Thursday 20th May 2021, 10:00 (BST)

Cyber career paths – a way out of our skills shortage?

  • How will a clear roadmap for cyber security entrants and current colleagues solve our skills crisis?
  • Diversity of people and of thought – how can InfoSec Leaders build the change in their organisations?
  • The top of the path – how do we develop and build the soft-skilled CISO of 2021 and beyond?


Hello, good morning, and welcome to another teissTalk. It is Thursday, 10 o'clock in the morning, therefore, we are live for today's teissTalk. We're live every Thursday at 10:00 and every Tuesday afternoon at four when my co-host, Jenny Radcliffe, takes the stage covering all the key topics in cyber security, diversity, ransomware, working from home, the lot. Welcome back to those of you who joined us before. Welcome to the new people. If you like the teissTalks, do please spread the word, invite your friends, invite your family. As I said, every Thursday morning at 10:00, every Tuesday afternoon at four. You can also watch it on catch up, but what would be the point of that? You're here live. So welcome to all of you. My name is Geoff White, and today we are also going to be giving away, excitingly, as we do every week, a teissTalk mug. We're going to be giving away a teissTalk mug.

Now, normally there's a news story that we talk about during the course of the programme at some stage. I'm going to flag that news story up today. Somebody's already spotted that I don't have a bow tie on. Again, the reason for that will become clear when I welcome my first guest. But I'm going to give the free mug away today to somebody who can come up with something. We've got a news story we're going to be discussing, which is about the Queen hiring cyber security specialists. The royal household has put out an ad to hire a cyber security IT manager. So I'm going to give the mug away to whoever can come up with the best royal themed cyber security pun or gag or joke. I think it's myself and I can't give you an example. So put your thinking caps on; whoever gets the best royal themed cyber security pun or gag gets the mug. So we're also going to be talking about cyber security recruitment in general. How to get into the industry, how to pull people into the industry, how to get the right people in. And then once they're in, how to keep them in and how to move up. So a key topic given we are told we have a cyber security skills gap. This will be interesting to discuss.

We have a great panel talking to us today about this. We have Jay Jay Davey, who is a cyber security ethical hacker and blue team expert at Nox Cyber. We also have Amanda Finch, who's chief executive of the Chartered Institute of Information Security. A couple of great panellists to come. I want to welcome though first our first guest, who is a regular attendee at teissTalks and is now on the panel himself. Please welcome Danny Dresner, who is professor of cyber security at the University of Manchester and is going to be discussing the topic with us today. Danny, how are you doing?

Oh, I'm fine. It's one of those days where if the tie doesn't tie correctly the first time, you just give up and wear a cravat. So as you can see, today is a good day.

Fantastic. So you actually because I mean, I normally do wear a bow tie, but I figured if we're both wearing bow ties it would look like some kind of benefit gig and I thought that would be a bit odd. But you tie them, you actually tie them, because I can, I've mastered it a couple of times but it's one of those skills that unless you keep practising, it drops out your head pretty quickly.

Well, yeah, but I also kind of feel like it's a little bit of a fraud. It's like those ones that they used to give you at school, which I was never quite sure whether it was because they didn't think you could either tie a tie or they were too worried about you strangling somebody with it. Well, maybe that said something about the kind of school I went to.

We've been watching Line of Duty and I had to point out to my wife that obviously all police officers now wear clip-on ties so that you can't do exactly that, you know, grab the tie and suffocate the guy who's arresting you.

I thought most policemen, police officers, seem to wear these T-shirt jobs now anyway.

Yes, and combat trousers and stuff. It's all dress down, isn't it? It's all gone downhill. That's the issue.

Everyone looks like a SWAT team.

Welcome, Danny. What's the situation at the University of Manchester at the moment? It's obvious it's summer term now, so presumably you wouldn't have many students in but how's covid and everything affected you? What's been your set up?

