Infosec: Battle To Find A Future Security Chief Begins
The second Cyber Security Challenge is booting up for all-comers who want to become the 2012 cyber champion
The search to find the Cyber Security Champion 2012 is beginning. Last year, the winner of the competition was Wakefield postman Dan Summers, despite competition from security professionals.
The idea behind the Cyber Security Challenge is to promote IT security as a career and to find individuals who show promise. The prizes offered to those who prove they have the innate abilities to succeed are training courses and internships to set them on their way, or to redirect them, into leading roles in security.
Thinking Is More Important Than Doing
Judy Baker, director of the Cyber Security Challenge, told eWEEK Europe that last year’s inaugural competition was seen to be a massive success in revealing the hidden talent around the country. It also showed that it is important for security chiefs of the future to have the right mental processes rather than raw technical prowess.
“You’ve got to have good people. You have to have the means to recognise them – but that’s just the beginning of the journey. It’s really expensive if you get the wrong people but, if we’re going to get enough people to choose from, we need to attract them from all areas, not just IT, and showing the right kind of qualities.”
The competition is a mix of challenge streams. Some are devised to test thought processes and others are more technical. The competitions bring forward twelve finalists who then battle through individual and group tasks, based on actual attack scenarios, to find the overall winner.
Baker, a former board member of the Cabinet Office’s Centre for the Protection of National Infrastructure, was delighted that last year’s winner came from a non-IT background and that the runners-up were both IT undergraduates. In her eyes, this proved that it is the ability to “think outside the box” rather than a thorough understanding of technology that singles out a potentially successful cyber security professional.
Real World Challenges
Jay Abbott, head of the threat and vulnerability management practice at PricewaterhouseCoopers (PwC), has the responsibility for managing this year’s range of challenges. These are devised by the competition’s Platinum Sponsors. Last year, these comprised PwC, Sophos, SANS Institute, HP Labs, Cassidian and QinetiQ. They have all increased their sponsorship this year and have been joined by SAIC. The government’s Office of Cyber Security and Information Assurance has also provided £180,000 to help with the running costs.
Abbott said he was pleased to see this continued support and promised that the new year-long competition will offer bigger and better rewards – and greater challenges for the competitors.
“This time we are feeding back the views of the competitors. We asked them what they liked and what they wanted from the competition. What we tried to do then was to devise a series of competitions that not only reflect their desires but also map into career paths within the industry. So we have three primary strands: defending networks, forensic investigations, and how to apply the principles of attack to formulate a defence strategy.”
The streams are so-called because one challenge often contributes to the next. Abbott explained that, for example, the competitors will be placed in the role of a hacker to try to penetrate the defences of a fictitious company but the next game turns that on its head. To win through, the players have to take on the mantle of the company’s security chief and, using what they learnt in attacking the system, try to defend against a determined attack.
He added that there will be ad hoc mini-challenges that will be sprung at various points during the year to test the mental agility of the competitors.
“We have all sorts of surprises up our sleeves that will be on all sorts of topics and disciplines – either current to the media, what’s going on in the news; or relative to topics that aren’t well-known. We’re still in discussion with a number of companies to do something about SCADA and PLC programming – the Stuxnet type of scenario.”
Introducing SCADA (Supervisory Control And Data Acquisition) and PLC (Programmable Logic Controllers) into the equation will bring an element of the new genre of threats which target manufacturing systems rather than business networks.
Tough But Rewarding
Abbott and Baker agree that this year will be tougher than last year but emphasise that it is a competition and will be enjoyable to play. Many players, 25,000 last year, aim to win but some may just enter some of the challenges for fun. Abbott said that last year’s cryptography tests proved very popular and that many security professionals joined in just to see how they fared.
“The core talents we are looking for are: the ability to read between the lines and the ability to challenge anything that’s been said to you and dig out the real truth. These are the key traits, whether you’re going into the ‘bits and bytes’ or into governance and strategy, that make you good at that job,” he concluded.
Registrations begin in May and further details can be found at the Cyber Security Challenge Website. There is no age limit but those under 18 will have to have parental permission to enter.