Only morality separates ethical hackers from criminals

Working in cybersecurity carries great responsibility. The same skills that make someone an excellent threat analyst or penetration tester also make them an excellent hacker; little separates security professionals from criminals apart from their morals, and the same experience can be put to nefarious purposes. That is why, explains Simon Hepburn, chief executive of the UK Cyber Security Council, the industry needs oversight.

“When you train people in ethical hacking and penetration testing, there is a strong focus on protecting, but [this knowledge] might [be used for] quite the opposite,” he says. “We really want to build and maintain public trust in the industry.”

The council, which was launched last year, grew out of the UK government’s National Cyber Security Strategy 2016 to 2021. That strategy concluded that the industry needed a new independent body that could set professional standards and bring together its different specialisms.

Cybersecurity companies join as members on a voluntary basis. The organisation’s main goals are to advance professional development and training by establishing qualifications and curricula, to improve the diversity and inclusion of the industry, and to regulate cyber companies through a new code of ethics and “chartered status,” an official mark of approval.

Research suggests there is a need for such an overarching body. Less than a quarter of UK cyber roles are held by women, and there is a significant skills gap: recent reports from the Department for Digital, Culture, Media and Sport found an annual shortfall of more than 10,000 people in the sector, while half of all businesses say they lack basic cyber skills.

Hepburn, whose background is in social mobility, educational policy and career development rather than cyber, admits he is by no means a “technical expert” but was drawn to the organisation because of its responsibility to “make a difference” by helping to create a more “open and inclusive” profession.

The council is the first all-encompassing cyber industry body and is still in its infancy. A key challenge for Hepburn will be bringing together the diverse organisations, resources and regulations that already exist. Cyber professionals are currently expected to comply with the Network and Information Systems (NIS) Regulations 2018 and GDPR, while CREST accredits penetration testers (those who are trained to simulate cyber attacks). In addition, the Cyber Security Body of Knowledge (CyBOK) is an online archive of learning materials that provides a foundation for an official cyber curriculum.

Hepburn says he “doesn’t want to reinvent the wheel” and is borrowing from these resources to develop qualifications and standards. He has also drawn inspiration from more established professions, such as medicine and law, to create a code of ethics and a professional “charter,” which would require cyber companies working on critical national infrastructure or large government projects to be accredited. These measures will help ensure that people are “accountable,” he says, with the risk of removal from the chartered register for those who fall short.

Hepburn believes the new body will help instil public confidence in the industry, but some worry that the creation of the UK Cyber Security Council will cause further confusion in an already fragmented tech sector and risks creating a silo between system design and system security.

“My concern is that separating ‘cybersecurity’ as a discipline from informatics or ‘computing’ is not going to end well,” says Ian Batten, professor of computer security at the University of Birmingham. “It implies that we are okay with continuing to create insecure systems and then adding security.” He compares it to “adding seat belts to an old car” and says the existing chartered institute for IT, the British Computer Society (BCS), would be “much more appropriate” as a general regulator.

Hepburn, however, believes that cyber needs to find its own voice. “We are such a new profession that we don’t want to miss out on computing or IT because cyber security is not just that,” he says.

“One of the myths in the industry is that you have to be a programmer, and it all has to do with computing and technology,” says Hepburn. “This is one of the reasons a lot of people don’t join. But the ‘ologies’ (criminology, psychology, anthropology, sociology) are all really useful skills to have.”

This confusion carries over into higher education, he says, with university students often taking courses that do not match the jobs they want to do. “Someone will take a security architecture course when they want to do penetration testing,” says Hepburn. “We need to accelerate the knowledge of the profession.” The council recently hired a diversity and outreach programme manager to help with this and is working on networking events with schools and businesses, where students can learn about different roles and even secure entry-level positions.

The need for regulation of the sector has never been greater. New rules are coming into force in the EU (the Digital Operational Resilience Act) that place greater liability on cyber companies providing security solutions to financial services firms, such as banks, should a breach occur. This is of particular importance to global cyber companies, and regulation is likely to follow suit in the UK and in other critical sectors.

The council’s accreditation schemes are currently a work in progress, and in the meantime Hepburn’s top priority is raising public awareness and promoting the work of partners such as the National Cyber Security Centre (NCSC) to highlight the ever-evolving threat of cybercrime and encourage the public to protect their systems.

“Cyber attacks have no geographical limits,” he says. “They are not prejudiced by race, religion or class: criminals will attack absolutely anyone and organisations of any size.” But “it’s not about scaring everyone,” he adds; it is about consolidating “the basic things that we can all do to protect ourselves”.