Well, as you can imagine, it's been quite a kind of a mixture. Everybody's been on the starting blocks because you keep expecting this to be kind of quite short term. But what's actually happened is that essentially, I mean, I haven't been in my office since, oh, since March of last year. The forensic analysis would prove this because if we went in there, you'd see that the calendar's still on Jon Pertwee. I've been very lucky because if you need a wet lab, as they're politely called, it's a completely different situation, but with computer science, it's fine as long as you've got a good connection. What we've learnt, or certainly what I've learnt, I think this is a personal journey, is finding out, you know, you make so many assumptions. You think that a student of computer science is going to have their own laptop or whatever and a good connection. None of this can be assumed. Sometimes they have to share their equipment with siblings. Sometimes they don't have the decent connections. Then, of course, you've got the challenges of the different time zones for different students as well, but I'm really pleased with the way that people have kind of knuckled down and actually connected and engaged to a certain extent. I've found that whereas sometimes, kind of, you know, traditional lectures, it's difficult to get people to attend and the like, of course, you might be uncharitable and think that, you know, they're switching on their browsers and turning off their cameras and they've gone off to do something else. But I personally have certainly found attendance better. I found engagement to be very, very similar. And now the work I do, I try to simulate as much as possible kind of real world collaborative opportunities.
The students usually start by hating me and then most of them like it at the end and they see the point of having to negotiate and work and understand the problems with a diverse bunch of people who they've been thrown in with, different cultures and different ideas, and that can actually be very beneficial. And that actually has worked very much online. I mean, statistically speaking, I had 13 groups, which was interesting in itself. Last year on my main module, which looks at system security from a governance point of view, I had about 50 students. This year I had over 90. And so we then had the challenge of organising that number of groups. And out of the 13 groups we had only one group kind of, I suppose, misinterpreted some of the instructions.

So how is it going to work, how do you think it's going to work next year? I mean, let's fast forward to September. You know, potentially you can hang onto those numbers by offering sort of more virtual courses. But is the idea of let's try and go back to a system where everybody turns up in person. What do you think is going to happen?

Well, ideally, it would be nice to see everybody in person, but there are going to be some people who will not want to. I think, unfortunately, with the world the way it is at the moment, I mean, maybe something fantastic will happen and things will hugely improve by then. But I think there are going to be some students who will not want to or actually can't make the journey to Manchester. So we are challenged now to create an environment which will suit both to a certain extent. Like I said, I like to try and simulate kind of the, this is a terrible term to use in academia, the real world. And I try to engage people in kind of group work and collaborative working and the like. And we are not going to go from a perfect classroom learning situation out into business or industry or charity or whatever it might be where you have got kind of a nice sort of, what's the word, sterilised, computerised working environment. You're going to have that mixed, that blended environment. So I think it's the sort of thing that we shouldn't see as a problem, but we should actually embrace it as an opportunity. So like Douglas Adams always used to say about the twenty stone person running towards you, you make that twenty stone their problem, not yours, when you actually throw them. So I think the idea of blended learning, some students being in the class, some students being at home in Manchester, some people being at home in different time zones, I think that becomes the opportunity that, as well as learning the, I don't know, the three laws of cyber security or whatever and the five cyber essentials, actually the humanity and the collaboration across those different media become the great chance that we've actually got.

It's interesting. So the teaching environment sort of mirrors the environment you'd be out in the real world where, you know, in the outside world, sorry, you know, the world of commercial work where you're working at home a bit and you work in the office a bit. We had some entries come in for our royal themed cyber pun. Georgia, Her Majesty's securing a world domain. I like that. Jay Jay has gone On Her Majesty's Secret Server. Oh, that's great. I don't know whether you are allowed to win, though, because you are a panellist, and Darren's gone for one security ring to rule them. Love it. The cloud jewels, Georgia has gone for. On fire, Georgia, this morning with the puns. Danny, forgive me. I don't know the situation in Manchester. So do you have a pure cyber security course or is cyber security taught as part of computer science?

It's taught as part of computer science. When I started, and well, I came to this, well, it was sort of the early noughties, and when I was working for the National Computing Centre, I used to come along to an industrial liaison panel and say, you're not teaching enough about security. It wasn't cyber in those days, it was computer security. And then it became computer network security and now it's cyber security. But I used to say you're not teaching enough and then eventually they said, OK, well, you come and do it then, and it's grown like that, but we've always taken this opportunity to try and embed it within other courses.

What do you think of pure cyber security courses then? Obviously they are offered, GCHQ, NCSC probably approved cyber security courses. For somebody going into the industry, do you think that's a good bet or do you think there's advantages to doing it as part of a general computer science degree?

Both. I mean, I think this is the important thing. You know, we will always need and will always want specialists. We all want generalists. And I had a discussion with a colleague of mine. I mean, I was saying, you know, having 50, 60, I mean, it's lovely having loads of students until it's marking time, of course. And then that really becomes part of the challenge. And one of my colleagues said that, you know, we really ought to up the entry requirements for the course so we have only what might be termed as the best students, you know, whether entry requirements are a way of finding who your best students are, that's another discussion, one we might end up having in our group. I said no. I mean, obviously, I don't want anybody to fail. I don't want anybody to do badly. But the more people who are exposed generally to, you know, to issues in cyber security and what to do about them, both from a preparatory and a protective point of view and a recovery and a coping point of view, they may not go into what we would label a cyber security career, but they could be in a place in their organisation or just in their family in 10 years' time and that decision will make an enormous difference to many lives.

