As Chief Information Security Officer (CISO) at Rolls-Royce, Muhittin Hasancioglu’s role begins with understanding the ever-changing cyber threat landscape – and never really ends. His principal aim is to help Rolls-Royce and its suppliers anticipate, mitigate and recover from attacks that are growing more sophisticated by the day.
“Within the next five to 10 years, I believe we will see more digital crime than physical crime,” he said.
Hasancioglu joined Rolls-Royce recently, bringing more than three decades of cybersecurity leadership from global energy companies including Shell and Petronas. In recognition of Cybersecurity Awareness Month, we spoke with him about the evolving threat landscape, the risks posed by artificial intelligence (AI), and why he won’t use any intelligent devices in his home. (Interview edited for clarity and length.)
Your official title is Chief Information Security Officer (CISO), but you describe your responsibilities in terms of “risk management.” What does that mean to you?
MH: Rolls-Royce operates in some of the world’s most highly regulated industries where safety and security are non-negotiable. That’s why we uphold the strictest cyber security protocols. The safety and security of our products and data remains our top priority always.
I see myself first as a business leader, whose job is to help the company grow securely and sustain its value against cyber threats. That means understanding cyber risks and helping businesses to own and make informed decisions to mitigate or accept those risks. My job is not to be a policeman or regulator. It’s to help design secure solutions, and to be a trusted voice that says, “This isn’t good enough. How do we fix it?”
Let’s dive into the main cyber issues confronting Rolls-Royce and its supply chain. Describe the current threat landscape.
MH: In the past six months, we’ve seen a shift in behaviour from organized crime and possibly even nation-states. Instead of immediately trying to make money, they are increasingly focused on disrupting manufacturing and supply chains.
What happened to Jaguar Land Rover and Marks & Spencer shows us how their businesses have been operationally impacted; M&S took about four months to recover its operations and JLR did not produce a single car for five weeks. These incidents impacted the entire supply chain. This is a change in behaviour. This tells us high-profile brands are being targeted deliberately and attackers are using AI to enhance various phases of their approach.
I worry the same could happen again. We need to be alert — to raise our alert level and continuously, proactively reduce our risk landscape or attack surface, and increase our resilience.
What’s your message to suppliers?
MH: We all need to get better – to recognize we are under constant threat and to act on that knowledge.
Suppliers must integrate cybersecurity components into their procurement processes — vetting their own vendors and ensuring partners can protect themselves. It's a cost consideration for them, yes, but also a maturity issue. Rolls-Royce is committed to helping suppliers improve, but at the same time, they must take responsibility for their own resilience.
Is every Rolls-Royce supplier up to the challenge?
MH: There is definitely a gap. With 4 million cybersecurity jobs vacant at this point globally, there is a shortage of skills and capability everywhere.
That’s why supplier selection and validation is critical. We need to do this in a positive way, helping them to increase their resilience, rather than using it as a threat to end the relationship. The goal is to help suppliers mature and increase their resilience, not punish them.
How serious is the AI threat – particularly deepfakes?
MH: Very serious. Social engineering and deepfakes often go hand in hand. Attackers use them to extort money, damage reputation, or influence public opinion.
Anyone can be a target — politicians, CEOs, or people like me. If my voice or image ends up online, it can be cloned. It’s real and we need to be alert. For example, sometimes I get a call and if I don’t recognize the number, I don't answer because I don't want my voice to be captured by these people to be used for something else.
It sounds like you are thinking about the risks all the time.
MH: I do. Cyber awareness isn’t just about protecting Rolls-Royce, it’s about protecting yourself. Attackers use the same methods to access your bank account, your family member’s devices, or your private life.
That’s why I am cautious when using “intelligent” devices in my house. I don’t trust that anything consumer-oriented is strong enough to be protected. When products are cheap, the encryption is very limited. You can easily breach those kinds of things. I control my own heating and I control my own lights. It doesn't mean that smart devices are bad. But the problem is the industry needs to recognize the cyber threat and increase the resilience of their products.
If you’re doing your job right as CISO, does that mean no cyberattacks?
MH: I will never say that there will never be a breach. My strategy assumes there will be one — and my job is to limit its impact.
Protect your crown jewels and make sure that your designs and capabilities reduce the risk to as low as possible. Be alert, and have detection, response, and recovery capabilities that are first-class so you can respond as quickly as possible.
You’ve talked about cybersecurity becoming a differentiator for businesses. What do you mean by that?
MH: Attacks will continue to increase and cybersecurity will separate the capable from the vulnerable. In the supply chain, those with strong cyber maturity will be preferred partners. Otherwise, companies like Rolls-Royce will be inheriting suppliers’ risks, and that’s something no business can afford to do.