Decision

Advice Letter: Ciaran Martin, Advisor, CyberCX

Updated 26 September 2022

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/martin-ciaran-chief-executive-at-national-cyber-security-centre-gchq-acoba-advice/advice-letter-ciaran-martin-advisor-cybercx

August 2021

1. BUSINESS APPOINTMENT APPLICATION: Professor Ciaran Martin CB, Chief Executive at National Cyber Security Centre 2014 - August 2020

Professor Martin, former Chief Executive at National Cyber Security Centre (NCSC), part of Government Communications Headquarters (GCHQ), has sought advice from the Advisory Committee on Business Appointments (the Committee) under the government’s Business Appointments Rules for Former Crown servants (the Rules) on an appointment he wishes to take up with CyberCX as an advisor. The material information taken into consideration by the Committee is set out in Annex A.

The purpose of the Rules is to protect the integrity of the government. Under the Rules, the Committee’s remit is to consider the risks associated with the actions and decisions made during time in office, alongside the information and influence a former Crown servant may offer CyberCX.

The Rules set out that Crownservants must abide by the Committee’s advice. It is an applicant’s personal responsibility to manage the propriety of any appointment. Former Crown servants are expected to uphold the highest standards of propriety and act in accordance with the 7 Principles of Public Life.

2. The Committee’s consideration of the risks presented

The Committee noted that Professor Martin did not meet with CyberCX and there is no relationship between NCSC and CyberCX. Further, the department confirmed he did not make any decisions specific to CyberCX. Therefore, the Committee considered the risk he could be seen to have been offered this role as a reward for decisions made, or actions taken in office, was low.

The Committee noted that this proposed role overlaps with Professor Martin’s time in office. Therefore, there could be a perceived risk he had access to relevant privileged information, which could unfairly benefit CyberCX, this is especially relevant as CyberCX is looking to expand into the UK. Professor Martin could offer an unfair advantage over their competitors as it might appear as though he can offer privileged insight into the UK’s security sector. However, the Committee gave weight to the department’s confirmation that he had no access to information that could provide an unfair advantage and he has been out of office for over 8 months. Further, Professor Martin’s previous department, NCSC, has a purpose and commitment to be transparent and he has an ongoing duty of confidentiality.

The Committee noted there is an inherent risk that Professor Martin’s network of contacts within government could unfairly benefit CyberCX. The Committee would draw his attention to the lobbying restriction and the restriction on providing advice on the terms of a bid or contract relating directly to the work of the UK government imposed below. However, the Committee noted this was in keeping with his role as described.

The Committee also noted as the former Head of NCSC, there is a risk associated with his influence and contacts within the UK security sector. Given CyberCX is looking to expand into the UK his influence and contacts within this sector could unfairly benefit CyberCX. Therefore the Committee would draw Professor Martin’s attention to the below restriction that makes it clear he should not use contacts he has developed in the UK security sector and other organisations for the purpose of securing business for CyberCX.

The Committee also noted there may be potential risks associated with the unknown nature of CyberCX’s clients. Specifically, should they be a company or organisation Professor Martin or NCSC had a commercial relationship with or where he had some specific insight or influence in respect of their work whilst in post. Therefore, the Committee considered it would be appropriate to impose an additional condition to prevent him from advising CyberCX or its clients where it involves working on policy he had involvement with in office.

Taking into account these factors, in accordance with the government’s Business Appointment Rules, the Committee advises this appointment with CyberCX be subject to the following conditions:

  • he should not draw on (disclose or use for the benefit of himself or the persons or organisations to which this advice refers) any privileged information available to him from his time in Crown service;
  • for two years from his last day in Crown service, he should not become personally involved in lobbying the UK government on behalf of CyberCX (including parent companies, subsidiaries, partners and clients); nor should he make use, directly or indirectly, of his contacts in the government and/or Crown service to influence policy, secure business/funding or otherwise unfairly advantage of CyberCX (including parent companies, subsidiaries, partners and clients);
  • for two years from his last day in Crown service he should not undertake any work with CyberCX (including parent companies, subsidiaries, partners and clients) that involves providing advice on the terms of, or with regard to the subject matter of a bid with, or contract relating directly to the work of, the UK government;
  • for two years from his last day in Crown service, he should not become personally involved in lobbying contacts he has developed during his time in office and in other governments and organisations for the purpose of securing business for CyberCX (including parent companies, subsidiaries and partners); and
  • for two years from his last day in Crown service, he should not advise CyberCX or its clients on work with regard to any policy he had specific involvement or responsibility for as CEO at the National Centre for Cyber Security, or where he had a relationship with the relevant client during his time as CEO at the National Centre for Cyber Security.

Professor Martin must inform us as soon as he takes up employment with this organisation(s), or if it is announced that he will do so and we will publish this letter on our website.

Any failure to do so may lead to a false assumption being made about whether they have complied with the Rules.

Professor Martin must inform us if they propose to extend or otherwise change the nature of their role as, depending on the circumstances, it may be necessary for them to make a fresh application.

Once the appointment(s) has been publicly announced or taken up, we will publish this letter on the Committee’s website and where appropriate refer to in the annual report.

3. Annex A - Material information

3.1 The role

Professor Martin said CyberCX is a cyber security consultancy based in Australia with a small UK base in Oxfordshire. The website states it launched in October 2019, and brought together leading cyber security experts to become ‘…the leading end-to-end cyber security service’. It states it helps private and public sector organisations ‘…realise the opportunity of better cyber security in an increasingly complex and challenging threat environment’. CyberCX exclusively manages cyber risk, offering a number of services: consulting and advisory; governance, risk and compliance; incident response; penetration testing and assurance; managed security services and cyber security training.

Professor Martin said the company wishes to ‘…build out from its Australian roots into wider five eyes markets’[footnote 1]. He said his job will be to:

  • Provide occasional strategic advice on cyber security trends
  • Do conferences/ seminars on the company’s behalf
  • Mentor their small Oxfordshire team

He does not expect his role to involve contact with the UK government.

3.2 Dealings in office

Professor Martin said he did not meet with CyberCX while in service and there is no relationship between CyberCX and NCSC. Professor Martin also confirmed he did not have any involvement in policy relevant to CyberCX nor did he make any decisions affecting CyberCX while in post. He also said he did not have access to sensitive information relevant to CyberCX and did not meet with competitors of CyberCX.

3.3 Department Assessment

GCHQ confirmed the details given in Professor Martin’s application and stated it had no relationship with CyberCX. It also stated Professor Martin’s experience as CEO of NCSC gave him access to the UK’s cyber security policy but stated this is generally already available to the public. It also said his previous position provides significant additional credibility.

The department had no concerns with regards to this application.

  1. The Five Eyes is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom and the United States. These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence. 

Back to top