Major-General Jonathan Shaw is a decorated military leader and one of the UK’s foremost experts on defence strategy, national security, and international relations.

As a former Director of Special Forces and the UK’s Head of Cyber Security at the Ministry of Defence, Shaw has overseen critical military operations worldwide, including in Iraq, Kosovo, and Sierra Leone.

His distinguished career has made him a highly sought-after commentator on global security, geopolitical threats, and military affairs. Today, as one of the country’s most in-demand cyber security speakers, Jonathan Shaw advises governments, businesses, and organisations on navigating an era of digital disruption, escalating cyber threats, and geopolitical uncertainty.

In this exclusive interview, he offers expert insights on the future of cyber leadership, the realities of ransomware, national infrastructure risks, and why urgent, proactive preparation is essential for organisations hoping to survive and thrive in today’s hostile cyber environment.

Q: Leadership styles often struggle to keep pace with today’s evolving cyber landscape. From your perspective, what defines truly effective leadership in cybersecurity now?

Major-General Jonathan Shaw: “That’s the key point. Cyber is fundamentally disruptive. It concerns information, and therefore it’s hugely destabilising — it disrupts the whole hierarchy of information flow and knowledge. Organisations are typically set up on the assumption that people at the top get the information first, understand it, and direct others. In the cyber world, that’s simply not true.

“People of my generation — the senior ranks — are often what I call cyber tourists: they haven’t got a clue about it. Leadership must change, because you can no longer wait for people at the top to work out what’s going on and issue orders. You have to empower, train, and trust people — particularly those on the coalface. People your age, not mine, are much better at handling cyber issues.

“What’s needed is a shift from a top-down command-and-control system to one that empowers those at the front lines. This gives you the people who understand the issues and enables a much faster response, because hierarchical systems are too slow. In the military, we call it mission command rather than directive command — and it’s essential today for speed, knowledge, and effective response.”

Q: With ransomware now dominating headlines, what practical steps should businesses take if confronted by a financial extortion attempt — and why is paying the ransom not the solution?

Major-General Jonathan Shaw: “I was watching Lindy Cameron, the new Chief Executive Officer of the National Cyber Security Centre (NCSC), who recently gave a talk — it’s available online, and I encourage people to watch it. One key thing she emphasised is that ransomware presents the most immediate danger to UK businesses and organisations. It is, without a doubt, the top threat we face.

“As for what to do about it — I won’t try to second-guess the NCSC. I’d encourage everyone to visit their website, where they lay out full instructions. But as a taster, here are some highlights: first, always have a clean backup of your data on a separate, contingency server, isolated from your existing systems. That gives you a fallback.

“Implement layered defence — multiple layers of protection. Conduct regular backups. Prevent malware delivery and spread. These are some of the top tips the NCSC offers. The fundamental point they stress is: do not pay the ransom.

“You have no guarantee you’ll get your data back. Even if they give it back, they may retain parts of it and blackmail you again later. It’s a futile gesture. Don’t do it. Have a clean backup, take the hit if necessary, and follow the NCSC’s clear guidance. Yes, take ransomware seriously — it’s the critical threat right now.”

Q: National-level cyber attacks are often seen as distant or abstract risks. In practical terms, how severely can a coordinated cyber assault impact the daily lives of ordinary citizens?

Major-General Jonathan Shaw: “You don’t have to look far for real-world examples. Perhaps the most dramatic was when Russia took offence at the Estonian government’s decision to move the Bronze Soldier statue from the centre of Tallinn to a graveyard. They saw it as an insult, and in 2007, they essentially shut Estonia down.

“They crippled the country’s banking, government, and media — they couldn’t even report on what was happening. Russia unleashed a wave of botnets and DDoS attacks that paralysed Estonia for weeks and months.

“Interestingly, that’s why Estonia today is arguably Europe’s, if not the world’s, best example of cyber defence. They set up a cyber defence unit; the whole nation got involved, realising how serious this is. If you’re facing a major cyber attack, everyone has a role to play.

“If there’s one case study I’d urge everyone to examine, it’s Estonia’s response — it shows not just the scale and severity of attacks like this but also the importance of collective action. We all need to switch on to it.”

Q: With national infrastructure increasingly vulnerable to digital threats, how realistic is the risk of a successful cyber attack — and what real-world factors either heighten or reduce that risk?

Major-General Jonathan Shaw: “People will exploit weaknesses. If someone decides to launch such an attack, they will probably get through. The question is, how do you mitigate that?

“That might sound like bad news — but there’s both good and bad news. The good news is that nation-states haven’t taken each other out because of the old doctrine of nuclear deterrence: mutually assured destruction. If China could take down Britain, Britain could likely take down China, and neither side wants that outcome.

“However, the bad news is that actors often use proxies — criminal organisations that aren’t tied to national infrastructure we can retaliate against. So the real threat comes from non-state actors. Some would argue that those non-state actors are state-backed, and that may well be true.

“What’s more promising, though, is that these bad actors still have to operate in real-world geographical locations — Russia, China, Bulgaria, or elsewhere. Pressure can be applied. As China has shown with cryptocurrency, governments can still control what happens in cyberspace.

“There are levers available that can help prevent mass takedowns of entire countries, because, as it stands, it’s in no one’s interest to allow such devastation. So, yes — there’s good news and bad news. But ultimately, if someone wants to do it, they probably can — so we had better prepare.”

This exclusive interview with Major-General Jonathan Shaw was conducted by Mark Matthews.

