTD - UK, Methods, and Quick Release_ highlights this critical shift, offering a compelling blueprint for the future of cyber defence. The battlefield has expanded. A nation's defence capability now hinges as much on the integrity of its data and digital infrastructure as it does on its physical assets. Cyberattacks targeting supply chains, critical data, and operational technology can cripple readiness and erode strategic advantage. The challenge, emphasising the need to 𝐛𝐮𝐢𝐥𝐝 𝐭𝐡𝐞 𝐰𝐨𝐫𝐤𝐟𝐨𝐫𝐜𝐞, 𝐚𝐜𝐜𝐞𝐥𝐞𝐫𝐚𝐭𝐞 𝐝𝐞𝐥𝐢𝐯𝐞𝐫𝐲, and  𝐥𝐞𝐯𝐞𝐫𝐚𝐠𝐞 𝐢𝐧𝐧𝐨𝐯𝐚𝐭𝐢𝐨𝐧 providing a holistic approach that recognises cyber defence as a core component of operational readiness. This is where the power of a multidisciplinary partnership becomes clear. While Methods brings its expertise in 𝐝𝐢𝐠𝐢𝐭𝐚𝐥 𝐭𝐫𝐚𝐧𝐬𝐟𝐨𝐫𝐦𝐚𝐭𝐢𝐨𝐧 𝐚𝐧𝐝 𝐜𝐲𝐛𝐞𝐫 𝐫𝐞𝐬𝐢𝐥𝐢𝐞𝐧𝐜𝐞, ensuring data is secure and systems are robust, Alten’s deep 𝐞𝐧𝐠𝐢𝐧𝐞𝐞𝐫𝐢𝐧𝐠 𝐚𝐧𝐝 𝐭𝐞𝐜𝐡𝐧𝐨𝐥𝐨𝐠𝐲 𝐬𝐞𝐫𝐯𝐢𝐜𝐞𝐬 can embed security from the design phase of a new system. Meanwhile, Quick Release’s mastery of 𝐩𝐫𝐨𝐝𝐮𝐜𝐭 𝐝𝐚𝐭𝐚 𝐦𝐚𝐧𝐚𝐠𝐞𝐦𝐞𝐧𝐭 ensures that the vast amount of data generated by modern defence systems is a strategic asset, not a vulnerability. Ultimately, the future of cyber defence is not about a single solution or a piece of software. It’s about a comprehensive strategy that connects people, processes, and technology. It’s about creating an ecosystem of 𝐬𝐞𝐜𝐮𝐫𝐞, 𝐝𝐚𝐭𝐚-𝐝𝐫𝐢𝐯𝐞𝐧, 𝐚𝐧𝐝 𝐢𝐧𝐧𝐨𝐯𝐚𝐭𝐢𝐯𝐞 capabilities that can withstand and adapt to the threats of today and tomorrow. The Alten Defence partnership represents a significant step towards this vision, proving that true security is found not just in walls, but in seamless, strategic collaboration. #DSEI2025 #DSEI #Defence #DefenceIndustry #CyberSecurity #CyberDefence #DefenceTech #Aerospace #Security #Innovation #StrategicPartnership #Military #NationalSecurity #London #Methodsforgood

17

2 Comments

This is an excellent approach by the MOD, and a great opportunity for industry and academia to contribute. from the post: “Successful adoption of ‘Secure by Design’ requires a step change in design thinking about security. However, the range of military capabilities that need to be supported means its adoption within UK defence also introduces challenges not found in enterprise settings, or other parts of government.” “MOD has neither the capacity nor the expertise to investigate all of these problems on its own. … We present a collection of research problems associated with MOD’s approach to ‘Secure by Design’. In doing so, these problems are presented as opportunities for suppliers, from industry and academia, to propose solutions that address them." The headline questions are very broad, then broken down into more specific problems to be solved. https://lnkd.in/d2bZpquZ

7

Defence Holdings is pleased to announce the appointment of Jim Clover OBE to its Advisory Board. Jim is a former UK national security and cyber operations senior leader, with over 25 years’ experience across cyber operations, open-source intelligence and digital forensics. He previously served as Deputy Director of Cyber Operations within HM Government, with senior responsibility for cyber and digital activity in support of UK Defence and national security objectives, including work with allied partners. He was awarded an OBE for services to UK and overseas national security. Jim’s appointment significantly strengthens the Advisory Board’s depth of experience across Defence, national security and cyber operations. It directly supports the expansion of Defence Technologies’ National Security pillar, as the Group builds defence-led, mission-aligned software capability for real operational environments. As software, data and decision advantage continue to shape modern Defence, board-level insight grounded in operational delivery is critical. Jim’s experience brings valuable perspective as Defence Holdings advances from capability development into deployment-aligned delivery.

119

4 Comments

Is it time to Rethink #IPSA (Industry Personnel Security Assurance) Accreditation Access? A question for #ISAC (Industry Security Assurance Centre) and the wider security community: Why is IPSA accreditation still restricted to companies with MOD contracts (or supporting MOD contracts) when so many UK government departments outside MOD require SC-cleared personnel? This policy is increasingly out of step with reality. SMEs play a vital role in delivering secure services across policing, justice, infrastructure, and other sensitive sectors. Yet without MOD contracts, they’re locked out of IPSA despite needing to meet the same vetting standards. This isn’t just frustrating. It’s counterproductive. By excluding capable SMEs, we’re limiting the pool of trusted suppliers, slowing down delivery, and creating unnecessary barriers to compliance. In a world where agility and trust are both essential, this feels like a missed opportunity. Isn’t it time IPSA evolved to reflect the broader needs of government and industry? I’d welcome views from others in vetting, compliance, and security—especially those navigating this challenge firsthand.

