Building things and solving problems

Matt Palmer

Director/CEO, Jersey Cyber Security Centre

You grew up in Bradford, West Yorkshire, the world’s first UNESCO City of Film, attended Leeds Beckett University and Inholland University of Applied Sciences studying Accounting & Finance. Could you tell us a little about your early years, your Uni choices and the decisions around the direction you hoped your career would take?

I didn’t work very hard at school and frankly did not appreciate being a child. You’re so disenfranchised. My A levels were mixed and I missed out on my first choice of University. It worked out well though as I had the opportunity to study in the Netherlands, which completely changed my outlook. Bradford’s an amazing place, and the people are something else. Taking my seat in City Hall was a real privilege.

You started your working life by training as a financial auditor at KPMG in the UK and are now a Commissioner and an experienced committee Chair at the JFSC and a Fellow of the Association of Chartered Certified Accountants. How did your career evolve from being an auditor to your current specialism?

I always knew I wanted to work with technology, but I’m all about delivery and outcomes rather than the technology itself. Finance is the language of business; technology is how it works. It seemed obvious at the time that you would need both, so I set out to do both.

You have over 20 years of experience in financial services both in Jersey and internationally, including senior executive experience across the trust and fund management, retail banking, insurance and Fintech sectors and are closely involved in Jersey’s digital economy. What brought you to Jersey?

After some years in local government, I stood for parliament in 2010. I actually got the best swing to my party in the constituency in my lifetime, but frankly politics was an increasingly toxic environment and I couldn’t see it getting better. Our son had also just been born and I couldn’t see how to combine being a good MP with being a decent dad. So we were up for a change and we could have gone anywhere, but being a lifelong Gerald Durrell fan, Jersey stood out. It was the right thing to do but I have sometimes missed the complexity and depth of community politics. Now I’m using my skills for public benefit, and it feels like the right place to be.

You are a specialist in quantitative risk management, with a focus on operations, technology, and cyber security risk and an advisor to start-ups across risk and capital markets. How do you see the link between these various activities?

Everything I’ve done has been about building things that solve problems. I didn’t plan it that way, but when I look back, that’s the recurring theme. I imagine I’ll keep doing that until I can’t.

Over the years, you have been responsible for various articles on Cyber-Security in the Wall Street Journal and the Telegraph, drafted a white paper for the World Economic Forum on Advancing Cyber Resilience in Aviation, won Security Leader of the Year in 2018 and were in the Top 30 Chief Security Officers and Cybersecurity leaders in the UK. From this extensive experience, how would you say cyber security has changed over the years?

I’ve been fortunate to contribute to a number of publications and present at various places around the world. Davos was interesting but the place I most remember presenting was at Bletchley Park; you feel the full weight of history. In 1940 it wasn’t called cyber security, but it was the same basic problem. For most of my career it’s been about hacktivists and criminals, and now we’re back with geopolitical conflict as the biggest issue.

You are currently Director of Jersey Cyber Security Centre, working across the jurisdiction to ensure the Island is prepared for cyber incidents and can defend effectively against threats. What in your view are the main threats?

It’s an unfortunate truth that much of our time at the moment is spent responding to the threat posed by Russia – both organised cyber crime in that region, and nation state related activity. The invasion of Ukraine has changed the dynamic and it is clear that unfriendly nations are willing to use hybrid warfare techniques including cyber to gain an advantage at any time. It’s not about Jersey, we’re just not immune.

Cyber crime has also become incredibly profitable and has a low chance of detection or punishment. It was estimated to be an $8 trillion industry in 2023, which would make it the world’s third largest economy after the USA and China. People are now trafficked into cyber crime and subjected to violence and abuse – it’s not at all the victimless crime people sometimes think it is. If you pay a ransom, that’s what you’re paying for. Ethically I struggle with that. Cyber crime also funds terrorism and despotic regimes like North Korea. Yet at any point in time JCSC will be tracking thousands of vulnerabilities across the island, many of which have easy fixes. You don’t know how cyber crime feels until you lose your business or your life savings, but then it’s too late. There is a lot more we can do together to reduce and manage this risk effectively.

Why is Jersey introducing a new Cyber Security Law?

There’s no effective legal framework around what we do at JCSC, because nobody did it here before. We need to fix that so we can protect the island effectively.

What in your view are the main learnings about Jersey businesses and culture from the recent consultation on the Cyber Law?

Jersey businesses are very committed to the island and strongly connected to their customers, but there is also a tendency to assume if it hasn’t happened here, then it can’t happen here. Unfortunately that’s not the case and we are in the same boat as everyone else. You can see a fire because there is smoke and a fire engine. Cyber attacks are often invisible outside an organisation, and JCSC doesn’t have flashing lights. That doesn’t make the problem any less real.

Do you have any key messages for the IoD Jersey membership on their approaches to cyber resilience?

Culture from the top is key. I’m often told most cybersecurity incidents are caused by people, but that’s simply not true and the surveys saying that are mostly vendor led drivel. In reality, most incidents are caused by companies not consistently implementing controls they have previously agreed on, because they are inconvenient or hard. Hackers don’t care about your risk assessment or your signed exception or your management reporting. They will keep looking at your people, processes and technology until they find a hole.

I also know how hard it is to secure large and complex infrastructure. Instead of adding more security technology, try to make it simpler. Have fewer systems and designate a business owner to be responsible for each of them. Lots of companies don’t even have a list of applications with identified owners. Imagine not knowing who is responsible for the money. It makes no sense. 

Do Cyber Essentials Plus. Everyone has an excuse not to, but for most it doesn’t really wash. It’s only four controls and they are all perfectly sensible. If you can’t do it, make your environment simpler or isolate the risky bits and do the rest. 

Security should work with people, not against them. If your security controls are painful, people will find a way around them. It’s rational human behaviour. Instead of fighting them, aim for better processes. 

Finally, incidents are not fun and how you respond often determines the cost. Practice beforehand so you are ready.

You have held a variety of volunteer roles over 21 years: School Governor, Bradford City Councillor, Chairman of the Channel Islands Information Security Forum, Governor at Bradford Teaching Hospitals NHS Foundation Trust and, in 2022, Treasurer for the Jersey Aero Club, relaunching an aviation and hospitality operation during a global health pandemic. What have you learned from these roles and where do you feel you made the most impact?

I’ve been a volunteer since I was 15. I find I’m more effective when I have a few points of focus.

Volunteering lets you make a difference to something you are passionate about, it keeps you grounded, and it builds new skills. Without that experience I couldn’t do what I do now. At Bradford Hospitals we had to replace the chair, the board and the auditors to pull it out of a financial hole that was compromising patient care. I was 25. We set up the Channel Islands security forum because when I moved to Jersey I couldn’t find anyone else doing cybersecurity. Three of us met in a coffee shop, and it’s now 500 strong. Helping to save Jersey Aero Club after the pandemic has been rewarding. It was in lots of debt and now runs sustainably with cash in the bank. I had to step back from it when I took on JCSC, but I am still on the Committee because I made a promise to someone that I wouldn’t walk away.

What would be really great is to find a future for the historic De Havilland Heron aircraft the Duchess of Brittany. I bought her for a pound to try to find her a future, but she really belongs to the Island. She’s a crucial part of Jersey’s history and needs a local home, however it’s a hard problem and I don’t know how that story will end.