You talked about, we talked about this in preparation for this panel, that you have a handful of students who you described as just getting it. What do they get? What is it about them that's different?

They do not expect just to walk in and be spoon fed, you know, to be told the 133 controls and 20 ISO 27001 and this is how you build a security management system. That handful of students are the ones who, you know, every convention, every conference that you go to, all of a sudden you'll actually see them there in the audience. Better still, you'll go and see them actually talking to people. They'll actually make contacts. I'll hear from my network. Oh, yeah, I'll be one of your students last week. And then realising that this is very dynamic. It's a dynamic. It's talking and understanding. I mean, I know we'll have Amanda from the Chartered Institute. One of the best things that the Chartered Institute have is this model of cyber security where it kind of breaks people, it breaks things down, not just in the subject matter, because we'll always be remodelling the lists and what you need to know. But it recognises that there's kind of like you'll get kind of your expert level. There's some people who will need supervision. And then sometimes it's just like you're aware of a thing. And being that aware of a thing means that, oh, yes, I need to talk to and work with other people, because I know there are a few kind of geniuses out there and I don't know how they do it. And I feel extremely envious of their ability not only to take in the knowledge, but also to apply it. But, you know, one of the many, you know, amongst things like you want to protect your crown jewels, is also that, you know, cyber security is a team sport. You know, and this is how I work. And it's seeing those students who, you know, who feel that they want to dabble and talk and ask questions and not just sit there, not just sit in the class, get the exercises and score the points.

Interesting. As you say, though, they'll do well when they go out into the world of work and have to collaborate in terms of those teams. We're getting some great royal puns, by the way. Abigail's royally owned. Martin Hopkins has gone for Red Team, Blue Team, it's in your blood. Alan's gone Latin on us, regnum defende servers, and Abigail again has gone, the white hat, the black hat, the queen's hat. Fantastic. And you mentioned crown jewels there, Danny, as well. So I don't know whether you possibly get the mug as well. I always try to look at stats on this. I'm going to put a link in the chat. This is the government's research on cyber security skills and the skills gap in further and higher education. There was a stat, a quote in there. And again, I'll paste this one in because it says that around two thirds of graduates from cyber security degree courses progressed to an entry level role in cyber security, which I thought was interesting, or IT, so that was interesting. Some of the graduates who are graduating from this don't end up doing cyber security. They go off and do sort of other careers as well. In your experience, Danny, how many of your sort of cyber security pods end up doing cyber security? Do you know that?

I don't know. I imagine it's fewer than that particular stat. I mean, we do get the full spectrum. Like I say, there's that handful of students who, as I've kind of used the phrase, totally get it. But it's also, remember, what we're teaching, we have kind of, you know, very kind of hard core cyber security modules of risk and pen testing and all of that kind of stuff. But we're embedding it amongst all the other topics, because if everybody did all our computer science and our IT right, to kind of generalise it a lot, we all know that generalisations are always false, we wouldn't have a cyber security challenge in the first place. So it's perhaps not necessarily a good thing if we're looking for everybody to kind of leave and go into cyber security. I started off in quality management and I remember somebody saying, oh, this is good. We'll follow all the processes and procedures work on quality. Oh. And we might need to actually think about what it is that we're doing in the first place. Cyber security is like good writing. It should be invisible. Which is why it's so difficult to measure. And why we only kind of notice it when it's sort of causing a bit of heartache.

But we have, I mean, you know, everybody tells me you've got the cyber security skills gap. You know, I would have thought cyber security courses would be, you know, full to the gills with people, you know, wanting to do it. This is almost, it's not a guaranteed job, but it's a pretty good bet. You're going to be required. Have you seen that? Is there a constant demand, a lot of demand for cyber security?

I think the problem, of course, is we keep calling it a skills gap, and that's because we keep making lists and more lists of all the things that you actually need to know, as opposed to really valuing kind of people's attitude and their approach and their keenness for the subject and preparing them for something. And this is me, a university person, saying this. You know, firstly, degrees aren't for everybody. Formal qualifications aren't for everybody. So I think the important thing is understanding how to nurture the talents. The actual learning and the other stuff can actually follow. We can actually bring things up. We've got to recognise that we know people have had other jobs. I mean, the advert for the position with the Queen. Just for a moment to go back to Punland, if they're looking for a qualification, presumably they'll have to be corgi registered, but there we go. But the problem there is they're saying, you know, degree or equivalent and five years' experience, et cetera, et cetera, which is very hard core HR talk, which is going to channel a lot of people down a particular route and exclude an awful lot of people. I mean, I'm thinking about people coming out of the forces who won't have those qualifications, won't have the audit trail of their skills and evidence, but are going to be absolutely perfect for a role like that. And aptitude is so valuable and I think we need to find ways of embracing those aptitudes and embracing those attitudes and running with them, because let's face it, our adversaries don't sit there and say, well, I'm sorry, but you can only come on this heist with five years' experience and a degree.

