Response to: Developing the UK cyber security profession

I filled out this consultation; it swallowed my response without asking for my name, address, or other details; and it provided no opportunity to go back after submission and copy out my responses; fortunately I had drafted pretty much everything in a flat text file…

https://www.gov.uk/government/consultations/developing-the-uk-cyber-security-profession

… I believe that the scope of the stated “understanding” is overblown and has been shaped by the interests of “industry” (both as customers & providers) rather than of practitioners.

Briefly, the word “cyber” is an oversimplification of several topics; security of:

  • datacentres
  • networks
  • systems & integration
  • platforms
  • applications
  • embedded systems
  • …all of the above matrixed with “software/implementation security”
  • data (control, storage, destruction)
  • privacy
  • compliance
  • availability
  • penetration testing
  • spam prevention
  • national security strategy

To name but 14 of many more; these are all distinct disciplines and some are wholly disjoint from others.

There is no “common technical framework”; the landscape is too broad.

There is no singular “front door to the profession” because there are so many houses and an entire street-full of distinct professions.

There are no “cyber security professionals”; instead we have people who chose that label for a business card but who are actually experienced in only some (often: small) subset of the above disciplines.

There should be no “routing” of people to “correct” specialisms, because such has brought us to the current situation of too many “ethical hackers” but not enough people qualified to write software that works and is secure.

The Government does a disservice (and confuses industry) by cataloguing and treating all of the above as “cyber”; the notion that a single “profession” will encompass them all is as misconceived as hiring a tree-surgeon on the presumption that she is qualified to farm 6000 acres of wheat, on the basis that both are somehow related to “vegetation”.

Information security certification and qualification must neither be necessary nor mandatory for employment, because “security” is a quality which (to be effective) should and must be delivered (or mitigated) by everyone — at every level — in the IT industry. The skills should be taught at all levels, and qualifications should remain laissez-faire.

The proper approach is to regulate the fitness to practice of certain different kinds of internet service, for instance as we have recently done with requiring minimum standards of data security via GDPR; at the moment these standards are reviewed in the breach. The government should consider whether other inspections would be appropriate.

The unaddressed challenge for Government is to reform its own understanding to reflect not only the (currently all-consuming) “James Bond” mythos of cyber, but also an Internet that is much more complex and shot through with challenges that are “sui generis”.

Why do you think it is or is not a good idea to have a commonly agreed and adopted code of ethics for cyber security professionals of all specialisms?

Because that is already a matter for compliance with regulation; similarly we do not have a code of ethics for driving a car.

Are there any other policy or professional development issues where you think the profession should lead on the development of an agreed position?

Per my comments above, there is no singular “profession” so it can have neither singular leadership nor singular voice; what we currently lack most pressingly is education in schools and universities, to increase the “pipeline” of capable people who may choose one or other career.

Why do you think that it is or is not viable for a new UK Cyber Security Council to become self-sustaining financially by the end of 2021?

Because, for the reasons outlined above, a UK Cyber Security Council would not address the actual requirements of industry; as an approach to solving the lack of information security capability for the UK, it would be a case of “too many chiefs” where money and focus could instead be distributed towards education and training opportunities.

Are there any other attributes you think would be key for a new UK Cyber Security Council to include?

A more constructive, less expensive, and more effective approach would involve the same actors focusing to work in partnership with education, to share skills and learning that will positively impact school and university curricula; creating yet another talking-shop and raising barriers to entry for the profession of secure IT, Software & Networking — by effectively ringfencing the security aspects of those professions — is absolutely contrary to the health of the country/industry.