8

3 Comments

Important announcement from Ciaran Martin, ex-CEO of the National Cyber Security Centre (NCSC) re: the accusations that China had access to state secrets in the alleged 2020 breach: 1. China is a significant threat. 2. But this did not happen. 1: "For many years China has been, and continues to be, a significant cyber security threat to Britain and British interests. Chinese state actors target British government, commercial and other networks for espionage purposes." 2: "But it is categorically untrue that in 2020 briefings were given to the effect that the Chinese state had compromised the bespoke systems used for circulating Strap and other highly classified state secrets."

5

2 Comments

🔒 The UK is building the world's most secure defence supply chain through Defence Cyber Certification (DCC). To help organisations working with the Ministry of Defence understand and meet the requirements, we’ve created a practical playbook that explains it all in plain English. It includes a clear breakdown of the requirements and step-by-step guidance to help you prepare with confidence. Check it out below, and download the PDF here: https://lnkd.in/dnQaNEct I hope you find this helpful. When you’re ready to get certified - for your organisation or your clients - feel free to book a call with our team.

28

2 Comments

After years of work, we have decent security standards, but we'll continue to struggle until we adopt security by default. Take the relationship between TLS 1.2 and 1.3, for example. Both protocols can provide reasonable security, but TLS 1.2 supports a kitchen sink of options, and you need to know what you're doing to configure it correctly. TLS 1.3, on the other hand, just works, no further work needed. This is just one example; there are dozens of standards and situations for everyone to consider when it comes to their network infrastructure. Until we get security by default, the only way to stay ahead is to have comprehensive configuration monitoring to catch problems and drift. I created Hardenize to solve exactly this problem. Our free test is still available at hardenize.com, and the commercial product has been rolled into Red Sift's. Now that Mail Check and Web Check are being retired, I am very happy that there is still a way for Hardenize to continue to serve.

13

1 Comment

I listened with interest to this week’s speech at CyberUK by Pat McFadden MP, Chancellor of the Duchy of Lancaster and Minister for Intergovernmental Relations and welcome the government’s commitment to prioritising cyber security as part of the new industrial strategy. This recognition of our sector’s true potential, both as a driver of economic growth and a shield for UK businesses, is long overdue. However, it’s vital this isn’t just a short-term reaction to recent high-profile attacks. If it’s going to be genuinely effective, investment in cyber security must be part of a long-term, sustained and coordinated strategy that embeds resilience across industries and regions. SMEs in particular remain highly vulnerable. They often lack the resources and in-house expertise to defend against certain threats, but they’re an integral part of the wider supply chain and need to be protected. If any investment into a nationwide cyber security strategy is to succeed, support must be accessible and practical for businesses of all sizes. There is a real opportunity to help build a more secure UK, but it will require more than investment. What’s needed is genuine collaboration between government, academia, enterprise and local business communities, with initiatives such as the UKC3 - UK Cyber Cluster Collaboration, of which I’m proud to be a part, showing just what can be achieved through true partnership working. #CYBERUK25 #CyberSecurity #IndustrialStrategy #SMEs #DigitalEconomy #CyberResilience #KIT365

4

Empathy is an important skill for a consultant, not just technical and professional acumen. Find consultants with an open mind, who are willing to make an effort to understand your problems/challenges and tailor solutions that meet your needs. I would advise caution if you come across a consultancy who assures you that they have the answers you need before asking you any questions.

9

Over the past year I have been quietly developing the MVR Framework – Multi-Vector Resilience. Not as another control catalogue. Not as a re-packaging of NIST, CAF or ISO. And certainly not as “framework for framework’s sake!” It was built to address a resilience gap that almost all organisations do not yet recognise. We have mature cybersecurity frameworks. We have compliance regimes. We are addressing better governance structures. What we do not have is an integrated model that answers a far more uncomfortable question: Can the organisation survive deliberate, intelligent, adaptive, contemporary attack across multiple vectors simultaneously? Modern threat actors do not attack in silos. They combine cyber intrusion, supply-chain compromise, cognitive manipulation, dependency exploitation and operational disruption. Increasingly, they do so at machine speed with a wide array of AI powered toolsets. Boards are still receiving risk dashboards from legacy GRC roles that fragment this reality into separate domains: • Cyber risk • Operational risk • Third-party risk • People risk • Information risk But adversaries do not respect those boundaries. The result is a structural resilience gap. The MVR Framework was designed to close that gap. It integrates six resilience pillars into a single strategic model that aligns technical security, human factors, operational continuity, supply chain survivability and strategic adaptation into one coherent architecture. It is not about assurance. That ship has sailed! It is about survivability. It is not about passing audits. It is about withstanding coordinated pressure. And it is not sector-specific. While Critical National Infrastructure and Defence environments are the most obvious use cases, the principles apply wherever systemic failure would be catastrophic. The progress so far has been significant: – Pillar architecture defined and stress-tested – Alignment mapped to NIST CSF 2.0 and RMF principles – Board-level articulation refined – Maturity modelling underway – Early advisory conversations validating the problem statement The feedback has been consistent: organisations feel the pressure, but lack a strategic model to address it holistically. The MVR Framework is intended to provide that model. The coming decade will not reward organisations that are merely secure. It will reward those that are structurally resilient under sustained attack. More to follow. #OperationalResilience #CriticalInfrastructure #CyberSecurityLeadership

5