Five Minutes With: A Chief Security Authority

BT’s Dave Harcourt has dedicated 33 years (and counting) of his career to BT. He’s optimistic about AI, hates the cybersecurity ‘ivory tower,’ and cherishes the time he spent working with NCSC’s Ian Levy. But there’s so much more to learn about the BT Fellow, including his love of playing the ‘Old Joanna’

What was your route into cybersecurity?

I fell into cyber by happy accident. It was around the early 2000s, and we suffered a significant outage in BT’s IP backbone. While this didn’t have nearly the same effect as it would do today, we needed to check if it was a security-related incident. Seeing as it was typically my role to write security policy compliance documents, I became the nominal ‘security expert’. The rest is history!

If you could retrain for a dream job, what would it be?

To return to the world of music and play keyboard professionally.

Who do you admire in the cybersecurity industry?

It’s almost impossible to narrow this down to one person. I truly admire any thought leaders out there who are dedicated to educating organisations on the big cybersecurity issues and helping make the world a safer place.

I looked up to my mentor at BT, John Regnault, for many years. John was always passionate about driving industry change during his time at the organisation. I also admire the work that Dr. Ian Levy did at the NCSC (as Technical Director) to defend the UK. I had the pleasure of working closely with Ian.

What’s the biggest misconception about cybersecurity?

I think a lot of people see cybersecurity as something of a ‘dark art’ that can only be understood by the technical experts in the weeds of vulnerability patching, for example. That’s simply not the case. Security isn’t a hard thing to do, it’s a mindset. The best security professionals out there aren’t necessarily taught security, they are driven by curiosity and are constantly seeking out the ‘what’, ‘why’ and ‘how’ of a problem. There’s much more of a human element to cybersecurity than many people realise.

What’s the best thing about your job?

I like the daily new challenges. There’s a lot of worry about the risks that quantum computing and Generative AI bring, but these are the exciting innovations that keep us thinking every day.

People definitely wonder how security leaders can sleep at night knowing about these evolving risks. In reality, there’s no ‘silver bullet’ to being 100% secure. But as long as you’ve done everything you can to protect your organisation, and you’re prepared for the inevitable – because a breach will happen to everyone – that’s all you can do.

And the worst?

Undoubtedly the worst part of cybersecurity is the misconception that security is security’s problem. In reality, it’s everyone’s responsibility to make sure they’re secure.

What advice would you give to industry newbies?

Firstly, cybersecurity is a very broad field. Before you jump into one area, make sure you explore all the options. It’s best to understand the full breadth of this industry before homing in on one discipline.

Secondly, security can be somewhat of an ‘ivory tower’ – it can become siloed and feel detached from what the rest of the business does day to day. That’s why it is really important that security teams understand what happens in other departments. It’s crucial to make sure your security advice is relevant to the people you’re advising.

What’s the biggest as-yet-unsolved problem in security?

Isn’t there always another unsolved problem just around the corner? Ultimately, I think it all comes back to culture. We still struggle to make security front of mind for those who don’t eat, speak, and breathe security in their daily lives. It remains an afterthought for many.

Especially with the move to the cloud – we need to adapt security practices in line with these new boundaries and it will require buy-in from every member of an organisation. And as zero trust moves from a buzz word to a reality, one big problem we need to address is how zero trust operations and behaviours changes much of the language and culture we’ve built over the years.

What industry or sector do you think cyber could learn from?

Every sector learns lessons in different ways, and there’s no singular industry I think we should learn from. However, there is a need for greater cross-sector collaboration. As a Director of Stop Scams UK, I’ve seen the immense value of leaders across communications, finance and technology coming together to discuss a key challenge that is affecting them (in this case, scams).

What are the pros and cons of staying with one organisation for so much of your career?

After 33 years here, I know BT’s pipework and can look broadly across the organisation to understand the biggest challenges and what these mean for the entire business. I’ve had a great career here—I’m seriously proud to be one of BT’s first Fellows and to see security professionals recognised across the organisation.

One of the cons, however, is the risk of less exposure to new thinking. It can be easier to become siloed if you’re not actively seeking collaboration.

Is AI a bigger threat or opportunity for the cybersecurity profession?

We’ve actually been using AI for many years already – it’s just the dawn of GenAI that has brought this to the front of everyone’s mind. The short answer is that only time will tell. I see GenAI dangers in its ability to create truly authentic-looking phishing emails, along with the heightened speed of reversing patches and exploiting vulnerabilities. But it has huge benefits, too, and holds massive opportunities to help people get security right.

I’m certainly not running away from AI. I’m looking at ways we can adopt it securely, which may mean I see it more as a great opportunity rather than a threat.

Tell us something that will surprise us about you?

It may not be as surprising now that I’ve mentioned my musical past, but I actually used to play keyboard semi-professionally. I played for a few dance and jazz bands and even dipped my toes into ballroom dancing, too.