By David Hartley
We are all familiar with the message that there is a skills shortage/crisis in the cyber security field. It is constantly perpetuated in the media, from our peers and from industry spokespersons. I've certainly felt it myself when meeting and interviewing many candidates looking for roles in this industry. It's really hard to find good people. At MWR we have been experimenting with innovative ways to attract the talent our industry needs to identify to be able to support our clients.
However, the point of this blog post is not to talk about those efforts. The simple point of this post is to share with you something very positive that I experienced that changed my bleak outlook on the whole situation.
I've been in this industry for a while. I don't have an academic background and didn't go to university. I've interviewed many candidates looking for a start in this industry over the years. Like a lot of others, I have become somewhat jaded with the quality of applicants that exit the numerous 'cyber security' education tracks on offer today. I'm not naming individual institutions. I also have no interest in blaming the education system and moaning like an old fart about how back in my day, yada yada yada.
Unfortunately, I've actually allowed myself to become quite pessimistic about the future of the industry and come to believe that we are going to be facing a worsening talent shortage for many years. So when an opportunity presented itself to speak to some young people about a career in cyber security, I seized it.
I volunteered to speak to some year 6 children (10/11 year old kids) at my daughter’s school as part of their "Dare To Dream" week. The school welcomed many parents and visitors to speak to the children about their careers. Many interesting and exciting occupations were represented; police and fire service, musicians, engineers from different fields, a vet, carpenter, health workers, and a local professional footballer etc. The list goes on and on. I was representing cyber security and billed as an "Ethical Hacker". This was my choice, and I thought this sounded a little more interesting to the potential audience than the usual "Cyber Security Consultant" billing. With such a list of impressive professions being represented I had to do something to stand out!
I prepared a slide show and had my own 5 year old daughter perform a QA. That was interesting! On the day I spoke to two different classes of boys and girls in two 40 minute sessions. I was blown away by them. Truly I was impressed. Smart cookies and one or two real smart alecs too - which I must admit I found brilliant. Certainly put me in my place a couple of times. Inside I was roaring with laughter at some of their quips.
The sessions were quite interactive, not too much by my design - but a welcomed interjection by their teachers. They discussed and debated the profession as well as the pros and cons of complex interconnected systems. They sat in groups and discussed the “Internet of Things” - the interconnected modern world from smart devices to smart trains etc. They talked about how useful it all was, but also pretty accurately talked about the possible attacks from hackers and the things you'd have to ‘protect’. They got it more than some engineers I have had meetings with who are building such things!
I asked if they had any experience coding - all of them did. They have started playing at school, “scratch” and the like. That’s cool, but what was cooler was in each class some of them were also doing this for fun at home. Some had parents teaching them and some were just self-learning. Scratch was not what they used outside of school - they were building websites, playing with Python and some looking at developing apps on mobile platforms too. Pretty impressive for kids that are 10 years old!
Every one of the questions they asked was a good one, without exception - including a girl who challenged me on why there aren’t many girls in the industry. I did feel like she looked at me like it was personally my decision and that I should be ashamed. I probably read too much into that, however it felt poignant.
I talked with them about the skills needed - such as creative thinking and problem solving and we went through some puzzles - one girl got one straight away without blinking (I've seen many adults, even those in this industry struggle for a while with the same puzzle). We discussed multiple ways to ‘solve’ various problems - and they gave me many 'out of the box' approaches. I was also impressed when talking about cheating systems, e.g. if anyone could think how you could get a max score in a video game. Another switched on kid suggested intercepting and changing values of variables as they are posted to a back end system.
The experience really left me feeling positive about the next generation of cyber security professionals - at least the potential that is likely to be out there. But then I started to wonder, what sort of impact did I have on them? Would they actually be interested in this field or the industry? Or were the long list of other professions being represented going to be far more appealing to these young and bright minds.
Around a week later I received several letters from the kids I'd spoken too. I've lifted some quotes from the letters below. See what you think.
"Thank you for coming to speak to my class about your amazing job as an ethical hacker. You really inspired me to take it up as a career.""I'd love to become a hacker because you get to learn how they (computers) work. You can then make them stronger to stop people hacking into them.""It would be amazing to see how they created whatever you are hacking during the process.""I only thought you were allowed to strengthen security, rather than try to break it. That made it seem better than I thought it was!""I'm good at programming, and can program my own games. You inspired me to become an ethical hacker."
Now I also admit that some of my messaging may have been too emphasized on some of the more glorious parts of the field that I personally operate in, but I promise I did speak a lot about being 'ethical'. More quotes are below.
"It sounded amazing because you are allowed to lie, cheat and steal without getting into trouble, even though that is not legal!""I never knew that you got to pretend to be someone else, to steal, as part of your job! Very cool.""Sneaking into buildings sounds very interesting!"
Although some did pay attention to the emphasis I placed on the ethical part and of course the legality of our profession.
"I'm extremely grateful to you for helping me to think about the good and bad side of hacking. You taught me it is important to stay out of trouble with the police if you want a job in ethical hacking.""Hacking through security with permission sounds exciting!""You taught me it's important to be ethical if you want to have an amazing career in hacking.""You have inspired me in many different ways, for instance doing bad things for good."
I really do think the essence of this profession resonated though.
"You taught me that it's important to always be resilient, perseverant and determined. Some things may take you a while to achieve.""I'm really grateful to you for helping me to think about how things work.""You have made me think of things in a different way. I'm making my own method to solving a 'rubiks' cube.""I am really grateful to you for helping me to think about my future job."
While the letters written were quite obviously done so as part of a class activity and a templated structure was suggested, the children had actually recorded their own thoughts and feelings about the profession. As well as explored the ideas we discussed further. When looking to describe what they thought about the field, they used the following words.
Magnificent, amazing, interesting, awesome, technical, terrific, inspirational, fun, exciting, fantastic, shady and sneaky.
The letters I received were from girls and boys. Why I feel the need to highlight that says a lot about the industry to me. But I digress and don't want to detract from my motivation for writing this. The kids I met and spoke with are obviously a credit to the school they attend, their teachers and parents - however I refuse to believe that there aren't millions of kids at thousands of schools across the country that aren't as bright, engaged or as enthusiastic about this profession as the ones I met with.
My faith in the next generation is restored. As long as they are nurtured and supported as they progress - the kid’s just might be alright!
In our opening article we discuss how we see the problem space and what some of the challenges are so given all of that, what are we looking to achieve with this website.
As we said previously we don’t claim to know all the solutions but we are certainly trying things that will enable us to find them. Along the way we’ll learn lots of lessons, we’ll no doubt have a few false starts but we’ll also get some stuff right. It’s that journey that we’re going to share on this site, including all the initiatives and events that we’re planning to run to support it all.
We don’t know yet exactly what will be on this site but the one thing we’re certain of is that it will be thought provoking, philosophical, challenging and most importantly it will be fun and engaging. We’ll get techie at times, something we make no apology for, as well as extracting the concepts and key points that we encounter along the way.
We also want your help on our journey. We want you to tell us your thoughts and experiences of what we’re doing and hopefully some stories about how you’ve taken our ideas and turned them into your own projects, events and general awesomeness. We want to know the good, the bad and the ugly and to get involved please get in contact via Twitter and then keep coming back to this hub for more insight and information.
So hold on tight, this will be a wild ride for all of us.