Ahead of the announcement about those who had progressed in the UK Cyber Security Challenge, I was invited along to a media event marking it at the end of last week.
From the presentations made, it was clear that there is one key factor in the purpose of the Cyber Security Challenge: to get more people into security. A consistent message was that there are not enough people getting into information security and that needs to change at all levels of entry.
Alasdair Rodgers, managing director of security at QinetiQ, said that all of the momentum of the challenge is to get people into the industry, as it is not being done through university and this was ‘a method of bringing people to the fore'.
“A lot of what we are doing is mentoring. We have to communicate with people who can operate socially as we are not dealing with a technology problem, it is with policies and products that deal with a protected environment,” he said.
Judy Baker, a director of the challenge, claimed that the skills shortage is not just at the present time but also looking ahead to the future and is a reason that the challenge will be continuing annually. She said: “The problem is getting worse and we need to excite and inspire them and put them through careers.”
Fellow director Stewart Room, also a partner at law firm Field Fisher Waterhouse, highlighted how the public and private sector sponsors are also aware of this problem and there is a need to beef up the economy and get the message to schools and universities.
“The Cyber Security Challenge will mean something in years to come, the ability to deliver and facilitate a marketing message,” he said.
Room said that he was disappointed with a lack of interest from the information security private sector, who he said should be ‘ashamed' by their lack of interest.
Among the current sponsors is Sophos, whose UK country manager Ciaran Rafferty told me last year that it was backing the Cyber Security Challenge, as it was ‘a great way to find and attract new talent at the same time as offering tests and games to identify areas of improvement to security'.
Speaking at the event, Sophos senior technologist, James Lyne, said that 90 per cent of businesses are now trying to fill the security positions and the deficit of skills is making that difficult, particularly as more and more people are using technology in their daily lives.
Later I got the chance to meet some of the contestants who are taking part in the challenge, who interestingly came from a range of backgrounds some with no information security experience and others with plenty. The group of four I was introduced to ranged in age from 17 up to 28, with the youngest only having six to eight months experience.
One of the contenders, Tony Shannon, told me that he had dropped out of university in 2000 and had managed small networks and wanted to work with applications and secure his own systems.
I pointed the group towards research by Tufin from last year, which found that a third of university students had said that they thought that hacking was ‘cool', while 28 per cent considered hacking to be easy.
One of the contenders, Tim Dobson, told me about a support group called ‘DFEY', digital freedom, education and youth, that helped young people who were interested in technology to come together with other ‘technically minded people'.
Talking about the Tufin report, Dobson said: “I cringed at the report as the way that they spun it is that this is a serious issue and these are cyber criminals, which I didn't think was particularly helpful but I think it would be better to look at how many people were successful in their missions. Secondly there is a real interest in exploring IT and these people can lack a nurturing environment to give them some output for their instabilities for their direction and it would be good if there is an enthusiastic systems administrator or head of IT, it can spur you on.”
Paul Laverack, who won the US-based DC3 digital forensics challenge, said that there is a fair amount of interest in cyber security but no one is aware of how to get into the industry.
If there is a gap between those who can and those who want to hire, it seems that there is little in the way of a simple solution. What the Cyber Security Challenge is doing is very positive and will go some way to preparing young enthusiasts for real world situations.
From there though the challenge could be greater, after all how do they match the expert with the right job? Yes it could be argued that those who are sponsoring the Cyber Security Challenge could get first dibs of the talent in an NFL-style draft, but most will likely want a job in real life information security and with stories of shrinking teams and budgets, opportunities may be hard to come by for some.