Blog post

What kinds of people do we need doing cyber security?

Created:  01 Dec 2016
Updated:  01 Dec 2016
Author:  Emma W
Part of:  New talent

On Monday we ran the first-ever NCSC Twitter Q&A. As a brand-new thing, we were all somewhat out of our comfort zone - but we really enjoyed the challenge of producing quick, accurate answers to the impressively wide range of questions that were fired at us. I also enjoyed sneaking in the odd silly answer (I seriously thought our credibility would be at stake if we tried to run an internet-based event without ever once mentioning cats).

Towards the end of the day, we were asked what is the most under-used resource in cyber security. Dr Ian Levy, our Chief Technical Officer, had no hesitation in saying “people”.  

I couldn't agree more.

I don't have a deep technical background.

I never planned a career in cyber security.

But I’m here, working at the NCSC, I’m good at it, and I’m sticking around until they kick me out. Which might happen sooner rather than later, if I continue to give cat-based answers to serious security-related questions.

So if I'm not technical, how did I get into cyber security? Well, until a few years ago, I wasn’t interested in technology at all. It was great that there were people around who understood tech, but equally great that I didn’t need to be one of them. My interest in cyber security stems from my deep and overriding interest in people.

For example, how do we make security work for everyone? Is it OK for us to say that a product is perfectly secure, but only if it’s used in the right way? Is it fair to bombard ordinary people with endless instructions on cyber-related things that we assume they care about, when naturally, they don’t? How do we help businesses and private citizens to stay safe online, knowing that they’re already fully occupied just doing their day jobs?

Now THAT, my friends, is a set of problems that interests me.

In the NCSC environment, the fact that I can't reverse-engineer malware to find out what it's doing means I’m closer to many of our customers than I am to some of my colleagues. But that's not a bad thing. In fact it helps. We need to understand customers' perspectives to deliver cyber security that works for everyone. Dr Levy said to me today "You and yours have taught me a load of stuff over the last couple of years. I wouldn’t have pushed for some of the stuff in the NCSC if it wasn’t for you lot".

So maybe my real issue here is being described as technical. It’s usually meant as a compliment (in the 'you know what you’re doing' sense), but I worry that this attitude implicitly devalues non-technical skills. At the very least, it slides focus away from the things I do that really matter - and which are generally under-represented in cyber security. I'm happy to be called a specialist in my field, but that particular field is always going to be more about people than anything else - and that's fine. By bringing together this diversity of people and perspectives in the NCSC, we create a much stronger overall approach.

I don’t think we understand nearly enough about people in security. I don’t think we do enough to make security work for everyone, no matter what their technical prowess. Some security professionals still wonder why you can't make people invulnerable to phishing attacks just by training them. Many organisations remain firmly wedded to regular password expiry, despite the objective evidence that it harms security overall. These problems, and many more, require attention from people who understand that making security work for all people is the only way that security ever works at all.

We certainly need technical experts. I work with dozens of them, brilliantly talented men and women from all walks of life. But we also need more people in this business who are like me - and too much focus on bits and bytes risks turning those kinds of people off from the start. If you’re interested in working at the NCSC, keep an eye on the GCHQ recruitment website, Civil Service Careers or drop us a line using the Contact us form.

 

Emma W

People-Centred Security Lead, Sociotechnical Security Group, NCSC

 


14 comments

Chris Elliott - 02 Dec 2016
> Is it OK for us to say that a product is perfectly secure, but only if it’s used in the right way?

Given no product is perfectly secure, I would hope the NCSC would never make such a statement anyway.
Andy Lawson - 02 Dec 2016
Dr Levy's geeks should only ever be wheeled out to an audience that will be receptive. The greater numbers you need to connect with - the general public, need to hear key NCSC messages from people like yourself to lessen the fear factor and demonstrate that everyone can understand the basics of cyber security and take simple practical steps to protect themselves.
Jo S - 12 Dec 2016
People-centred security is a critical evolution and application of the principles of customer-centric product design. Seeing "security awareness" as a product that needs to be "sold" (even if it is for free) to consumers is necessary to protect our economy.

People are our greatest asset but also our weakest link in fighting Cyber Crime.

