Working in cyber security comes with great responsibility. The same skills that lead someone to be an excellent threat analyst or penetration tester also enable them to be an excellent hacker; there is little separating security professionals from criminals apart from morals, and expertise can be used for nefarious purposes. This is why, explains Simon Hepburn, CEO of the UK Cyber Security Council, the industry needs oversight.
“When you train people in ethical hacking and penetration testing, there is a firm focus on protecting, but [this knowledge] could [be used for] the opposite,” he says. “We really want to build in and maintain public confidence in the industry.”
The council, which launched last year, was born out of the UK government’s National Cyber Security Strategy 2016 to 2021. This concluded that the industry needed a new independent body that could set professional standards and bring together different specialisms.
Cyber security companies join as members on a voluntary basis. The organisation’s core aims are to bolster professional development and training through establishing qualifications and curriculums, improve the industry’s diversity and inclusion, and regulate cyber firms through a new code of ethics and “chartered status” – an official mark of approval.
Research suggests there is a need for such an overarching body. Less than a quarter of UK cyber roles are filled by women, while there is a significant skills gap – recent reports from the Department for Digital, Culture, Media and Sport found that there is an annual shortfall of 10,000 people in the sector, while half of all businesses say they lack basic cyber skills.
Hepburn, who has a background in social mobility, education policy and career development rather than cyber, admits he is in no way a “technical expert” but was drawn to the organisation due to its onus on “making a difference” through helping to create a more “open and inclusive” profession.
The council is the first all-encompassing cyber industry body and is still in its infancy. A key challenge for Hepburn will be joining up the various organisations, resources and regulations that already exist. Cyber professionals are currently expected to abide by the Security of Network and Information Systems (NIS) Regulations 2018 and GDPR, while a certification called Crest exists for penetration testers specifically (those who are trained to simulate cyber attacks). Additionally, the Cyber Body of Knowledge (CyBok) is an online archive of learning materials, providing a basis for an official cyber curriculum.
Hepburn says that he “doesn’t want to reinvent the wheel” and is borrowing from these resources to develop qualifications and standards. He has also been inspired by more established industries, such as medicine and law, to create a code of ethics and a professional “chartership”, which would require cyber businesses working on critical national infrastructure or big government projects to be accredited. These measures will help to ensure individuals are “held to account”, he says, with the risk of being struck off the chartered list if not.
Hepburn believes the new official body will help to instil public confidence in the industry, but some worry that the creation of the UK Cyber Security Council causes yet more confusion in an already fragmented technology sector, and risks creating a silo between system design and system security.
“My concern is that separating ‘cyber security’ as a discipline from computer science or ‘computing’ is not going to end well,” says Ian Batten, a lecturer in computer security at the University of Birmingham. “It implies that we are OK with continuing to make insecure systems, then adding the security afterwards.” He likens it to “adding seatbelts to an old car” and says that the existing chartered institute for IT – the British Computer Society (BCS) – would be “far more appropriate” as an overarching regulator.
Hepburn, however, believes that cyber needs to find its own voice. “We’re such a new profession – we don’t want to get lost in computer science or IT because cyber security is not just that,” he says.
“One of the myths of the sector is that you have to be a programmer, and it’s all to do with computers and technology,” says Hepburn. “This is one of the reasons a lot of people don’t join. But the ‘ologies’ – criminology, psychology, anthropology, sociology – are all really helpful skills to have.”
This confusion carries through to higher education, he says, with university students often studying incongruent courses for the jobs they want to do. “Someone will do a course in security architecture when they want to do penetration testing,” says Hepburn. “We need to accelerate awareness of the profession.” The council has recently employed an outreach and diversity programme manager to help do this and is working on networking events with schools and businesses, where students can learn about different roles and even secure entry-level positions.
The need for sector regulation has never been greater. New rules are coming into force in the EU (the Digital Operational Resilience Act), which place more liability on cyber companies that provide security solutions to financial services firms (such as banks), should a breach happen. This is of particular importance to global cyber companies, and regulation is likely to follow suit in the UK and for other critical sectors.
The council’s accreditation systems are currently a work in progress, and in the meantime Hepburn’s main priority is in public awareness and promoting the work of partners such as the National Cyber Security Centre (NCSC) to highlight the ever-evolving threat of cybercrime and encourage the public to secure their systems.
“Cyber attacks don’t have any geographic boundaries,” he says. “They’re not biased to race, religion or class – criminals will attack absolutely anybody and organisations of any size.” But “this is not about scaring everybody”, he adds; it’s about consolidating “the basic things we can all do to protect ourselves”.