When it comes to cyber security, the UK faces a drought of professional talent.
That’s great news for experienced IT managers and technicians, whose skills are in heavy – growing – demand. Pressing commercial and geopolitical realities mean something must be done to prepare the next generation of experts, however.
Step forward Qufaro: the team behind the National College of Cybersecurity, set to open its doors at Bletchley Park in 2020.
We spoke to Budgie Dhanda, Head of Qufaro – the team behind the college – to find out about more about the project, their Extended Project Qualification, and why interpersonal skills are essential in even the most technical roles.
identifi global: How did Qufaro come to exist?
Budgie Dhanda, Qufaro: One of Qufaro’s founding directors runs an organisation called Bletchley Park Capital Partners. They own a couple of the buildings on the Bletchley Park site here, including a Science and Innovation Centre. He got together with people like Stephanie Daman (former CEO of the Cyber Security Challenge, who sadly passed away last summer). They thought it would be great to do something worthwhile with the buildings – something both vocational and educational at the same time – and so they came up with the idea of Qufaro.
IG: And what about the name, Qufaro?
Budgie: A great guy named Tony Sale, who was the guy that rebuilt Colossus – the first-generation computer – was trying to set up a company of his own and every time he went to Companies House to set up a business, the name was already taken. He used Colossus to come up with a code name for him, and that was Qufaro.
Unfortunately, Tony then passed away; but when looking through his books, Margaret – one of the directors of Qufaro – found the paperwork and thought, ‘Why don’t we call this Qufaro?’
IG: When did you join the project?
Budgie: I got involved probably about eighteen months ago when Stephanie asked me if I could give them support. Qufaro originally asked if I could do a little bit of stakeholder engagement, helping them navigate their way through various government departments; the DfE, the DCMS, the Cabinet Office and the agencies that are involved in this space.
That’s where I got involved originally and then, after poor Stephanie passed away, the organisation needed to do things on a more formal footing and asked me to become the CEO last October.
IG: What’s the project seeking to achieve?
Budgie: The idea was to do something educational and bring more people into the cyber-security community. There are three real pillars for what we’re trying to do at Bletchley Park.
There’s the establishment of a National College of Cyber Security. There’s reusing the facilities to run summer schools and online qualifications and continued professional development for teachers teaching cyber and computer science. Finally, we’ll set up an investment fund to invest in cyber security companies, startups and scale-ups.
These projects will all happen in due course. The college is the flagship and the one which has captured most imaginations, though. The original idea was to launch in September 2018, but because of the General Election and then subsequent changes in DfE, we’re still waiting on a decision from them on when the next wave of free schools are going to launch. We’ve had to delay opening until September 2020.
In the meantime, we’ve continued to launch our virtual qualifications. This includes our EPQ – Extended Project Qualification – which is the equivalent of half an A level, which we ran as a 60-student pilot a couple of years ago. It worked very well; we got a lot of good feedback on that and we’ve run it again this year with a larger set of 160 students.
This was done as a free pilot. This year we’re charging students, but will repay them thanks to Deloitte, which have kindly sponsored the programme – enabling all the students that complete it to have their fees refunded at the end of the process.
“Our syllabus has to be about wider skills as well.”
Part of the challenge for us as a college is that we teach technical skills like maths, physics and computer science. We also teach the Cyber EPQ in the first year and we’re developing what’s called a Level 4 qualification for the second year of the college, which will offer foundation to degree-level learning. We’re also introducing other disciplines. We’re going to have lawyers coming in to talk about the legal aspects of cyber security, and HR people and entrepreneurs. Our syllabus has to be about wider skills as well.
IG: What’s the next step for the EPQ?
Budgie: We’ve got plans to grow it quite significantly next year. This year has been about proving ourselves and building the qualifications to attract people into the industry. Interestingly, we thought the program would be aimed at school children and sixth form students. We found that around a third of the people taking it are independent learners – those looking for a career change, or with an interest in cyber security. That’s been an interesting development for us.
IG: On this subject of independent learning: why do you think the UK is in a position where there’s such a shortfall of skilled professionals in the IT industry?
Budgie: The shortfall is global, and is behind the two reasons I got involved in Qufaro. One is personal, the other professional.
The personal reason was that my middle son has got a real interest in cyber security, and there was no career path for him, which got me interested in setting up the college.
The professional reason was that I’ve worked for some of the largest companies in this space – at Raytheon, QinetiQ and IBM – and, particularly during my more cyber-focused later years, it was obvious that we couldn’t meet the demand of our customers. There just weren’t enough professionals for us – not just in the UK, but internationally as well. We had international programmes where people were coming to us saying, “We haven’t got enough people. Can you supply some?” and we didn’t have any either.
