One of the biggest challenges facing businesses, political institutions and individuals is cyber security. From the leaking of the Podesta emails in the build up to the 2016 US election, to 20,000 Tesco Bank customers having money stolen from their accounts due to a data breach, there is now a huge focus on the protection of data and how hacks can be addressed and prevented. The major issue that is mentioned in the same breath is the much publicised skills gap in the industry. A recent report from cyber security professionals association (ISC)2 identified that by 2021 the shortage of skilled workers in the cyber security sector will reach 1.8 million globally. This ever-expanding hole in the workforce has the potential to leave many organisations exposed to hacker attacks as systems remain insecure and without the staff to keep them safe.
Companies and Government alike are developing comprehensive training programmes, designed to ensure the next generation of cyber security defenders are skilled in the appropriate areas. However, University staff have a role to fulfil in ensuring candidates are receptive to training, by providing an adequate framework of knowledge to them, instilling a solid foundation of principles and theories behind where these problems come from.
Training is, by definition, teaching skills and knowledge related to specific useful competences. However, it is often focused solely on teaching a particular skill rather than the ability to learn new skills. The University’s role is not to train somebody to be productive on day one, rather teaching them how to learn for longer term gain.
It is natural to think that the training focus for firms must be to ensure workers are proficient in very specific areas; to keep certain networks and technologies secure and how to address any issues that may arise. In theory, this makes sense, however the technology industry is ever changing and the world is bigger than any cryptography exercise. Devices and applications are constantly evolving as new products are developed to improve services, while at the same time attackers are changing how they operate in order to find new ways to access vital information. As such, simply training people to keep one specific tool or network secure can quickly become redundant as that technology evolves or is replaced.
Universities should be looking to ingrain this approach in their syllabus, ensuring students are developing the ability to constantly learn new skills and adapt to changing surroundings.
However, while this school of thought is an important element in addressing the wider cyber security skills gap, it is not enough in isolation. Universities need to combine theory with the development of practical skills in a real-world environment, thus allowing students to test what they’ve learnt and teaching them how to apply this in a realistic environment.
One way to enable students with the vision to do this is through face to face competitions. Bringing together different individuals to apply their cyber security abilities in a collaborative and competitive setting allows students to implement the skills they have been taught, while learning new ones in the process, all in a fun and inclusive environment.
Competitions also have the ability to encourage people to consider cyber security as a career option. The cyber security industry requires a range of skills that are not purely technically focussed. Roles may require business expertise, an understanding of behavioural science, communications insight and team leadership; opening the doors for a wide range of individuals to an industry they may not realise they could be a part of. If students who may have not thought about a cyber security career have the opportunity to experience the industry first-hand, while at the same times enjoying themselves in a competitive atmosphere, it could impact them enough to make them consider studying the sector further or even moving into a position in the industry, increasing the talent pool in the process.
There are universities that are realising the benefits that such competitions can have and are taking action. For example, through working with a team at the University of Cambridge and colleagues at the Massachusetts Institute of Technology (MIT), last year we launched the “Cambridge 2 Cambridge” (C2C) competition. The event brought together top students from both universities in a 24-hour challenge, providing them with the opportunity to explore creative ways to combat simulated cyber-attacks, while at the same time meeting like-minded individuals and developing new skills. The teams from each university came together to form their own network and the relationships built across these few days could go on to serve them well in their professional lives.
Seeing the success of the C2C competition, the team at the University of Cambridge launched a new event in 2016. The Inter-ACE competition brings together top universities from across the UK: it is it is open to students from universities with Academic Centres of Excellence in Cyber Security Research. The competition takes place in front of several key sponsors from government and industry – such as the Cabinet Office, the National Cyber Security Centre, Leidos and NCC Group – who are there to look for new recruits and to help educate students about potential careers.
Cyber threats are not going to go away any time soon and neither is the skills gap the industry faces. As such, universities have an important role to play in the future of the cyber workforce. Academic institutions need to make sure students are leaving education with the skills that can help them develop solutions in an ever-changing industry and how to implement these skills in a working environment, while at the same time ensuring as many people are aware as possible of the options available to them in the industry. Through competitions, we can build platforms for students to receive all of this, while at the same time having fun and developing connections that will serve them well in the future.
Frank Stajano is Inter-ACE and C2C competition Co-Founder and Head of the Cambridge Academic Centre of Excellence in Cyber Security Research