There is a temptation to concentrate on the winner of a competition like the UK Cyber Security Challenge (CSC) but the hidden message is that there is no lack of interest in jobs in security despite an apparent lack of suitable candidates. In its second year, the competition saw 30 finalists battling for the crown – and there were 56 candidates eliminated in the previous round.
The 85 who did not win the glittering prize were not necessarily bad – quite the opposite as many of them won stage prizes throughout the competition – they were just either not the very best or just unlucky in that the trials were maybe not suited to their skills.
Stepping back, the initial intake of people signing up for the online knockout stage ran into “thousands”, according to Judy Baker, chair of the UK CSC board, who led the development and launch of the first Challenge in 2010. This shows the level of interest. It may not compete with X-Factor in numbers but it does show an incredible amount of curiosity.
Courses that do exist tend to teach reactive defence systems and how to batten down the hatches rather than the psychological aspects of the hacking process – apart from a trio of courses at the University of Abertay, Dundee, which actually teaches a module on ethical hacking.
Another interesting view, which also casts a shadow on university courses, was expressed by Alexander Dicketts, a final year student in computing. The first test of the two-stage final was run by HP to give the candidates an experience of the real world problems faced by a company’s security team every day. Simply put, this shows the balance that has to be sought between the daily running of a business and the effect that an IT security decision can have – or how to find a compromise.
Dicketts said that this was an angle he had not considered before. The course he is following looks at the practical aspects of computing rather than the issues that arise when running a service within an actual business environment.
It is hardly surprising that students turn into systems managers and gravitate towards security – if the opportunity even arises. Battling to keep data safe and to ensure the integrity of a computer system that is threaded through complex and critical business processes is a challenge that appears to fire imaginations.
The competition is open to all-comers and the only exception is anyone already employed in the security business. As this year’s tests proceeded, one or two competitors were immediately offered jobs and had to face their own challenge of whether to refuse a gilt-edged offer of employment or see the CSC through to the end – a bit of a no-brainer and probably why there is a leaning towards students in the final stages.
Despite this year’s competition being won by Jonathan Millican from North Yorkshire, currently studying computer science at Jesus College, Cambridge University, the outgoing 2011 champion, Dan Summers, was a postman from Wakefield. Following his success, Summers was appointed to the Royal Mail as an infosec specialist. He told me: “I had to take a day’s holiday from delivering the mail to compete in the final but it was the best decision I have ever made. The training and course certificates I received as part of my prize have completely changed my life.”
The aim of CSC is not to find the best cyber-security expert but to find someone with the right mindset to out-think the attackers. When I congratulated Millican on his success, he said: “I’m surprised and amazed. I can’t quite believe it. Unlike some of the other competitors, I’m not anything like a cyber-security expert so it’s an honour to win this today.”
This only goes to show that a job in IT security is truly a vocation. Where systems developers are more concerned with how to make things work, the infosec specialist looks at the system and thinks how to make it “unwork”. A good cyber security chief is like a good detective. Rather than getting angry they appreciate, even admire, the mechanism of a well-planned exploit.
When convicted hacker Kevin Mitnick had served his time, he reappeared as a security consultant at the 2003 RSA Security Conference in the US. There followed a heated exchange on stage between Mitnick and Hewlett-Packard’s chief security strategist Ira Winkler, who opposed the idea that a former criminal could be trusted to poke around a corporate network looking for vulnerabilities. However, the saying about setting a thief to catch a thief does have some bearing on choosing security staff. The trick is to find them before they turn to the dark side – and that’s one of the roles of CSC.
The 2013 Cyber Security Challenge is now open for registrations and the online elimination tests will begin, probably, in April. There then follow three months or so of quizzes, puzzles and tasks to find the skilled few who will enter the face-to-face challenges that culminate in the Masterclass Final. Once again thousands of potential recruits will be quietly picking through facts and figures and scratching their heads to find the loophole that leads to the solution.
Anticipating weak spots in a security strategy requires an attitude of constructive malevolence – the kind of thought process that some children have at Christmas when, by Boxing Day, they have pulled their gifts apart to see how they work and, sometimes, how they could be improved. Some succeed in the challenge; others just end up with broken toys.
View Comments
Your comment about detectives reminds me of G K Chesterton's The Innocence of Father Brown [spoiler].
How did you solve those mysteries, a journalist asks, and the priest-detective answers: “You see, it was I who killed all those people.”
Father Brown solves mysteries by getting inside the criminal. “You may think a crime horrible because you could never commit it. I think it horrible because I could commit it.”
Nice article. Just a slight correction - Abertay University runs an entire degree in Ethical Hacking.