Cyber security: Do the experts need letters after their name?
All roads lead to a job
Despite its reticence over everything Snowden, GCHQ has been awfully proud of its work with academia over the last year.
Though it has always worked closely with universities, the Cheltenham-based spy agency has given its backing to various government initiatives designed to give a fillip to British cyber-security wannabes and graduates.
In August Francis Maude, minister for the Cabinet Office and one of the mandarins leading the drive to improve the UK’s digital defences, announced the certification of six Master’s degrees while on a visit to GCHQ’s famous donut-shaped building.
Universities were asked to prove that their courses met the agency’s “stringent criteria”. Though this changed little of what was on offer for students, the attraction of gaining a degree which has the stamp of approval from one of the world’s most technically and technologically adept spy agencies is likely to draw more into the industry.
The recognised universities may soon qualify as Academic Centres of Excellence in Cyber Security Education. Alongside this, GCHQ and the Engineering and Physical Sciences Research Council continue to add names to the Academic Centres of Excellence in Cyber Security Research, set up in 2012. Eleven have so far been added to the list.
A host of other decent courses which have not been sanctioned by Whitehall or GCHQ also offer youngsters and mature students alike plenty of choice when it comes to getting a degree, if that’s the path they wish to take.
They could, of course, go down other routes: getting a graduate job having already acquired a suitable degree, or shifting from a non-security IT role.
Businesses might also consider those who took a darker path before turning legit: convicted cyber criminals can be rather adept at finding vulnerabilities after all. There are many roads to a job in the industry.
Security leaders have a lot of choice too. For those who are keen on university approval, graduates who have come from institutions with the GCHQ stamp should prove attractive.
“What GCHQ has done is to try to show students which courses have both the depth and breadth that will be needed for when they come to work in the field,” says Professor Alan Woodward from the University of Surrey, which runs a GCHQ-accredited Master’s.
“That matters as there is a danger of choosing any degree that happens to label itself appropriately, but finding when you are doing the course – or worse after you have completed it – that it isn’t really the right match for employers.”
Graduates from non-technical courses should also be considered. Woodward adds that the Surrey Centre for Cyber Security welcomes people not just from computing but from psychology, law and other faculties.
Not everyone is taken with the plethora of courses now on the market. Undergraduate courses are deemed by many as unsuited to the complex, wide-ranging world of information security.
Professor Keith Martin, director of the information security group at Royal Holloway, University of London, is not convinced by undergraduate degrees devoted entirely to cyber security.
“Cyber security needs to be understood within the context of a wider perspective. A computer science or information engineering programme with a cyber security specialist track makes sense to me,” he says.
“A BSc in Cyber Security does not make sense, and BSc programmes devoted to further specialism, such as ethical hacking or penetration testing, make even less sense.”
But generalist Master’s degrees that “paint the big cyber security picture” are proving successful, Martin claims. “Our Master’s graduates are finding jobs fairly quickly at the moment,” he says.
Been there, done it
Many still believe that security remains a craft rather than a qualification. “The people who have learned on the job, taught themselves and have experience are probably the best qualified of all,” says Woodward.
“In some ways the degrees are a way of trying to condense these years of experience and knowledge and pass it on.”
That experience will prove vital for anyone hoping to get a job in security.
“There is plenty of evidence that employers place very high value on cyber-security experience, so inexperienced graduates will always have to work hard to get their jobs. Those who have learned on the job will remain in a strong position,” says Martin.
Quentyn Taylor, head of information security at Canon, says he never looks for specific security degrees but for certain character traits in the applicant and for that vital experience.
“I am looking for someone to have a degree in something – not computer science, security, just something. I’m typically hiring people who have five to eight years experience,” he says.
Taylor likes those who have not spent their entire career doing solely security and who often don’t appreciate user experience. Transferable skills have proved increasingly important, with employees being asked to prove their worth to the business rather than simply to extinguish digital fires.
Taylor does not see a great core skills crisis, but believes there is a dearth of business-minded security people.
“If I want someone who is very good pen tester and who can stand up in front of a room of biz people, that person is rare. When you have a smaller team you want someone to bring value from day one,” he says.
Raj Samani, CTO for EMEA at McAfee, part of Intel Security, believes the most vital personal attribute in a candidate is a love of the craft.
“It is about identifying those with a genuine passion for cyber security. The nature of the environment means that you have to love what you do to put in the hours necessary for protecting your environment,” says Samani.
