The Real Cyber Challenge: Getting The Right People Into IT Security

The Cyber Security Challenge is more than a competition. It is a revelation of why there are so few IT security job applicants, says Eric Doyle

There is a temptation to concentrate on the winner of a competition like the UK Cyber Security Challenge (CSC) but the hidden message is that there is no lack of interest in jobs in security despite an apparent lack of suitable candidates. In its second year, the competition saw 30 finalists battling for the crown – and there were 56 candidates eliminated in the previous round.

The 85 who did not win the glittering prize were not necessarily bad – quite the opposite, as many of them won stage prizes throughout the competition – they were either not the very best or simply unlucky in that the trials were perhaps not suited to their skills.

Thousands of candidates

Stepping back, the initial intake of people signing up for the online knockout stage ran into “thousands”, according to Judy Baker, chair of the UK CSC board, who led the development and launch of the first Challenge in 2010. This shows the level of interest. It may not compete with X-Factor in numbers but it does show an incredible amount of curiosity.

I asked some of the finalists at the awards about their reasons for joining the competition and the overall feeling, voiced by Lee Nichols from Newcastle, was that this is probably the only way they could study hacking in a practical environment without breaking the law. The answer was interesting because several members of the group were students studying IT subjects at university. The inference is that there is a lack of places on security courses, or a lack of courses, for students to specialise in systems security.

Courses that do exist tend to teach reactive defence systems and how to batten down the hatches rather than the psychological aspects of the hacking process – apart from a trio of courses at the University of Abertay, Dundee, which actually teach a module on ethical hacking.

Another interesting view, which also casts a shadow on university courses, was expressed by Alexander Dicketts, a final year student in computing. The first test of the two-stage final was run by HP to give the candidates an experience of the real world problems faced by a company’s security team every day. Simply put, this shows the balance that has to be sought between the daily running of a business and the effect that an IT security decision can have – or how to find a compromise.

Dicketts said that this was an angle he had not considered before. The course he is following looks at the practical aspects of computing rather than the issues that arise when running a service within an actual business environment.

It is hardly surprising that students turn into systems managers and gravitate towards security – if the opportunity even arises. Battling to keep data safe and to ensure the integrity of a computer system that is threaded through complex and critical business processes is a challenge that appears to fire imaginations.

The competition is open to all-comers and the only exception is anyone already employed in the security business. As this year’s tests proceeded, one or two competitors were immediately offered jobs and had to face their own challenge of whether to refuse a gilt-edged offer of employment or see the CSC through to the end – a bit of a no-brainer and probably why there is a leaning towards students in the final stages.

Cyber-opportunities

Despite this year’s competition being won by Jonathan Millican from North Yorkshire, currently studying computer science at Jesus College, Cambridge University, the outgoing 2011 champion, Dan Summers, was a postman from Wakefield. Following his success, Summers was appointed to the Royal Mail as an infosec specialist. He told me: “I had to take a day’s holiday from delivering the mail to compete in the final but it was the best decision I have ever made. The training and course certificates I received as part of my prize have completely changed my life.”

Handing over the crown to the new champion did not bother Summers: “I may no longer be the champion but I will always be the first winner of CSC – they can’t take that away from me,” he said.

The aim of CSC is not to find the best cyber-security expert but to find someone with the right mindset to out-think the attackers. When I congratulated Millican on his success, he said: “I’m surprised and amazed. I can’t quite believe it. Unlike some of the other competitors, I’m not anything like a cyber-security expert so it’s an honour to win this today.”

This only goes to show that a job in IT security is truly a vocation. Where systems developers are more concerned with how to make things work, the infosec specialist looks at the system and thinks how to make it “unwork”. A good cyber security chief is like a good detective. Rather than getting angry, they appreciate, even admire, the mechanism of a well-planned exploit.

When convicted hacker Kevin Mitnick had served his time, he reappeared as a security consultant at the 2003 RSA Security Conference in the US. There followed a heated exchange on stage between Mitnick and Hewlett-Packard’s chief security strategist Ira Winkler, who opposed the idea that a former criminal could be trusted to poke around a corporate network looking for vulnerabilities. However, the saying about setting a thief to catch a thief does have some bearing on choosing security staff. The trick is to find them before they turn to the dark side – and that’s one of the roles of CSC.

The 2013 Cyber Security Challenge is now open for registrations and the online elimination tests will begin, probably, in April. There then follow three months or so of quizzes, puzzles and tasks to find the skilled few who will enter the face-to-face challenges that culminate in the Masterclass Final. Once again thousands of potential recruits will be quietly picking through facts and figures and racking their brains to find the loophole that leads to the solution.

Anticipating weak spots in a security strategy requires an attitude of constructive malevolence – the kind of thought process that some children have at Christmas when, by Boxing Day, they have pulled their gifts apart to see how they work and, sometimes, how they could be improved. Some succeed in the challenge; others just end up with broken toys.