That's really interesting. So interesting point, and I'll bring the panellists in a second, the other panellists to talk about that. But, yeah, it's interesting that we have a skills gap because what we're measuring is skills and we've got a gap in them. We maybe don't have an aptitude gap, but we're not measuring aptitude. So we don't acknowledge it. Really interesting stuff. I want to bring in our other two panellists on this. They both come at this from different, but equally important and equally interesting aspects of this. We've got Jay Jay Davey, who is cyber security ethical hacker and blue team expert at Nox Cyber. I'm also going to be welcoming Amanda Finch as chief executive of the Chartered Institute of Information Security. Welcome to you both. Amanda, can I come to you first? Because I was looking at one of the talks you did and you said you started out with, was it Marks and Spencers you started out with?

Yes. That was a long, long time ago. My journey started when it was called computer security as well. I fell into it because I didn't duck quickly enough. I was bored and I spoke to the exec and I said, I don't like what I'm doing at the moment, so we got this thing called computer security. And I went, what's that? He said, I don't know. We've been told by the board we're going to have a function and you like doing new stuff, get on with it. And that was it. I started off doing sweep sector viruses in those days and it's come to where it is now.

You said, I think you said you went to the pub with the IT team and they were good fun.

That's how I ended up in IT. My career journey was never planned. I didn't intend to do this job either. I came to a crossroads with my work and so I was looking for something new to do. And they sent me over to the IT group because we'd recently taken it in from being a bureau, so that shows you how long ago it was. And they wanted to get some M&Sy type people over there. And I had no idea what I was doing, but we went to the pub at lunchtime and I thought, this is fun. I don't know what we do, but this could be fun, and the rest is history.

The Chartered Institute, it was, I forget the acronym but it's now changed the Chartered Institute. What's the big difference there? What difference does chartering make, I should say?

Well, I think it makes us grown up, basically. The institute was set up back in about 2006 because at that stage it was a smallish club, mainly, sadly to say, of men. There weren't many women in it and people tended to know each other, certainly in the early 2000s, and suddenly there were more qualifications that were coming in and people were saying that they were security experts, but they didn't necessarily have the experience. So that was one of the reasons that IISP was set up, to act as a focal point for the profession, to be able to accredit people for their skills as well as their knowledge. And that has always been something really important to us, that you should be able to demonstrate that you can actually apply the knowledge to the workplace, and hence the levels of our skills framework, which explains whether you're the junior practitioner or senior practitioner in that particular skills area. And really we felt that it was time we had a professional body. So the chartering of that is actually taking us to be a proper professional institute and a proper professional, well, a proper profession. And people recognising that it is up there with medicine, law, other professions.

We'll come back, some really interesting stuff to unpack on that as well, but I want to come over to Jay to just talk about, because, again, a bit like Amanda, you sort of kind of stumbled into the industry with an ex-military background.

Yeah, that's right. I always had quite a technical mind. And when I left the military, I went into just a general service desk role. Then I left that role because I just wanted to seek out a new challenge. And a recruiter called me saying, I've got this role for a SOC analyst. And I went, what the hell is a SOC analyst? So he explained to me what a SOC analyst was, I did my own research and I thought, that sounds interesting. He went, well, it's a graduate position. I don't know if you'll be able to do it because you haven't really got a degree or anything like that. I'll put your name forward anyway and see what happens. And now I'm here. So I got offered the kind of position and I just realised it was trial by fire and so much to learn. And that's how I kind of fell into cyber security, was just that general talk with that recruiter, saying actually I'm interested, I think I can do it. I experienced a tiny bit of gatekeeping there when it came to trying to get into that role, but overall, it wasn't as much of a bumpy road as I thought it was going to be, so it was quite interesting.

How did you manage that? Because, I mean, Abigail's made a comment that, Abigail, my heart goes out to you. I'm so sorry to hear about what's happened with your interviews, and we all wish you the best of luck and we do hope you keep trying but I know it's demoralising. I mean, Jay, how did you given that you didn't have the degree and the qualifications and so on, how did you get that first SOC role? What do you think made them go for you?

