From GCHQ to Google: the battle to outpace hackers in the cyber race
Ensor, who has worked for GCHQ for nearly three decades, is heading the secretive agency’s efforts to train young people. He has a broad Welsh accent, a shaved head with long silver sideburns and wears a gold chain around his neck. During his time at GCHQ he has developed secure email networks for the British government and Nato, as well as helping secure its internet use.
For him, the reason the industry is short of people is that it’s still in its infancy. “Cybersecurity is a new subject, a new profession. We’re where medicine was a few hundred years ago,” he says. He believes that getting professionals in government and business to work with educational institutions is the best way to bridge the gap. “No one place can do everything. Academia can’t fix it, industry can’t fix it, government can’t fix it. But working together we have a really good chance,” he says. Although he admits, “There’s not necessarily a quick fix for the kind of numbers we’re after.”
Not everyone agrees that formal education is up to the task, particularly given the pace of technological change and the speed at which curriculums can adapt. Mikko Hypponen, the chief research officer at cybersecurity and privacy company F-Secure, says, “The niches in cybersecurity are so specific that universities don’t have the expertise themselves to run programmes for them all, or it’s not justifiable. So many of the courses are generic or very broad.”
There are just three universities in the world that offer courses relevant to F-Secure’s work, according to Hypponen. That means the best option for the company is to train staff itself and pick up talent from less traditional routes.
One of the ways Hypponen, who has been hunting cyber attackers for 25 years, thinks companies can connect with international experts is through bug bounty programmes, which allow ethical hackers who find holes in companies’ computer systems to report them and earn a reward.
The idea is that the rewards of disclosing flaws responsibly outweigh those for selling them to criminals online or using them maliciously. “When skillful people find vulnerabilities in your system you want them to tell you, you don’t want them to tell someone else,” says Hypponen.
“Every company should be running bounty programmes. And I don’t mean software companies, I mean every company. Because today every company is a software company.” He cites the example of Volkswagen, whose emissions scandal last year was the result of faulty software in its diesel cars. Looking around the hotel lobby we’re in, he says: “This hotel is a software company, a big part of their orders are coming in from the web.” Then he points at me and says, “You’re a software company”.
Originally published at www.telegraph.co.uk on July 10, 2016.