At the start of February, we announced plans for the Cyber Security Challenge (CSC) to cease operations. Launched in 2010, its mission was to introduce cybersecurity careers to students, schoolchildren, and even those in full-time careers seeking a new direction.

SC UK was there from the beginning, attending press days and meeting contestants at early competitions—held in locations ranging from the offices of QinetiQ to Westminster Abbey, from the BT Tower to HMS Belfast. The initiative had a strong start, with winners including students and postal workers alike.

Led by figures such as Judy Baker, Stephanie Daman, and Robert Nowill, and under the watchful eye of patron Baroness Pauline Neville-Jones, the CSC became a driving force in the industry. Supported by industry sponsorship and guided by some of the best minds in cybersecurity, the Challenge attracted hundreds of applicants in its first decade. Its management team also became regular speakers at conferences.

However, the momentum didn’t last forever. The passing of Stephanie Daman in 2017 marked a shift, with the CSC focusing more on schools and education programs. In its next phase, its content will be donated to The Cyber Trust, and the CSC will officially cease operations at the end of this month.

The CSC had a significant impact, pioneering the use of gamification and challenges to develop cybersecurity skills and helping many people enter the field. SC UK spoke with several individuals involved over the past 15 years. In this first article, we examine how the Challenge was established and those who made it happen.

Head of Competitions

At the time he got involved, Jay Abbott was a member of the UK Security Practice at PwC UK. He volunteered for the CSC as Chair of its competitions.

Recalling early meetings, Abbott noted that there were 20-30 people in attendance. “It was clear I was the only techie in the room—everyone else was a ‘head of’ or ‘strategic lead of’—but no one really knew what the Challenge could achieve.”

Abbott recalls an American counterpart once asking Judy Baker, “What are you doing about the skills shortage?” She admitted she didn’t know, and that moment became the genesis of the Challenge.

As the resident technical expert, Abbott was asked what the Challenge could offer. He suggested games, hackathons, and other interactive activities, leading to his appointment as Head of Competitions. “Genuinely, I didn’t know what the hell I’d signed up for!” he laughs.

In the first few years, the CSC secured sponsorships, but many sponsors didn’t know how to contribute beyond providing funding. What the Challenge truly needed were competitions and people to design them—something no one had expertise in.

“So, in the first year, we did everything in-house,” Abbott explains. “We wrote the competition structures and took them to sponsors, asking, ‘What do you want to do?’ That gave them something to support.

“As the years went on, the more we worked with sponsors, the more they bought into what we were doing. It became their passion project, and that’s when everything really started to grow. The competitions improved, engagement increased—it had a natural momentum.”

Now, in 2025, online training programs and certification platforms are widely available, but back then, the CSC was one of the only initiatives of its kind. Abbott notes that as new cybersecurity platforms emerged, some mimicked CSC’s model. “Our audience went where the content was.”

That shift marked the beginning of the end for the CSC’s core competition structure. Although in-person competitions remained popular, they were logistically challenging to organise year after year. “The cost versus effort versus reward equation stopped adding up,” Abbott says. “I personally believe that’s why they pivoted to schools.”

Start of the Decline?

When asked whether the CSC ran out of steam in the later years, Abbott responds, “It never had steam—it was always driven: and I think that’s what people didn’t understand from the outside looking in.”

He recalls visits to Stephanie Daman’s home, where they would strategise and problem-solve. “She was constantly looking for funding opportunities.”

Daman’s passing dealt a major blow to the CSC. “She was the Challenge,” Abbott says. “No one could take that mantle from her.” While Judy Baker had been the driving force in the early days, “Stephanie was the perfect successor, embodying everything Judy envisioned,” he adds.

Abbott reflects that cybersecurity is an industry “full of introverts.” Without something to attract and engage people, interest fades. “Each year, it got harder and harder. When we lost Stephanie, we lost the drive.”

Maggie Jones, who joined after Daman’s passing as finance director and later served as general manager and CEO, shares her perspective: “I’m very sad about the Challenge’s closure, but I think it fulfilled its mission.”

Around the time of Daman’s passing, Jones notes, the industry was evolving. The Challenge had been a “market maker,” identifying early on that cybersecurity skills development was being overlooked. It sought to engage those who enjoyed problem-solving, tinkering, and breaking things to understand how they worked—many of whom were gamers.

“So, we used gamification to attract them,” she says.