I think it was just the kind of demonstrating the passion and the interest and also being seen by the right people. So as soon as I discovered what company it was, I reached out to the hiring manager just to explain my situation, to say, hey, look, I've come from the military, this is my background, and this is what I'm currently studying. So I was studying Network+ and I'm learning all the content. And we just had a phone call. Just a general phone call. And he said, OK, let's go forward. And the recruiter called me up saying that they want to go forward with the interview. Now, the interview wasn't, they had a different interview process for me because I didn't have that graduate level qualification. So they gave me a technical test with 50 questions. And they said, we want to try and benchmark you and measure what you can do. So they gave me 50 questions and then at the end, they gave me a challenge to write an email to a customer that has a particular problem. So they're trying to see if I have a professional skill element as well. So I think the biggest challenge is being seen by the right people and not just being seen as another CV coming through a machine; it's making sure that you're seen by the hiring manager and the people making that decision.

Interesting stuff. Thanks for that, Jay. And Amanda has commented, I think she's right, Abigail. If the interview goes that badly, that horrible, you wouldn't want to work for that company. That would be my advice as well. Danny, this is interesting. So Jay's story kind of taps into what you were talking about in terms of what he's demonstrated is an aptitude, and actually aptitude plus communication skills, rather than, you know, can you programme in these languages? Have you used this particular kind of piece of software? That seems to reflect what you're saying about aptitude, not skills necessarily?

Sorry, I lost the end of you there, but I was thinking of particularly looking at Abigail's poor experience as well. There is a lot, I mean, perhaps part of the gap is perpetuated by this awful gatekeeping, or certainly perceived gatekeeping, by people. I mean, one of the things I show, terrible, probably copyright issues, there's a Monty Python sketch where they bring the pregnant woman into the operating theatre, or the delivery room, and she says to the doctor, what do I do? And he says, nothing, you're not qualified. I think there's an awful lot of this about preventing people from being encouraged to learn, encouraged to actually take things up. You know, we've got the new UK Cyber Security Council. And that is going to be very challenged to make sure that the path to whatever kind of is labelled a professional is as welcoming as possible. Because, you know, as we codify what you need to know, it's very difficult to also say, well, this is everything in the body of knowledge, but these are the areas that you can focus on, just to be aware of some of these other ones. And actually, you don't need to be an expert in everything. And it's that collaboration and cooperation. And I was actually, I'll be very honest and very candid in a public forum and all that, I was extremely worried about how the UK Cyber Security Forum would go, but I am extremely buoyed by the fact that it's actually being chaired by the person who, as the saying goes, because S.J, Mike said, has got me to where I am today, because many years ago I went to a thing and there was a woman called Claudia Natanson giving a talk and, to quote another friend of mine, I looked at her and said, that's who I want to be when I grow up. And now she is chairing the council. And I think that they will embrace now the real challenge of bringing all kinds of diversity, thought, thinking, culture, gender. Real diversity, not just kind of pigeonholed boxes to tick and the like.
Not just in the types of people who will be able to get involved, but also that they will be able to, and encouraged to, travel along the pathways. They will be valued while they're making the journey, which is so important as well. And it will be more of a collaborative nature. I mean, I didn't mention neurodiversity as well. You know, we just must remember that this is a complex problem. I'm not saying that accountancy and I'm certainly not saying that medicine are simple, but they're fairly focussed. We haven't even defined what security, what cyber security is yet. We haven't even defined how to solve the problem or even what the kind of person is. If you look at the National Institute for Standards and Technology in the States, they've identified fifty two roles, and I mean, showing my age now, but I think that it should be like Woolworths. You pick and mix the roles for yourself, and actually maybe roles as well for you or for your organisation or groups of organisations, because no one organisation is going to be safe by itself.

It's interesting, that. Amanda, I want to pick up with you on some of the stuff that Danny's talked about there. I mean, I can see the logic in the way you're going in terms of, look, let's put this on a proper footing. Let's actually learn some lessons from areas like law and accountancy and medicine and so on. But what about Danny's point that the fact that we're still sort of feeling our way in this, how secure can you be in terms of these are the skills you need and this is the accreditation we'll do, at the point where cyber security is still so new and we're still learning our way?

I think the thing is it is a very, very young profession and it's also a very, very fast moving area. And if you look at what's happened in the last 10, 15 years, for example, things that we were talking about passionately about ten years ago, now it's just what we do. I think another problem is that we've also got an incredibly diverse landscape because we've got so many different, well, every company needs to be involved in it. Every individual needs to be involved in it, in terms of protecting their own environment. So it's actually quite hard to categorise things as roles. What may be a specialism in one big organisation, you might go to a much smaller organisation and you've got somebody that's having to spin about 10, 15 plates and having a completely different profile. So a lot of it is adapting, which is one of the reasons that we look at skills, because skills can make up roles rather than actually sort of saying this is a standard CISO role, because the CISO in one company can be something completely different in another company. So it's a hard thing to actually quantify in that way. The one thing that you can quantify is levels of skill, which is what we do at the institute. So we have a whole raft of skills that go from everything from security management to testing to secure operations and everything around, you know, everything basically. And what we do is that we say you may know a little bit about it, which is the level one; you may know it to be some practitioner level, which is a level three. You may be an absolute expert at a level six. And I think it's understanding the abilities from there of what you need in particular roles. But for people coming into the profession, that's really hard because we don't signpost things particularly well. And, sorry, I think that you would like to ask a supplementary question.