Looking forward to you recruiting!
Guy Sansom - 14 Dec 2016
Cyber security is the world's largest counter-insurgency campaign. Discuss. One of the big issues in a counter-insurgency is persuading the uninvolved greater mass of the populace to move to a position where they are pro your position and anti the insurgents. So can you imagine how successful the good guys are going to be in persuading the foreign land population (who come from NonTeknicLand rather than CompSciLand and who therefore speak a different language) of the righteousness of their point of view unless they have made a point of taking translators with them. And not just people who speak both tongues but who actually understand both cultures. I recommend Learning To Eat Soup With A Knife as a good book to read to see what happens in such cases. And we are repeating the issue in the cyber world - we've just about figured we need more troops but we still haven't got a handle on the need for translators.
John Stewart - 03 Jan 2017
I would like to become a member of the NCSC where would I start?
NCSC Enquiries - 04 Jan 2017
John - If you are interested in joining the NCSC as a member of staff there are a couple of places to keep your eye on. The careers sections of the NCSC or GCHQ websites at https://www.ncsc.gov.uk/articles/careers-national-cyber-security-centre and https://www.gchq-careers.co.uk/index.html or the Civil Service Careers site (https://www.civilservicejobs.service.gov.uk/csr/index.cgi).
If you don't want to join as a member of staff then you can get your professional skills recognised (https://www.ncsc.gov.uk/articles/about-certified-professional-scheme).
Or if you are at the stage where you are looking to start your working life the CyberFirst schemes may be of interest (https://www.ncsc.gov.uk/articles/cyberfirst).
Joshua Hughes - 15 Feb 2017
Hi, I would like to apply for the CyberFirst scheme. I'm currently doing my first year within university studying computer science, unfortunately I'm 26 years old and the age limit is 25! Will I still be able to apply? If not, is there anything else I could do to start my career within cyber security?
Emma W - 15 Feb 2017
Joshua, I've checked with the CyberFirst Lead and there is no age limit as far as we are concerned. It would be really useful to know where you found that information. As a first year student studying computer science you are eligible to apply.
Joshua Hughes - 15 Feb 2017
Excellent! Thank you. I found the information at the GCHQ website.
www.gchq.gov.uk/sites/default/files/CyberFirst-Scheme-flyer_0.pdf
Boikago - 10 Sep 2017
May I ask what interests should a cyber security have?
Emma W - 14 Sep 2017
Hi, and thanks for your comment. Cyber security professionals have very different backgrounds and career paths, but they do tend to have a few traits in common. Have a look at my colleague Kate’s blog post https://www.ncsc.gov.uk/blog-post/origin-stories for more details on what we found on this, when we went looking earlier this year.

From my own point of view: you should be interested in technology (but not necessarily hold any qualifications, or be able to set up your own email server or anything) and its applications in everyday life. You should recognise that security is a set of complex problems, it’s really about helping people, and that the aim isn’t to make everything ‘perfectly secure’ - because that’s not really possible, or even desirable.

Finally, if you hope to join the NCSC, you need a solid appreciation of the importance of cake in the workplace!
Helen A - 20 Feb 2017
I found this very interesting as I am also a non IT techie working in cyber security. When I was recruited to this post my first response was 'I'm not qualified' but actually I find not knowing all the technical details can be an advantage as I don't get drawn in to the detail and can focus on what we are trying to achieve. I apply a systems engineering approach and at the heart of it I always think 'how will this work for the business'. I find that keeping the end users in mind ensures solutions that enable the users to use the IT services as intended as most often when they do things that weren't intended it's because they are just trying to get their job done.
Rob Walker - 25 Apr 2017
I've been working in Cyber Security for 17 years - working across the military, not-for-profit, government and education sectors. I've never been a deep techie specialist - but that's been an advantage. I don't get stuck in the weeds and I can't get lost in the details. If you can listen to people, empathise with them and help them make informed decisions then you'll make a great contribution.
Gareth Richardson - 15 Aug 2017
Whilst fully agreeing that focusing on making security more applicable to more people is a good thing, I'd like to point out that there are (admittedly not many) some people who are both technical *and* people/business focused.

Some will have come from a technical background and developed the necessary soft-skills to complement the technical ones, others will have come from a more general background and then developed their technical skills.

We should recognize that these people are the 'interpreters' that we seek, and also that there aren't enough of them.

I can see that someone coming from either background has opportunities to develop their skills in the area they are not currently proficient in, but that requires the individual to see the need and have the necessary passion to follow that up. What I don't see is any encouragement on a wider scale to encourage people to develop skills that are not part of their chosen career.

Perhaps this is why there aren't very many of them.
