On Monday we ran the first-ever NCSC Twitter Q&A. As a brand-new thing, we were all somewhat out of our comfort zone - but we really enjoyed the challenge of producing quick, accurate answers to the impressively wide range of questions that were fired at us. I also enjoyed sneaking in the odd silly answer (I seriously thought our credibility would be at stake if we tried to run an internet-based event without ever once mentioning cats).
Towards the end of the day, we were asked what is the most under-used resource in cyber security. Dr Ian Levy, our Chief Technical Officer, had no hesitation in saying “people”.
I couldn't agree more.
I don't have a deep technical background.
I never planned a career in cyber security.
But I’m here, working at the NCSC, I’m good at it, and I’m sticking around until they kick me out. Which might happen sooner rather than later, if I continue to give cat-based answers to serious security-related questions.
So if I'm not technical, how did I get into cyber security? Well, until a few years ago, I wasn’t interested in technology at all. It was great that there were people around who understood tech, but equally great that I didn’t need to be one of them. My interest in cyber security stems from my deep and overriding interest in people.
For example, how do we make security work for everyone? Is it OK for us to say that a product is perfectly secure, but only if it’s used in the right way? Is it fair to bombard ordinary people with endless instructions on cyber-related things that we assume they care about, when naturally, they don’t? How do we help businesses and private citizens to stay safe online, knowing that they’re already fully occupied just doing their day jobs?
Now THAT, my friends, is a set of problems that interests me.
In the NCSC environment, the fact that I can't reverse-engineer malware to find out what it's doing means I’m closer to many of our customers than I am to some of my colleagues. But that's not a bad thing. In fact it helps. We need to understand customers' perspectives to deliver cyber security that works for everyone. Dr Levy said to me today "You and yours have taught me a load of stuff over the last couple of years. I wouldn’t have pushed for some of the stuff in the NCSC if it wasn’t for you lot".
So maybe my real issue here is being described as technical. It’s usually meant as a compliment (in the 'you know what you’re doing' sense), but I worry that this attitude implicitly devalues non-technical skills. At the very least, it slides focus away from the things I do that really matter - and which are generally under-represented in cyber security. I'm happy to be called a specialist in my field, but that particular field is always going to be more about people than anything else - and that's fine. By bringing together this diversity of people and perspectives in the NCSC, we create a much stronger overall approach.
I don’t think we understand nearly enough about people in security. I don’t think we do enough to make security work for everyone, no matter what their technical prowess. Some security professionals still wonder why you can't make people invulnerable to phishing attacks just by training them. Many organisations remain firmly wedded to regular password expiry, despite the objective evidence that it harms security overall. These problems, and many more, require attention from people who understand that making security work for all people is the only way that security ever works at all.
We certainly need technical experts. I work with dozens of them, brilliantly talented men and women from all walks of life. But we also need more people in this business who are like me - and too much focus on bits and bytes risks turning those kinds of people off from the start. If you’re interested in working at the NCSC, keep an eye on the GCHQ recruitment website or Civil Service Careers, or drop us a line using the Contact us form.
People-Centred Security Lead, Sociotechnical Security Group, NCSC