I was going to ask Jay about that, actually, because somebody who is a relatively new entrant into this. Obviously, you started from a position of not knowing what a SOC was. How easy was it then? How easy has it been since then to go, OK, these are the skills I need, these are the accreditations and qualifications, because I see all these different qualifications, all these different bodies. How have you navigated this and worked out that's the one that's worth going for? That's the one I'll pay for?

So for me, it was a mixture of my own research and talking to people already in the industry and getting that kind of advice, putting it into a bag and just picking out what the most common theme is between the people. You're going to get really bad advice. So somebody is going to say to you, oh, you just want to get into cyber security? Well, do this. But they don't realise it has a five year requirement, which you don't currently have, obviously, because you're trying to get into the field. Then you have people with a bit more realistic advice who would tell you to go for a CCNA or for a Net+ just to build that kind of networking foundation if you're going for a technical role. So a lot of it is about doing your own research. And I think that's part of the reason why I've done quite a lot of the stuff that I've done so far with the mentoring and building the careers pages: it's just trying to help people see the wood through the trees and understand what the next step is for them and give them that kind of toolset that they require to be able to do their own research.

Yeah, I wondered if we have our teiss elves, by the way, for those who don't know, who beaver away in the background and are putting in links and stuff, LinkedIn profiles and so on. Thank you for that. I wonder if our teiss elves could do a poll on this. I'm just interested in this idea of skills versus aptitude. So I guess the poll question would be: what's more important in cyber security careers, skills or aptitude? Let's put that out there and see what people say; that will be in the polls section on the right hand side. So stick in your votes and we'll see where we go from that. Jay, I want to come back to you just on what you talked about there. The money is important as well because there are different costs for these things. How do you weigh up which one's worth the money?

So the surefire way of doing that is just searching for job descriptions, picking out which comes up most commonly. So what are the most common certifications that are looked for across the region that you're applying for? So for the UK, what is the most common certification that comes up for the job that you desire? So if you want to be a SOC analyst, let's look through about 20, 30 job descriptions and understand which one is the most common. So you'll probably see Security+ or Network+ really commonly at the junior levels, but towards the mid-level and senior levels, you're going to see stuff like CIS and CCNA and CCNP come up. So it is all about kind of weighing up the pros and cons. So with the certification, someone may say it hasn't really got a good body of knowledge, but it's very well recognised in the UK cyber security industry. So it may be worth going for just purely because it gives you that kind of visibility that you require to get through any ATS systems or to pique the interest of a hiring manager, because the hiring manager is only going to go on your skills based on the certifications that you have, unless they have a technical testing element to it. So if you apply for a role and you don't have a network certification, they're probably not going to find out that you have that networking ability. And they're probably going to disregard your application for that role because somebody else has that certification that benchmarks their current skill level in that domain.

Amanda, this is the problem, isn't it? That you can have two companies who are basically looking for the same type of person, but this company over here wants this accreditation or this exam or this particular skill, and this company over here wants a different one. And as a job applicant, if you've got one and not the other, you can't apply to both those companies. It's tricky at the moment.

I think it's really hard because often the hiring managers don't really understand what they're actually hiring for, especially when you look at the senior levels and you see the ridiculous job adverts where they're looking for what I call unicorn people that have got everything. And actually you don't really want to hire somebody who is overqualified for that particular job because they're just going to move on in a couple of years. So there's a lot that we need to do as a profession about really signposting those things better. And it's a bit of a lottery.

In an ideal world, Amanda, is that what you want to do for the Chartered Institute, to basically be the sort of central gold standard, you know, to lay this out for people, to be that kind of help?

This is why we put a lot by people being able to demonstrate experience. So we're completely agnostic with our membership levels about what the background is, whether it's a degree background or whether it's four pluses, three commercial courses or if it's learnt experience on the job. The important thing is to be able to apply that skill and be able to apply it professionally. So what we're trying to do at the moment is that we're trying to define pathways for people coming into the profession. So we're very happy to support people in the early stages. We have an associate development programme, which takes people that are completely new, and we expose them to all areas of our skills framework so they can actually understand how their skills are applied in the workplace. But also they get a chance to actually see whether they like that sort of skill, because we all start somewhere and we all end up in completely different places. And the thing is to really support people so they can go to the next step. And yes, that will be recognised training courses. We recognise university degrees. We recognise particular qualifications.