Why aren’t there enough people? I think partly it’s down to the same reason there aren’t enough people doing STEM topics, and engineering in general. It isn’t perceived as sexy enough in some spaces or is more difficult to get into. These subjects tend to be more difficult than others. They carry the same UCAS points when you’re applying for university, but mathematics and the like are seen as much more difficult subjects. The lack of girls going through those subjects is a particular concern – although that’s not unique to cyber security, but one that affects STEM and engineering more widely.
IG: What has caused today’s focus on cyber security training?
Budgie: I suspect it’s probably over the last three, four, five years in which people have become more aware of the risks of cyber security. There have been more attacks going on, so it’s in the public domain.
The PlayStation hack in 2007 was when it really hit home in my family. My middle son was distraught when he lost his PlayStation account and couldn’t play online with his mates.
In the industry – in government circles in particular – people have always been aware of cyber security. People took information insurance – the old term – very seriously, especially if you were working in any sort of major government department.
My background is in MOD, where systems were harder and people were more aware. Then cyber security entered the public domain; the banks started becoming aware and that’s really driven the uptake of cyber professionals into the industry. Demand has followed as more companies become aware of the risks and the fact that they’ve got to do something about it.
More legislation, including data protection and GDPR, means there are now compliance issues for an awful lot of companies, which means they’ve got to take things more seriously because the fines can be substantial. With GDPR, that means up to 4% of global turnover for a company. This means that, while some professionals have been there for a long time, the demand is now to bring in new products, services and ways of thinking. Now people are coming in with things like artificial intelligence solutions to try and manage and fight the threat. This requires new skills.
IG: What are the consequences for cyber security professionals?
Budgie: The demand for cyber security skills has grown so quickly that we haven’t been able to keep up with demand, and the only people we’ve got are the people that were already there – professionals who have had to change tack and develop their skills as they go along.
“Intelligent organisations now recognise that people are probably already inside their network.”
The people that were around in the old days – like CLAS consultants focussed on assessment – have gone and people are now looking more at business risk as opposed to just locking down systems and trying to keep people outside. There’s been a paradigm shift in how people approach cyber security. Previously, the idea was to put barriers in the way to keep people out. Intelligent organisations now recognise that people are probably already inside their network. How do you detect them? How do you limit what they can do there? How do you fight them? This type of thinking requires new skills, new products, new services.
The former workforce still has relevance but they’ve had to change what they’re doing. While there is more demand today, it takes time to build people up to work in the industry. At the same time, there’s always been the challenge of trying to get people into STEM subjects. There’s always been a shortage of engineers, so now in that small pool, cyber is fighting for the same talent as all the other companies that were fighting for software engineers, electronic engineers and the rest. It’s not surprising that there’s a shortfall.
IG: What excites you about the cyber security industry, and what are the challenges facing IT professionals?
Budgie: I like variety and there is constant change in this industry. New ideas; new ways of tackling the problems. I think it’s exciting for anybody that’s going into the industry, because not only is there lots of variety, but it’s actually a long-term career. The threat’s not going to go away. The requirement for cyber security professionals is going to be here for the next twenty or thirty years.
The challenge is still that people are overstretched. There are just not enough people to do the work and it was constantly frustrating in the corporate world. I found that in bidding for work, the problem was not winning work. It was finding people to actually deliver the work. I talk to a lot of companies that are trying to build their cyber businesses, and they face the same issue.
Actually, what is good is that a lot of companies are now starting to build their own eco-systems. They’re working with other suppliers, particularly SMEs. The industry is dominated by SMEs at the moment, so they’re all starting to work together. They’re collaborating together to fill gaps that other companies have and that’s an exciting place to be at the moment.
IG: With technology moving so quickly, what do you learn today to ensure your career is ready for problems that might arise in ten years?
Budgie: I think the educational sector has changed a little bit on this front. If you look at many of the top schools now, they don’t teach subjects anymore, if you’re very clever. Instead, they teach students how to learn. Those that are going to be successful in this industry have to learn how to learn.
Millennials are seeing constant change and churn in technology, and they’re constantly adapting – so I think part of that will always be there now. It’s beneficial to have a steady plan for what you’re going to do next, but actually the world doesn’t work like that. There are less and less people like that now.
IG: So your message for Gen X-ers and baby boomers is to learn how to learn?
Budgie: Cyber security is going to need more people that are constantly evolving and, actually, if you look at millennials these days, that’s the way the world is.
There aren’t that many people that spend 30 years in one company doing one job. Even if they’re in a single company for 30 years, they will move around. Instead, what you tend to find now is people move from company to company to company picking up new skills as they go along. I think this is a generational change. People are becoming more aware that they’ve got to adapt constantly as they go.
