The cyber-security industry recognises that it needs a broader range of skills than purely technologists, but where do they come from, and how does a lawyer, policy maker, accountant, project manager, English or international relations graduate, MBA business person or psychologist demonstrate the tech understanding to make a contribution?
One place that’s being done is the Cyber 9/12 Strategy Challenge, a national cyber policy and strategy competition, which this year is held at the BT Tower, London, on Monday 11th and Tuesday 12th of February 2019. #cyber912_UK
Cyber 9/12 is named for the day after 9/11, asking the question: how do you recover after such an enormous event? Hence the emphasis on policy and strategy to give focus and direction to the tech deployed.
SC Media UK asked Pete Cooper, Cyber 9/12 UK competition director and Atlantic Council Fellow, to give a bit more detail about the competition and to explain how the contestants would demonstrate their skills.
Cooper explained: "This is the second year of the competition, with 17 teams of four plus a mentor from their University. That’s up from 13 universities last year (plus military and law enforcement teams). It’s about a 50/50 gender split and given there are no restrictions it’s great that we are coming up with this pool of talent to tap into."
Without giving too much away to the competitors, Cooper described how they would be tackling a scenario based on how we protect critical national infrastructure, with a focus on fuel and energy. It will encompass various challenges, exploring coordinated exposure of vulnerability, the relationship and interdependence of private and government sectors, the role of independent researchers, as well as bringing in financial and insurance sectors.
Issues will include how we deal with vulnerabilities in the supply chain, in hardware and software, embedded nationally and internationally; what the ramifications are if a vulnerability is found in software used everywhere; and how we respond and react. How do we work together quickly to find and fix those vulnerabilities?
The students have already submitted their 500-word briefing on what they think are the key elements of what is going on, and on 11 Feb they turn up at BT Tower, when scoring gets under way.
Cooper adds that the value of combining technical, policy and strategy skills is to build bridges with technology to form strong multi-disciplinary teams, and that attracts those who do not see themselves as technical but have skills to bring to the industry.
"When we reach out to people, we say it’s not a technology, capture the flag competition. It’s about policy and strategy but you need technical understanding - it’s a completely multi-faceted scenario. It opens up cyber-security to humanities, law, business degrees and other technologists. It’s pulling from a wider demographic hence the higher female participation. The industry is still trying to solve the cyber-security skills gap, struggling to fill technical roles, but there are also other roles that need understanding of cyber-security - lawyers, HR and others - and we need to create pathways and make it easier for them to get into the industry. Currently there is a view that without a degree in computer science you can’t get in the industry and we need to get over that."
Sponsors/partners of the competition are BT (Strategic Partner); SecureAuth (VIP Dinner Sponsors); Her Majesty’s Government, NATO, Dell EMC, Standard Chartered, Kekst CNC, ReSolve, YardPartners, Cyber Defence Alliance, Global Cyber Alliance, RUSI, Information Assurance Advisory Council, Rapid7, and TechUK.
Cooper adds: "They see the value of the competition. One university lecturer said they had been researching cyber-security policy and strategy though they had not been teaching it but they will now. A competitor said that the competition made them feel like their skills were being valued. Not everyone in tech wants to move into leadership and management. And a board member won’t spend days in a SOC, but between the SOC and the board, there’s a lot of roles and that’s what the competition is about."
SC also spoke to Rob Partridge, head of commercial development, BT, a judge on the competition, who explained to SC: "We are still creating a cyber-security industry and need to broaden our horizons. It had been trying to create a linear career pathway, like a vet where you know what exams and experience is needed, what university to go to. But the cyber-security pathway is more like a tube map, with many ways to get on and travel, because there are at least 96 different roles.
"[We need to develop] Skill sets and understanding. Pure business skills, not in terms of profit, but understanding the repercussions of a large cyber-attack on business and how organisations can set policy to remediate.
"They need to analyse quickly, make decisions, and advise - so it’s advisory roles. Not technologists, but people with an appreciation of what tech can bring you. If they had the best policy skills etc but they don’t understand tech, it won’t be the best solution for security. So it’s an appreciation of security, but the talent and skill to understand the ramifications across business, politics and government."
"One of the biggest growth areas is BT security (see Kevin Brown interview) - we need people who can understand, set strategy, policy and underpin our success."
Paul Chichester, National Cyber Security Centre director for operations, added: "It’s vital that future cyber-security professionals are given every opportunity to develop their skills, and roleplays like this offer a unique insight into what happens during an attack.
"By taking part in this competition, the students will gain a deep understanding of the complex challenges we at the National Cyber Security Centre face when dealing with incidents in real life.
"The UK Government’s National Cyber Security Strategy is clear that more must be done for the UK to meet the future national demand. Much like the NCSC’s CyberFirst courses, Cyber 9/12 is an effective way to nurture the next generation of cyber security experts."
The competitors must work together in their interdisciplinary teams to understand the cyber-attack, develop policy and strategy options, and then verbally present their suggested solution to judging panels, which consist of experienced industry, academic and HMG cyber-security experts. Semi-finalist teams will be whittled from the original seventeen; the teams that didn’t get through to the semi-final will be given a separate expert coaching session before everybody joins together on the afternoon of Day Two to listen to the final round, as three finalist teams vie to be crowned champions.
Les Anderson, chief security officer, BT, added: "The private and public sector have a duty to encourage the supply of future cyber-security professionals. These experts will be crucial to securing our people, organisations and infrastructure from cyber-attacks, and providing the security required for our businesses to thrive in a digital world. And this doesn’t just mean technical experts – we need cyber-professionals for many areas to be fully prepared for the future."