So if somebody's been through CIS, you would recognise that, for example? That would be something that would count?

Absolutely, absolutely. So if somebody has got a managed CIS, they've done the five years' experience. They can claim associate membership with us straight away. So that's fine. And we do that with all the qualifications on a knowledge basis. We're trying to recognise, where we would like people to recognise the post-nominals, because everybody that's going through that system has been reviewed by professionals. So it's all done through peer review and Danny is one of our esteemed tellers and has reviewed other people as well. Hence I've got the scarf on, so I'm not letting you down.

Can I stay with you, Amanda, for a second, because you made a good point about the sort of unicorn, I love that idea of the unicorn job ad where it's like we want somebody who does this, this, this and this and can do it on a unicycle.

Absolutely backwards. In heels.

Yeah, talking about in heels. You made a good point about how men and women approach job adverts when we're talking about this. Run me through that again, how does it work?

Oh gosh. Well, basically men will go for a job advert if they see that about 40 percent of it is a fit. Women are far more cautious, in that they will only go for something if they think there's a pretty good fit; an 80 percent fit is the number that gets thrown out. I don't know how some of these statistics come together, but that is a problem. A lot of the recruitment is putting off large portions of the population and we need to count job adverts in a far more inclusive way.

I think that's interesting. I think certainly for me as a journalist, I do get the feeling that when I approach people for interview, if I approach male IT security people, even though they don't know, say, I'm doing a piece on ransomware, you know, can you do an interview? Yeah, I'll do an interview. Generally, if I approach female IT security people, I think sometimes the reaction, I'm second guessing this, but I think sometimes the reaction has been, well, I'm not an expert on ransomware. And I'm thinking, well, neither was this guy over here, but he doesn't mind. He'll bone up on the knowledge on his way into the studio. By the way, our polling has been interesting. So what's more important for cyber careers? Aptitude? Skills? Both? Obviously, 56% of people went for both aptitude and skills, but forced to make a decision, interestingly, 28 percent of people said aptitude is more important and only 11 percent said skills are more important. So, Danny, that does seem to answer your question. Actually, talking of questions, John has come up with a question, which we are going to put on the screen now, which I think is an interesting one. This comes up in a lot of conversations. CISOs don't need the networking and programming skills. They need soft skills, communication, et cetera. How do we help wannabe CISOs develop these skills? Danny, can you give some tips on that?

Yes, well, yeah, OK, well, I'm definitely a stuck record on this one. First of all, we must not call them soft skills. They are not soft skills. They are core skills. We encourage everybody to work to have them, whether they're management or technical. But also we shouldn't try and shower them on somebody whose skill is just sitting by a box, taking it apart, putting it back together, setting it up for other people, because that's their aptitude. That's their niche. That's their contribution. So cyber, going back to the original Greek, is about steering. We need to steer the profession towards the people and the people towards the profession. We need to stop trying to nail things down into pigeonholes because we are totally failing to navigate. And it's because we're doing that that, of course, our adversaries are able to jump in between the cracks while we're arguing over what is cyber security and the sexy acronym for our project. The criminals aren't thinking, OK, well, we need a really good code name before we can go on this particular attack.

Interesting, interesting stuff. James has come in saying the rise into cyber management can often support the Peter Principle, which, if you're not familiar with the Peter Principle, I think is the idea that you get promoted in an organisation on the basis of time served, not competence. So ultimately, incompetent people tend to rise to the top. Not that that says anything about our current government, or anything. But Jay, I just want to come back to you, we're slightly short of time, but this idea of communication skills. The interview process you talked about was really interesting because one of the things they were testing was, can you explain this stuff to a customer, to a client? As you've worked in the industry, has that still been the case? Are those explanatory skills and communication skills constantly coming up, or was that just something that happened in the interview and actually, day to day, you don't really need it?

So when I was a SOC level one, I was non-existent talking to customers; it was a couple of emails here and there. But then when I started to become more advanced and my career progressed more, I've been talking to clients a lot more: face to face interviews, face to face discussions with them, explaining technical things to non-technical people. So you need to be able to explain those technical concepts to different levels of technical ability without being condescending and insulting. You need to be able to explain it in a way that they understand. So you get that ability to translate tech to business, because that's what it is at the end of the day. It's a business. You're talking to a business. So being able to talk to stakeholders comes in time. You will start to learn harsh lessons: when you say the wrong thing, you're going to get the wrong reaction. You're going to get a reaction that you weren't looking for. And that's possibly the best way to learn. I've had it plenty of times where I've said something and it's come across as insulting. And I think the way that you really kind of dial in the way you talk to people is just going out and trying it. Try to explain technical subjects to your parents and learn how you talk to different stakeholders.

