Cyber security roles tend to emphasize cyber-specific specializations and technical skills to the exclusion of all else, and the sector could benefit from broadening its scope to build pathways to cyber for a broader group of people, including anthropologists, politics and international relations. analysts, psychologists and other social scientists.
As a social anthropology student in the early 2000s who fell into tech writing more by accident than by design, I’ve long thought the tech industry as a whole could use more artists, humanists, and social scientists. I think we bring a much-needed sense of perspective to the often very dry and complex subject of technology, which sometimes runs the risk of leaving behind, or even harming, the people it is meant to help.
More recently, as my career has taken me into the world of cyber security, I have been fascinated by the psychology behind how and why people act the way they do in a cyber context, and how and why threat actors operate as they do.
This belief was consolidated after listening to a talk by National Cyber Security Center (NCSC) deputy director of cyber growth, Chris Ensor, in (ISC²) Secure London event on April 7: the first in-person session held by the cyber certification association since the pandemic began.
In a wide-ranging keynote address, Ensor compared the cybersecurity profession to the medical profession, even though they are at very different stages in their life cycles. What did he mean by this?
In a nutshell, that the medical profession has defined roles, specialties, and paths that have been established over the last two centuries, since the days of Florence Nightingale and Mary Seacole. But cybersecurity has been around in its established form for 10 or 15 years, 20 at the most, and in that time it has arguably become as important to the overall health of British society as the NHS.
Part of the problem, which the medical profession has successfully solved, is that many jobs have several defined specialties: a gynecologist specializes in women’s reproductive health, an otolaryngologist specializes in ear, nose and throat, a podiatrist in foot , but due to their comparative newness, cyber lags in defining what it takes to be a security analyst, consultant, or engineer, and different organizations will define these roles differently.
Can you imagine the chaos that would ensue if different NHS Trusts were free to define clinical roles differently?
On top of that, it’s hard to get common ground and agreement on what the cybersecurity specialties are; the US National Initiative for Cyber Security Education (Nice) defines more than 30 specialties, but the NCSC, according to Ensor, defines only eight. These are risk management, security architecture, secure design, incident response, penetration testing, network monitoring, digital forensics, and vulnerability management.
If the cyber community can agree on these specialties and better understand them, then we can see how to effectively unlock those talents in people. Which is, perhaps, where we social scientists come in. Retraining and upskilling the existing workforce is a difficult and time-consuming process, but if we can extract the aspects of the existing non-technical skill sets that speak to those specialties in some way, we’re sure to find would-be security professionals lurking in the most unlikely corners.
Take my own experience. A bookish kid who excelled in English and history and hated maths and science, I happily dropped out of STEM subjects after my GCSEs and was drawn to social anthropology because I enjoy people and knowing why people do what they do. he does and thinks what he thinks.
Over the course of my studies, some of the most enjoyable times I had were with a group of volunteers from my university who had come to the UK from Chile to study, exploring their experiences in Britain while recreating their food culture with the resources available. . them in the world food aisle at Asda, and discover how they understood themselves and their social group as expats in a foreign country through food.
If I look at the world of cyber security, I start to see parallels of experience. In 2020, I wrote about the then-emerging DarkSide ransomware operation, which made its name when it “donated” some of the money it extorted to charity (needless to say, but don’t accept donations from ransomware gangs, folks). ). What, I wondered, motivated the criminals behind DarkSide to do this? Good public relations? I dug deeper and began to learn more about how cybercriminal gangs conceptualize and understand themselves in the context of the underground communities they form.
Six months later, in the spring of 2021, my colleague Valery Reiß-Marchive, from the French sister title of Computer Weekly LeMagIT, shared with me leaked chat logs between the Conti ransomware gang and clothing retailer FatFace. I was struck by the degree of professionalism displayed by the cybercriminals. It was clear to me that Conti was running its operation as a tech support business and that its members saw themselves as legitimate penetration testers to some degree. Although not scheduled.
As Ensor said, a role is a job: to do the job you need skills, and to acquire those skills you need to know something. I don’t presume for a second to say that my interests make me a suitable candidate for a job in threat research and analysis, but my work as a writer has given me a foundation of understanding and if I were to make a career change, the idea of working internally in a security company has crossed my mind.
a large church
There is no doubt that the cybersecurity industry is in the midst of a skills shortage, and tech education clearly plays a key role in addressing this, but there are also many potential roles and opportunities for people outside of the tech community, and the security industry is not doing enough to find people like me.
I think this is partly because the security industry doesn’t really know what it wants, and partly because it’s obsessed with technology and coding. And I think these flaws will undermine your efforts to solve the security skills crisis.
Cyber security is a society-wide issue and requires a society-wide workforce, so the profession must look beyond certifications and technology skills. The best security practitioner you’ll ever meet might be hiding in plain sight, but none of you know it yet.
Yes, your next security analyst could, in fact, be a ballet dancer.