I remember in Tony Blair’s early days, he developed the idea that we should be a knowledge economy. We can’t compete with low-cost economies dependent on a very cheap labour force doing manual work. Instead, as a country we’ve got to be focused more on value-building, knowledge-centric services and products. That’s the only way we can survive in our current world.
IG: Which age group are you taking into the cyber security college, and which skills are you looking for from candidates?
Budgie: As a sixth form college, students will be aged sixteen to nineteen years. What we’re looking for is people that are going to have an interest in cyber security, but they don’t necessarily have to have been trained in it.
There will be minimum GCSE grades to set the bar, but what we’ll be looking for is people that are self starters and good at problem-solving, with a keen mind. We’ll have online games, for example, to test people’s aptitude for problem-solving. We’re not necessarily looking for coders or hackers. If you’ve got the aptitude, we’ll provide you with the skills to actually become a cyber security professional.
“There are plenty of opportunities to develop interest in this space.”
Really, it’s about interest. There are plenty of opportunities to develop interest in this space. There is the new DCMS programme, which is provided by SANS and BT, which will roll out cyber skills across secondary schools. There are things like Codecademy. My own son became interested in this and started looking for free resources online – which provides insight as to how the cyber security profession is developing, the skills you need to have, different career paths, pen testing and the like.
There are many different ways into cyber security. It’s not just about somebody sitting with a hoodie in front of a laptop. You could be a security architect, auditor, pen tester, architect. There are an awful lot of different disciplines within cyber security and then there are an awful lot of disciplines which touch on cyber security, or cyber security touches them.
For example, law. You have to understand the legal aspects of cyber security. You also have to understand the HR aspect. If you’re an HR professional, what happens if someone is constantly exposing a business to phishing attacks? What policies do you have around what you can and what you can’t do as a pen tester? The issues extend to the supply chain. In procurement, how do you address cyber risks through your supply chain in a large organisation or government department?
IG: You said you were surprised at the number of independent learners enrolled onto the EPQ (Extended Project Qualification) programme. Did anything else surprise you about your first graduate intake?
Budgie: Surprised? Possibly not. I met a few of them when they came down to Bletchley Park for their graduation ceremony and more than anything else, it was exciting just how passionate they were and actually just how bright they were, how well they understood the subject and how keen they were to progress into a career in cyber security.
I think we’ve found a very valuable niche where people are looking for a qualification but weren’t given that kickstart into a cyber security career. The fact that that actually fits with the learning pathways for the IISP (Institute of Information Security Professionals) works well.
IG: Setting a culture that makes cyber security a priority and communicating this across a business is a challenge. What skills do IT professionals need to make this happen?
Budgie: In the past we’ve had cyber professionals who love doing cyber work, but they tend to be very technical and speak very technically. Most suppliers talk to providers at a very technical level. They might engage with a CISO, who might be on a board, but they more often talk to IT security managers or IT managers. The challenge – particularly for those at the top, like the CISOs – is to talk the language of business, because CEOs don’t usually understand technical jargon.
What they understand is reputation. They’ll understand impact on bottom line, impact on share price, but if you go in talking about details of cyber security, it doesn’t mean anything to them. We need to have people that understand more about the impact of cyber security threats to businesses more widely.
You must understand cyber security in context to be a successful professional. Yes, there will be people doing the deep-dive technical skills. That’s great. We need them, but they’ve got to understand the business context within which they’re working in order to make themselves relevant. What we can’t have is cyber security as a stovepipe inside any particular business, because it touches across everything, and if the other departments don’t understand the cyber risks then they can’t address them. In turn, cyber professionals won’t get the budgets they need to protect those companies in the first place.
IG: Should all IT professionals be concerned about this?
Budgie: The challenge is greatest for graduates. Unemployment rates for computer science graduates are at about 8%. On the one hand, you have a lot of organisations saying they need cyber professionals. On the other, you’ve got computer scientists that are coming out of university and not finding a job. Why is that? It goes back to soft skills. It’s not just about being very good at your subject, which is important; you’ve got to be able to work in context. You’ve got to have presentation skills, business skills, financial skills. You need to be a rounded personality.
That’s what people are looking for, so I think wrapping cyber security with other disciplines is quite important. If you look at the universities that are teaching cyber security well, more and more of them are starting to take a multidisciplinary approach to this. They’re looking at psychology and economics, as well as the pure technical skills.
It’s often been said that the biggest gap in cyber security is the person in the middle – whether through negligence or intentional breaches, and understanding the human dimension of cyber security is very, very important.