Poacher turned gamekeeper
Determining whether personal attributes will be sustained after an applicant is given the job is close to impossible. That’s why many remain wary of hiring convicted hackers, though they bring with them valuable skills.
“This is entirely subjective and depends on the business,” Samani says.
Taylor does not believe in this route. “It is not something I would entertain,” he says, although he has welcomed convicted hackers from consultancies to help Canon.
But even the government is considering whether it would welcome former criminals into its cyber divisions. In October last year, Lt Col Michael White, head of the MoD’s new Joint Cyber Reserve Unit, told BBC Newsnight candidates would be assessed on their skills rather than their personal history.
Asked directly about employing convicts, White said: “If they could get through the security process, if they had the capability that we would like, and if the vetting authority was happy, then why not?”
Among many examples of poacher-turned-gamekeeper success stories is Kevin Mitnick, who infiltrated networks of some of the biggest tech firms on the planet, including IBM and Nokia.
"A firm developing anti-malware products, might well benefit from turning a clever hacker"
After serving jail time in the 1990s, he has become one of the best-known white-hat hackers. Mitnick has set up a controversial zero-day exploit sales business, which is likely to make him millions, annoying all those who supported him when the government kept him in solitary confinement for years before his trial.
“Anyone operating at the nuts-and-bolts end of cyber security, for example a firm developing anti-malware products, might well benefit from turning a clever hacker,” says Martin.
“I am sure this has been done in the past. However most of cyber security is not about the technicalities – it is about providing a broad security culture, designing sensible policies and practices and understanding the risks. If organisations implemented best practice then they would be in a very good shape, and they don’t need to hire a hacker to do this.
“Most businesses would probably do well to steer clear of people with question marks over their ethical practices. Do banks hire bank robbers?”
Well, some have done. Cal Leeming, who was convicted of stealing credit-card data to purchase items that he later sold on eBay, was brought in as a consultant in 2006 to help Barclaycard address some social engineering issues. No doubt others have followed similar paths.
Jobs for the boys
However many avenues there are into the field, and for all the wonderful things the security industry is capable of, it remains a sector with comparatively few working females. Research from October 2013 by certification organisation (ISC)² revealed that women make up just 11 per cent of the information security workforce.
This is part of the wider problem of women in IT, but CISOs could certainly benefit from a more diverse workforce. There are some staggeringly talented females in the industry, from ex-Apple security chief Kristin Paget, who is now at Tesla, to Katie Moussouris, chief policy officer at bug bounty platform HackerOne.
“Many find it difficult to put themselves forward because of the perceived maleness of the industry,” says Neira Jones, an independent advisor in payments, risk, cybercrime and digital innovation.
“Look at the speaker line-up of any info sec conference – women are few and far between. But it’s a two-way thing. Conference organisers should encourage women to participate and women should not be reluctant to put themselves forward.
“We see the same phenomenon when looking at paper submissions. Very few women do this.”
Jones believes CISOs need to broaden their recruiting practices and not get too obsessed with certifications. She suggests creating a government-funded scheme that enables more individuals to enter the profession according to specific skills and experience.
“We keep talking about the lack of cyber-security awareness, which itself is the source of many highly publicised data breaches, but how many CISOs employ behavioural scientists, communications experts or change-management professionals?” she asks.
One way of getting both sexes interested in security might be to focus on catching them young. Projects to get kids interested in security are already underway, including the e-Skills Secure Futures campaign, which offers schools free teaching resources for Key Stages 3 and 4. Children as young as 11 are introduced to the concept of cyber crime and what can be done to stop it.
Taylor believes such programmes should be aimed at even younger kids and be broadened to accommodate other areas of security. “Teach privacy as soon as they hit the creche,” he says.
“Maybe they should start doing modules for GCHQ courses. Why are we not testing kids about security and privacy at that point?”
Any kind of broadening of the entrance points into security should be a good thing. The global security skills crisis is real, with a shortage of one million security professionals worldwide, according to Cisco’s 2014 Annual Security Report.
Enterprise Strategy Group found 83 per cent of businesses lack the human resources they need to protect their IT assets.
Despite efforts to get women and children interested and the government’s work to boost graduate courses, much more needs to be done.
“There is a crisis in the entire population,” says Martin. “The specialists are still trying to understand cyber security, and the general public lack the skills to operate safely in cyberspace.” ®