Cyber security roles have a tendency to emphasise cyber-specific specialisms and technical skills to the exclusion of all else, and the sector could benefit from widening its scope to build pathways into cyber for a broader group of people, including anthropologists, political and international relations analysts, psychologists, and other social scientists. Discuss.
As a student of social anthropology in the early 2000s who fell into technology writing more by accident than design, I have longed thought the technology industry as a whole could use more artists, humanists and social scientists. I believe we bring a much needed sense of perspective to the often very dry and complex subject of technology, which at times risks leaving the people it is meant to help behind, or even damaging them.
More recently, as my career has taken me into the world of cyber security, I have become fascinated by the psychology behind how and why people act the way they do in a cyber context, and how and why threat actors operate as they do.
This belief was solidified after hearing a talk by the National Cyber Security Centre’s (NCSC’s) deputy director for cyber growth, Chris Ensor, at (ISC²)’s Secure London event on 7 April – the first in-person session held by the cyber certification association since the pandemic began.
In a wide-ranging keynote address, Ensor compared the cyber security profession with the medical profession, albeit they are at very different stages in their lifecycles. What did he mean by this?
Simply put, that the medical profession has defined roles, specialisms and pathways that have been established over the past two centuries, all the way back to the days of Florence Nightingale and Mary Seacole. But cyber security has been around in its established form for 10 or 15 years, 20 tops, and in that time has arguably become as important to the overall health of British society as the NHS.
Part of the issue, that the medical profession has successfully worked out, is that various jobs have various defined specialisms – a gynaecologist specialises in women’s reproductive health, an otolaryngologist the ear, nose and throat, a podiatrist the foot – but due to its comparative novelty, cyber lags on defining what is needed to be a security analyst, consultant or engineer, and different organisations will define these roles differently.
Can you imagine the chaos that would ensue if different NHS Trusts were free to define clinical roles differently?
Added to that, it’s hard to get commonality and agreement on what cyber security specialisms even are; the US National Initiative for Cybersecurity Education (Nice) defines more than 30 specialisms, but the NCSC, according to Ensor, defines just eight. These are risk management, security architecture, secure design, incident response, penetration testing, network monitoring, digital forensics and vulnerability management.
If the cyber community can both agree on these specialisms, and better understand them, we can then look at how to effectively unlock those talents in people. Which is, perhaps, where us social scientists come in. Reskilling and upskilling the existing workforce is a time-consuming and difficult process, but if we can draw out the aspects of existing, non-technical skills sets that speak to those specialisms in some way, we will surely find potential security practitioners lurking around the unlikeliest of corners.
Take my own experience. A bookish child who excelled at English and history, and hated maths and science, I happily ditched the STEM subjects after my GCSEs and was drawn to social anthropology because I enjoy people and knowing why people do what they do and think what they think.
In the course of my studies, some of the most enjoyable times I had were with a group of volunteers at my university who had come to the UK from Chile to study, exploring their experiences in Britain as they recreated their food culture with the resources available to them in the world foods aisle at Asda, and finding out how they understood themselves and their social group as expats in a foreign country through food.
If I consider the world of cyber security, I begin to see parallels of experience. In 2020, I wrote about the, at the time, emergent DarkSide ransomware operation, which made a name for itself when it “donated” some of the money it extorted to charity (it should go without saying but please don’t accept donations from ransomware gangs, folks). What, I asked myself, motivated the criminals behind DarkSide to do this? Good PR? I dug deeper, and started to learn more about how cyber criminal gangs conceptualise and understand themselves in the context of the underground communities they form.
Six months later, in the spring of 2021, my colleague Valery Reiß-Marchive, of Computer Weekly’s French sister title LeMagIT, shared with me leaked chat logs between the Conti ransomware gang and clothes retailer FatFace. I was struck by the degree of professionalism the cyber criminals displayed. It was clear to me Conti was running its operation like a technical support business and that its members saw themselves as legitimate penetration testers to some degree. Albeit unscheduled ones.
As Ensor put it, a role is a job: to do the job you need skills, and to gain those skills you need to know something. I don’t presume for a second to say my interests make me an appropriate candidate for a job in threat research and analysis, but my writing work has given me a baseline of understanding, and if I was to make a career change, the thought of going in-house at a security company has crossed my mind.
A broad church
There is no doubt the cyber security industry is in the midst of a skills shortage, and technological education clearly plays the keystone role in addressing this, but there are a great many potential roles and opportunities for people outside of the technology community as well, and the security industry is not doing enough to find people like me.
I think this is in part because the security industry does not actually know what it wants, and in part because it’s fixated on technology and coding. And I believe these failings will doom its efforts to solve the security skills crisis.
Cyber security is a whole-of-society problem, and it requires a whole-of-society workforce, so the profession must look beyond certifications and technology skills. The best security practitioner you will ever meet could be hiding in plain sight, but neither of you know it yet.
Yes, your next security analyst could, in fact, be a ballet dancer.