Blog post

Origin stories

Created:  07 Aug 2017
Updated:  07 Aug 2017
Author:  Kate R
Origin stories

As part of Cyber UK, members of the Sociotechnical Security Group were looking to collect research data from delegates in our Live Labs. These were really well attended and I just want to say a huge thank you to everyone who came along.

One of these labs was the 'Origin Stories' workshop. The point of this workshop was to look behind the stereotype of the cyber security professional. We wanted to find out what our frontline people are really like, how they got here and what makes them tick. We gave the participants six questions:

  • How did you get here? Draw your career up to this point.
  • What makes you stay in cyber security?
  • What skills do you use and value?
  • What do you think the profession will need in the future?
  • What do you think you would look like in 20 years?
  • 'About you'

Rather than just getting CVs, we really wanted to get people to tell their stories of what lead them towards a career in cyber security and their feelings about the profession. Some of our RISCS partners, creative security researchers who are part of the Information Security Group at RHUL, had been developing an elicitation toolkit (with stickers) and we took it for a test drive. The response (particularly to the stickers) was great, people really got into the topic and feedback on the day suggested that people would have liked to spend longer on it. If you want to try the elicitation toolkit for yourself, you can request packs from the researchers.

Having recovered from Cyber UK and armed with cake and advanced Pictionary skills, we have now gone through the responses to try and find out more about the practitioners who came along to the workshop.

 

Backgrounds

We quickly realised that they had very little in common - at least as far as their backgrounds were concerned. Those who said they had done a degree had usually done a broadly STEM(ish) subject, but the number who did a computing related degree was only a small part of the group. The others had done a wide variety of subjects including geology, biotech and chemical engineering.

At first glance there were a huge number of routes into cyber security and most seemed pretty accidental, which was the observation from many participants on the day. But we did start to see some patterns. One of these was that the practitioner had drifted into security from a previous IT/computing related area. This could be because security became an increasingly important part of an existing role or because their career path had led them down the security focused route. Others had drifted in via the military or policy focused roles.

However, there were some in the group who had made the conscious decision to adopt it as a career. This would either be during or shortly after university, or at a point in their career where they needed to make a change (having children or being made redundant were mentioned as reasons). They had often chosen cyber security because it fitted with their interdisciplinary skills and interests; one mentioned how they had thought they needed to choose between psychology and electronics at university but had discovered that cyber security was both.

 

Why do they enjoy their jobs?

The good news is that almost all were enthusiastic about their jobs, and the reasons why were very consistent. The majority said that they found the field interesting and that they enjoyed the challenges, problem solving and opportunity to learn. Others said they found it fun or exciting, with one person saying it was also their hobby. But, even more important to people, was the purpose it gave them; allowing them to have a career that 'made a difference', had a 'valuable goal' or to have a role with a 'meaningful purpose'. This picture, of an interesting career that was having a positive impact on people, was repeated time and time again, across the vast majority of our participants and was given as an answer to various different questions, including 'About You'.

Participants also mentioned that they found the field to be inclusive and welcoming, citing that they liked their teams and the ability to work flexibly. Several people also mentioned feeling valued and respected. Despite the good atmosphere, many noted that diversity in the field needs to be improved, and that it would benefit from different backgrounds and skills. Speaking of which…

 

What skills do they value?

Overwhelmingly the participants told us that they value the ability to communicate with wide variety of people, both technical and non-technical, at all levels of an organisation. They described how it was important to be good at listening and empathising; to allow them to understand both an individual's perspective and the business need. They also needed to be able to sell security messages to others; giving presentations, networking and influencing board decisions. Many thought that an essential skill was being able to translate between 'tech' speak and 'management' speak and using this to bridge the gap in their organisation*.

Aside from communication, tech skills were also mentioned (unsurprisingly). But people were reserved about this, with one saying that it wasn't about the tech, but rather about looking things in a different way. Another pointed out that while they did need good foundational knowledge, the deep technical skills came from supporting network of specialists. But we also saw evidence of the effect of the stereotype; one person who was trying to enter the profession gave a long list of the technical skills they had been teaching themselves, none of which were mentioned by people already in the role.

 

What did we learn about the profession and how will it help?

Clearly many of those who are in the profession do not consider their job to be just about technology (which is how many see cyber security roles). The skills, motivations and values the participants bring to their jobs, and shared with us, really stood out and leads us to ask how can we challenge the view that security is only about technology problems?  How can we show appreciation for the things that drive our practitioners, such as purpose, creativity, passion and curiosity, as well as the other points mentioned above? And how can we make sure we are equipping future practitioners with the wide range of skills used in the cyber security profession?

This work is a starting point, helping us recognise the diverse set of individuals that we don't always see beyond the stereotype. Investigating the skills and motivations we have in the profession already can help us change the way we communicate about security and the implications that might have on how we recruit people. Technical skill is important, but it doesn’t tell the full story of those who are already enjoying the challenges that come with being part of the profession.

*It's not just our Cyber UK participants that think this is important; research to support this challenge will be the topic of our next RISCS funding call.

2 comments

Chris Elliott - 07 Aug 2017
This is a fascinating write-up of what was a really interesting workshop at CyberUK. However I am interested as to whether your findings are being used to guide the wider professionalisation work at the NCSC -- recent briefings on this from the NCSC have focussed on specific certified degree courses and professional qualifications such as being the route to cyber professional status.
Kate R - 21 Aug 2017
Our skills team recognise that there are a lot of different people in cyber security. From the frontline people that need to understand the big picture, to the 'supporting network of specialists' that one delegate mentioned. Our focus has tended to be at the specialist end of the scale, partly because the profession is desperately short of people in these areas and partly because we do already have a good understanding of many of the skills and knowledge required at the specialist end of the spectrum – which makes the job a bit easier. As we move away from that very specialist end, the more complex things can get. At the other end, defining what a lawyer, or procurement professional or business manager needs to know about cyber security in their professional sphere is significantly more contentious/difficult/ vague/complicated… But we are evolving.

Leave a comment

Was this blog post helpful?

We need your feedback to improve this content.

Yes No