Learning from success: the Plymouth Cybersecurity Skills Partnership

On September 12th the Digital Policy Alliance will review progress (including lessons learned) with its pilot local Cybersecurity Skills Partnership. The meeting will also include contributions on the current state of the UK’s national security skills programmes and discussion on how to join these up locally.

The pilot, led by Michael Dieroff of Bluescreen IT, engages with national (e.g. BCS and IAAC) and international (e.g. CISCO, Comptia and ISC2) players who want to explore practical co-operation away from the pressures of corporate and regulatory politics as well as with the City Council, both Local Universities, FE Colleges, Schools, the Chamber of Commerce and local employers (large and small, public and private). The strategy is akin to that which led to the NCFTA being established in Pittsburgh, not Washington. The distance from Plymouth to London is about the same. The train service may be better but the journey still takes long enough to deter timewasters.

Please contact the Digital Policy Alliance Cybersecurity Skills Sub Group if you want an invitation to work with your peers to identify and “grow” those who will help you meet your own security, investigation and “asset recovery” needs (and those of your customers) over the months, not just years ahead.  And I do mean months, not years.

The Security Skills Incubator at the heart of the Plymouth Partnership was operational within four months of the decision to go ahead.

By then the first batch of supervised work experience trainees had already produced practical results, using leading edge tools to address current risks and live incidents within a fortnight of starting their own “learning by doing” programmes. The incubator brings together students from a variety of programmes, from schools work experience, through FE and HE level apprentices and undergraduate and post graduate students and mature cross trainees. The employer participants are expected to share supervision and mentoring in return for having their problems and those of their clients addressed.

Given that the provision of supervised work experience is the biggest problem in organizing apprenticeships of all kinds, not just cyber, whatever the size of the organisation, this approach is inspired. It also cracks the problem of helping SMEs who have only one or two apprentices and little or no resource to manage in-house work-experience other than for non-technical tasks.

That is, of course, not the whole story.

It took over a year to find a UK location that was suitable and serious: i.e. local government and police authority serious about working with FE/HE/Schools, local employers (large and small, public and private) and locally based security consultants and training providers to address local skills, awareness and response needs.

The first attempt failed when we discovered that the lead University gave absolute priority to bidding for research funding and Government “challenges”. Co-operation with local business (large or small) to meet skills needed was well down in its priorities. We now know that is the rule, not the exception.

The second attempt failed when the lead law enforcement partner was unable to talk seriously with industry and education partners because it was seriously overcommitted with high profile investigations. We now know that is, again, the rule not the exception.

The third attempt failed when the lead training provider won sufficient business to keep its existing training operations fully occupied for the rest of the year. Its success in cutting the time from identifying talent to enabling customers to bill the newly trained “consultants” to HMG to around six months has, however, concentrated the minds of its competitors. More-over it could have could have cut the elapsed time in half, but for the time for the security clearances needed by HMG to come through.

With Plymouth we went from discussions in the margins of the launch of STEM Plymouth to live running at a rate of knots – as befits a 400 year old global centre for Maritime Security (now including including Computer Assisted Piracy and Fraud and the IOT devices that “infest” the world of shipping and international supply chains). We found that Plymouth was well accustomed to local and global co-operation. Its local networks for co-operation on skills development go back over five years – beginning with programmes to reduce dependence on imported construction skills (at all levels from bricklayers and carpenters to civil engineering project managers). Its global networks embrace every nation with a long coastline (it is home to the worlds main marine, hydography and oceanography research institutes).

In parallel with digital apprenticeships of all kinds, the Peninsula Medical School is looking to clinical assistant and medical apprenticeship programmes to reduce dependence on imported doctors and nurses.  We expect medical security (including for telecare and telemedicine devices) to be as big a work stream as Maritime Security. But neither will be as immediately important as the protection of vulnerable on-line consumers.

This is one of the top priorities of the Devon and Cornwell Police Commissioner. Over half the over 65s nationally have been targeted by on-line predators. The problem is particularly acute in the West Country where banks and retailers are seeking to herd their customers on-line.

The overall aim of STEM Plymouth is to demonstrate by world-leadership by 2020 and the celebrations around the fourth centenary of the departure of a group of idealists who set off to invent their own future on the far side of the world. By then I anticipate that the cybersecurity partnership will be well on the way to emulating an even older Plymouth tradition: providing a global support base for those who help police cyberspace in the way the forbears policed the oceans – Elizabeth 1st was Francis Drake’s largest shareholder and took half his “prize money”.

One of the more imaginative exercises is to intercept teenage “explorers” before they acquire criminal records, so that we can enlist their talents and motivations (e.g. for recognition by those they respect) in hunting down those defrauding their grandparents. This approach is expected to be more productive than that of those who would convict them as hackers first, thus making them unemployable other than by GCHQ. Either way, we will make little or no progress in bringing law and order to cyberspace until fraudsters and other predators live in fear of being identified and having their assets seized.

Other exercises being piloted are more conventional, such as how to produce attractive careers material that is both accurate and intelligible to the target audiences – and get it in front of them. Here the aims include taking existing material (e.g. that of CREST) and helping implement and test a variety front ends to different audiences.

On and after the 12th we plan to start the next phase of the pilot, including engaging large employers who need to better protect vulnerable customers before they face massive fines under GDPR. We particularly wish to those engage banks, on-line retailers, insurance companies and asset recovery operations who would like to test processes for practical co-operation in a controlled environment.

Please contact the DPA Digital Security Skills Group with a note on what you would expect to bring to a partnership and, equally importantly, what you would expect in return. Those without objectives are unlikely to help us drive for realistic results. We are already looking at working with partnerships to serve other parts of the UK – but only where a critical mass of employers are already moving down the path of creating good working relationships with local authorities, law enforcement, Universities, Colleges and commercial training providers. Otherwise life is to short.