After 20 years at Thales UK, the last five of them running the company’s e-security business, Phil Jones joined Airbus Defence & Space in March as the head of cyber security for the UK. While it may appear odd to see the manufacturer of civilian airliners involved in the cyber area, the group’s track record goes back a long way, with predecessor units of the Airbus Group involved in major programs such as the UK Ministry of Defence’s Defence Information Infrastructure (DII) project since its inception a decade ago. Jones spoke with ShowNews’ Angus Batey during the InfoSecurity Europe exhibition in London earlier this month.

In a market dominated – at least in terms of number of vendors – by small and very fast-moving companies, how can a giant like Airbus compete?

Large companies offer a route to market, existing customer relationships, and deeper pockets, sometimes, in terms of investment. We provide the longevity, corporate responsibility and corporate accountability that large institutions need. It's easy to believe that Airbus is going to be around for a long time. We're not going to disappear next year, we're not going to be bought out by somebody – that's not likely in our environment: quite the reverse. Also, Airbus is primarily a commercial organization, not a defense organization, and that differentiates us and gives us the ability to be more commercially agile. But I'm not trying to compete on agility – I'm trying to compete on service. Technological service, but also the type of people we employ, the way we've invested in those people, and their commitment to us as well.

Is this a market that defense companies are comfortable being in?

I think there's been this toying with the idea – trying to figure out exactly what the market is, and also trying to understand whether it's a defense market or a security market. And I think that debate's still going on. (Cyber) is a capability that needs to be part of a resilient system, as opposed to a specific tool in itself. Where I think it translates to being more of a security market – of which defense is one element – is the protection of the infrastructure.

Yet governments still seem to perceive a threat to a network as a defense problem, while a threat to a banking or power-generation network is seen as a civil problem – even though both could be an attack on a nation.

Traditionally we've been thinking of cyber as an offense/defense capability, very much at the military end of things. But actually it's as much about the enterprise of defense, the enterprise of critical national infrastructure (CNI), and the enterprise of the high-threat spectrum of businesses. CNI includes the utilities and the finance infrastructure, but it also includes the adjacent bits, like food-supply logistics. If you don't feed the nation for three days it'll riot. So we have this confusion in the marketplace, but I think some people are waking up to the confusion. I think we're at the cusp of having a clear understanding.

Where has the confusion come from?

The cyber community has not been a friend to itself in many ways because it's wrapped this whole thing in a difficult-to-penetrate technology psychobabble. As an industry, I think, we make it very difficult for people to address the issues that we've got – particularly because every day there's a very highly marketed pop-up organization that wasn't here last year, may not be here next year, and it's offering today's snake oil. I keep calling it “vacuum-packed vacuum.” There is that danger in this marketplace. Until we mature and understand that we're trying to offer a service, and in the market we're trying to talk to – whether it's military, CNI, or in our case the higher threat. And that is the end that we're looking at. Until we start appealing to the accountants and chief executives then I think we're probably missing our target audience.

What have you noticed since joining Airbus that's different to what you'd experienced or expected?

The thing I'd particularly note is that Airbus has got an absolute passion for cyber security. I haven't seen it anywhere else as much as I've seen it here. From (CEO) Tom Enders down, cyber security is important – not just as an out-facing business, but it's actually taken seriously inside the organization. And I think that really bodes well for the business, and for Airbus as well.