This approach led to broader inclusion efforts, such as initiatives encouraging more women to join and supporting neurodiverse individuals and those from lower-income backgrounds.

“I think it was a natural evolution—filling a space that needed support,” Jones reflects.

However, the CSC’s nonprofit status meant it couldn’t always capitalise on its innovations. Jones believes that if the Challenge had been a for-profit organisation, it could have monetised its materials to fund further education efforts.

“If industry had been more charitable, they would have helped us continue,” she says, “but they’re not.”

Commenting, Robert Nowill, the final executive chairman of the CSC, says the non-profit element was a deliberate choice by the founders when registering the organisation at Companies House in March 2010.

“No doubt if it had been either a for-profit or a Charity, it could also have been a success in different ways – but different people would have been in the mix from the start so impossible to second guess such outcomes,” he says.

Jones highlights programs like CyberCenturion and Challenge in a Box, now being carried forward by The Cyber Trust. Yet, with the CSC website offline, she wonders, “Are they reaching enough people?”

A Gradual End

Funding and competition from other organisations ultimately led to the CSC’s decline. Jones describes the Challenge as “the R&D department of the cyber education sector,” but without continued investment, its sustainability became impossible.

“Our role was to elevate cybersecurity as a profession, attract talent, and showcase opportunities,” she says. “We did all of that. Now it’s up to industry to take over—but that pipeline remains problematic because no one is actively maintaining it.”

Nowill admits that there were some difficult periods, as the Challenge was forced to “forever re-invent ourselves as others occupied our space, including by some of our sponsors and others running to catch up in this space with bigger budgets.”

First getting involved as a sponsor, whilst working with BT Security around 2012/13, before becoming a board member and ultimately the chair, Nowill says other similar competitions drew government money and grants ahead of the CSC, and “quite proper governance rules meant things we pioneered were not always awarded back to us after procurement competitions.”

Other Activities

Stuart Coulson, one of the most recognisable faces of the CSC and its director of business engagement, acknowledges that too much focus was placed on creating competitions, rather than securing funding.

He points at the Cyphinx Tower concept, where competitors could tackle realistic network defence scenarios, saying it was “a good idea, but they had no idea what to do with this” and too many concepts were “ahead of their time.”

There was also the ‘Cyber Challenge in a Box’ contest, originally a face-to-face activity for school groups, and what Nowill calls “now one of our most popular components within Cyberland.” 

By late October 2018, the team were involved with Cyber Re:coded, which combined a recruitment fair with the European Cyber Security Challenge (ECSC), where 17 countries across Europe competed in a two-day hacking competition.

This ECSC is one of the legacies of the Challenge, as they have continued year after year, with only a break in 2020 due to COVID. Nowill says: “Going forwards, SANS are now running the UK Cyber Team Competition selection process in partnership with DSIT and Team UK will join in both ECSC and International Cyber Security Challenges through Team-Europe, and a women’s team, if any within Team UK qualify for those. The next ECSC is held in Poland this year.”

The Legacy

Despite the various setbacks, Coulson calls his time at the Challenge “the best job I’ve ever had by a country mile.”

“It changed people’s lives,” he says. “The players were always the priority. I made sure at the end of every competition to go into ‘dad mode’ and talk to them about the next steps. It was incredible.”

Abbott believes the Challenge “solved a problem” and its impact is visible today. “I look at LinkedIn and see former contestants now working as cybersecurity experts, subject matter specialists, and industry leaders. The Challenge defined their careers, and that’s success enough for me.

Jones also praises the networks the CSC fostered. “The connections people made, the collaborations—it was incredible,” she says.

While she’s saddened by the CSC’s closure, she isn’t surprised. “It was never meant to last forever. It wasn’t designed to make money; it was designed to serve. And it did that exceptionally well.”

Nowill admits that “many emergent groups and organisations rode on the wave that we pioneered” which he admits that in this very fast-moving sector of innovation, is “standing on the shoulders of others.” Looking at the legacy of the Challenge, he says those who were involved - “many wonderful people now in careers they may not have ever considered but for the Challenge, doing jobs and working in topics not even dreamt of when we first started.”

In the coming weeks we’ll talk to those who were involved and where their experience took them and aided their careers, and what the impact of the Challenge is upon other offerings. At this stage though, it’s important to reflect on what the Challenge was set to achieve, what it was able to do with the aid of so many volunteers and industry backing it, and how many people it was able to encourage into careers.

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.