It's interesting. There is no textbook for communication, and I say that as a journalist. So, listen, we're coming to the end of our session here. Mirah or Myrah, my apologies if I got the pronunciation wrong, has sent us what I think wins the mug. This is a God Save the Queen cyber security twist. Before I read that, I will thank our panellists. Thank you so much, Danny Dresner, professor of cyber security, University of Manchester. Jay Jay Davey, cyber security ethical hacker and blue team expert at Nox Cyber. Their LinkedIn profiles are in the chat, along with that of Amanda Finch, who's chief executive of the Chartered Institute of Information Security. Thank you to all of you. Mirah, I will try and sing this now. From every blade and foe, from the assassin's APC blow. CISO save the Queen. Over her vine, disarm, extend for Britain. Protect, operate, defend our insider threats. No friend CISO save the Queen. Thank you. I would have stood, I would have stood. But like most of our attendees, I'm not wearing trousers. So thank you so much to all of our attendees. Thank you to our panellists. Thank you to you folks for getting involved in the chat. Abigail, stick with it. There are lovely people in cyber. We shall see you again.

Your host:

Geoff White

Investigative journalist Geoff White has covered technology for BBC News, Channel 4 News, Audible, Forbes online and many others.

An experienced public speaker, he has given keynote talks at some of the UK’s largest tech events, in addition to hosting conferences and chairing panels at venues ranging from London’s Chatham House think-tank to the Latitude music festival.

Guests:

Danny Dresner, Professor of Cyber Security, University of Manchester

I find the threads that bind information together and mend them when they break. I’m Academic Cyber Security Lead at the University of Manchester, and director/co-founder of IASME, the SME benchmark of cyber security governance that helped to pioneer Cyber Essentials. An evangelist for useful standards and good practice, I nurse organisations through ISO/IEC 27001. I received a PhD for work in information systems risk. I am a Fellow of the Institute of Information Security Professionals. I was at The National Computing Centre for 22 years, architect of the DTI’s Towards Software Excellence programme, created the core of SANS’ training for BS 7799, edited national security breaches surveys (from 1994), and wrote the first standards for source code escrow. My contribution to NCSC risk management guidance is noted; I’m an active member of IAAC’s North West cohort (creating a Northern Academic Liaison Panel). I’m active in Yorkshire’s Cyber Security Cluster, revived The Ratio Club, and am a director of a neurodiverse community SOC. I’m part of GMCA’s Cyber Foundry, realising aspirations for a resilient, cyber secure, digital community and economy.

My work spans public, private, and third sectors. It varies from identifying vulnerabilities (and how to fix them) of a small firm responsible for 7 million personal records, to writing a definitive guide to cyber resilience for local government (for SOCITM). I’ve contributed to books, conferences, and appear on the BBC to explain risks and opportunities of information systems to the wider community. I was voted the UK’s second top influencer in cyber security in 2017, and eighth and eleventh internationally in 2018 and 2019 respectively.

When not securing information, I work for the security of my children and my parents’ honour. Personal interests range from Jewish tradition to science fiction. My knowledge of Doctor Who lore is tiring; I was graphic artist for the Blake’s 7 Appreciation Society which just goes to show…

Jay Jay Davey, Cyber Security | Ethical Hacker & Blue Team expert, Nox Cyber

SOC Tier II at CyberClan

Founder of NoxCyber career & study guidance
(www.noxcyber.co.uk)

I am a firm believer that security should be a proactive business activity and ensure that business risk is mitigated early to reduce the impact that cyber threats may have on the business.

I live by the words “Don’t address the symptoms, Identify and Address the root cause”

Amanda Finch, CEO, Chartered Institute of Information Security

Amanda Finch is the CEO of the Chartered Institute of Information Security (CIISec) and has specialised in Information Security management since 1991. She has always been an active contributor to the industry and for many years she has been dedicated to gaining recognition for the discipline as a profession.

Over her career she has been engaged in all aspects of Information Security Management and takes a pragmatic approach to the application of security controls to meet business objectives. Through her work she has developed an extensive understanding of the commercial sector and its particular security needs. In her current role she works with Industry, Government and Academia, assisting all sectors in raising levels of competency and education.

Amanda has a Masters degree in Information Security, is a Full Member of CIISec and is a Fellow of the BCS. In 2007 she was awarded European Chief Information Security Officer of the Year by Secure Computing magazine, and she is frequently listed as one of the most influential women within the industry.
