Industry must do more to raise awareness of the cyber security profession, identify youngsters with the right talent and establish clear career pathways, according to James Lyne, global head of security research at Sophos, certified instructor for the SANS Institute and cyber security entrepreneur.
“I fell into security more through interest than design, and a great deal of luck in the sense that I hit that time on the internet when forums were building up around concerns about secure programming practices. There was a cool hacker culture in which people were sharing challenges about doing various things,” he told Infosecurity Europe 2018 in London, where he was inducted into the Hall of Fame.
“I was lucky that I had lots of influential mentors. But one in particular in the early stages was responsible for ensuring that I ended up on the legitimate security industry side of hacking, rather than the other side, by telling me there was a lot that I could do with my skills and warning me that becoming a criminal hacker would mean having to look over my shoulder for the rest of my life,” said Lyne.
However, he said it should not be down to luck that talented youngsters “are caught at the right time” and then choose a career in information security where they can do work that makes a difference, rather than pursuing a career in cyber crime.
“It is scary that for many young people, without the right words at the right moment, it is all too easy to end up going down the wrong path, not because they are bad people, but just because they are looking for opportunities to apply the skills they have. I had no interest in stealing credit cards, but I did want to hack stuff,” Lyne added.
According to Lyne, there are two important issues that industry in general, and the cyber security industry in particular, needs to focus on.
“First, we need to ensure that young people know that information security offers a whole range of legitimate and interesting jobs,” he said.
“I have spoken to many amazingly talented people coming out of competitions aimed at finding cyber security talent who are shocked that their skills can actually be used as a career. So there is an advertising problem of making sure that people with these skills know there is a career pathway for them to follow.
“Second, we need to ensure that employers are not overlooking talented people by having unrealistic recruitment criteria. We are seeing people who have proven that they have the right skills, and they are struggling to find a job because employers are insisting on things like five years’ experience or formal certifications. As a result, they are struggling to get into the industry to prove their worth to get on to the career ladder,” said Lyne.
Describing both these issues as “ridiculous problems” considering the cyber security skills shortage that the world is facing, Lyne said it is “ludicrous” that either of them still exists, especially in the light of all the new stuff that organisations are doing with the internet of things [IoT], which will require a whole new set of skills.
CyberStart helps find talent
To address these issues, Lyne was instrumental in setting up the SANS CyberStart programme, which was subsequently adopted by the UK government under the Cyber Discovery banner as part of their cyber skills programme for schools.
The brief was to set up a programme designed to find talented youngsters between the ages of 11 and 18 who would not necessarily know they would be good at cyber security, to show them how interesting and how much fun the industry is, to develop their skills and give them an opportunity to use those skills.
Lyne said that he and the “amazing team” he worked with for the past four-and-a-half years decided to tackle this by creating an engaging game that covered all the major domains of cyber security, but at a level that would be fun for youngsters to play.
Several versions of the game later, he said the UK government laudably launched a huge programme in 2017 with massive funding to provide these games free of charge to every school in England, which involved more than 30,000 14- to 18-year-olds in the first year.
Lyne said he was “very proud” of CyberStart, which continues to be expanded and improved by a team of developers at the Helical Levity security research firm he founded.
An open-minded approach
There are many good definitions of what makes a good security practitioner, said Lyne, “but part of the problem is we often try to collapse those definitions down to a single type of role or person, but in reality, security practitioner roles differ wildly from one to the other”.
“Very different skills are required to be a forensics investigator, penetration tester and application security technician or a cyber defender, for example. While formal education and certifications may be important for some, they are irrelevant to others, whereas how creative people are or simply how they are wired matters more,” he added.
The skills shortage and the lack of career entry opportunities can both be addressed, said Lyne, if employers stop limiting their view of what ‘good’ looks like.
“As we drive the professionalisation of our industry and the definition of various roles, we need to be open-minded to where these people are going to come from. We need to focus on whether they can do the job and whether they have the right skills, rather than how much experience they have or how many certifications they have,” said Lyne.
Lyne also had some advice for people who are starting careers in information security. “Don’t forget that this industry is built on the shoulders of giants. Don’t be arrogant. Stick to a code. Be respectful of your peers. Don’t lambaste people for good work and be supportive when things go wrong. Recognise that there are so many amazing people in the industry who you can learn from,” he said.
Asked who he would like to see inducted into the Infosecurity Hall of Fame, Lyne said he would like nominees to be drawn from the huge ranks of unsung heroes in cyber security who do “incredibly impactful work” in the private and public sector, but are not as well-known as previous Hall of Fame alumni, many of whom have helped build big security brands.
Asked about what he plans to do next, Lyne said he would remain focused on the next generation of information security professionals, fixing the skills gap and weathering the next step of technology.
“I have seen really scary indicators of changing [criminal hacker] intent in industrial control systems. There is much more focus on attacking environments that are 50 years behind the mainstream computing environment where we need lots of skilled people, not to mention the whole IoT space, which is on fire in a dumpster, representing massive opportunity for attack.”