It is well accepted that the UK, and indeed the world, is short of cyber security skills. This shortage applies to everyone, ranging from the everyday understanding and practice of cyber security by the general public through to the more sophisticated degree of cyber security awareness necessary for policymakers and business leaders. I hope the pandemic has reminded us that society cannot function without experts, and also that we are short of them.
This was recognised early by the UK government, which included among the many initiatives it launched off the back of the 2011 National Cyber Security Strategy, funding for two Centres for Doctoral Training (CDTs) in cyber security, one of which we have been hosting at Royal Holloway, University of London, since 2013. So what are CDTs, and how do they help to train new cyber security experts for the UK?
CDTs are four-year PhD programmes. Our CDT funds an annual cohort of around ten new starters. Royal Holloway’s CDT has thus far recruited seven cohorts, two of which have now graduated. That’s 20 new experts, 50 on the way, and we currently have funds to train another 40 over the next four years. Each cohort engages in a year of multidisciplinary training before each researcher selects an individual project topic, which they pursue in depth for the remaining three years. Each researcher is also expected to undertake an internship with one of our CDT partner organisations. There are four defining keywords worth expanding on.
There are three significant benefits of the CDTs’ cohort-based approach. Firstly, a PhD can be a long and lonely journey if studied in isolation. Pursuing a PhD within a cohort can be much more nurturing, with lifelong friendships likely to emerge. Secondly, developing a distinctive training programme for a cohort is more effective, and scalable, than bespoke individual training. And thirdly, and perhaps most importantly, a cohort brings together individuals with diverse backgrounds and life experience. We firmly believe that cohorts establish collectives of researchers who are much more creative than the sum of their parts. As an example, one team of four CDT researchers won the inaugural Cyber 9/12 UK security policy competition in 2018.
Our CDT training programme is inherently multidisciplinary. This recognises that cyber security is not solely an issue of technology. It also requires an understanding of how individuals, groups and society more broadly engage with digital technology. Our CDT recruits not just computer scientists, engineers and mathematicians, but also sociologists, psychologists, economists and geographers. The training programme exposes them to the likes of firewalls and encryption, but also to securitisation theory, geopolitics, and human and social factors. They attend taught courses on Royal Holloway’s pioneering Information Security masters programme, but also undertake group exercises such as critiquing national cyber security strategies, designing campus cyber security awareness campaigns and conducting boardroom simulation exercises. We want every cyber security expert we train, regardless of specialism, to appreciate the bigger cyber security picture, and how their expertise contributes to this picture.
Of course, a PhD is ultimately about research. Our CDT’s official title is the Engineering and Physical Sciences Research Council’s CDT in Cyber Security for the Everyday. That “everyday” is multifaceted. Firstly, the research addresses challenges concerning the technologies deployed in digital systems that people use, sometimes inadvertently, daily. Researchers in the CDT have been investigating security of software, data protection in cloud environments, existing security technologies and those that will become mainstream in the future, such as post-quantum cryptography. However, the research also addresses the everyday societal experience and practice of security. Our researchers have been investigating cyber security in the workplace, the privacy and security implications of health and transport apps, maritime cyber security, and the establishment of national data embassies.
Finally, the CDT is all about partnerships. One goal of our CDT is to embed all our CDT researchers within the wider cyber security community. This begins during the first-year training, especially through a series of events that we call Cyber Security in the Wild. Each of these involves an engagement with cyber security practitioners to explore both what their day job looks like, but also their own professional journeys. We do this through field trips to different types of cyber security organisation, as well as by welcoming visitors to our own campus. Our CDT partners also act as hosts for internships.
These have taken students all around the world to experience different cyber security cultures, including Amazon Web Services, HP Labs, Cabinet Office and Nato’s Shape (supreme headquarters allied powers Europe). We are always seeking new CDT partners, so please do get in touch if you would like to consider becoming involved in our training programme or hosting CDT researchers on internships.
Our first CDT cohorts are now fully fledged. CDT graduates have found employment as cyber security experts in a range of established security technology companies, government roles and start-ups, while a couple of others have continued in academia. Providing all the cyber security skills for the UK’s future needs will require many different interventions, at different levels. By training tomorrow’s cyber security leaders, we are confident that the Royal Holloway CDT is playing a very important part of delivering this
Professor Keith Martin is director of the EPSRC Centre for Doctoral Training in Cyber Security for the Everyday at Royal Holloway, University of London.