By Helen Beckett [Published 28/07/2010]
Prospective security pros are being invited to take part in a cyber security challenge as part of a national effort to ramp up digital security. Recruiters who have lamented the lack of security awareness among the IT workforce are also encouraged to join the 23 ICT sponsors of the competition.
A virtual treasure hunt will entail participants looking for flaws on a dummy website and answering questions about what they discovered. A further challenge will task teams with defending a network against a series of attacks carried out by security professionals. The challenge will run on several dates between September and December and prizes include bursaries to universities.
Take the challenge
A key objective of the challenge is to increase the numbers of skilled computer security workers in the UK. "Defending all of our interests in cyberspace is a relatively small cadre of talented and highly skilled public sector and private sector cyber security professionals," said Baroness Neville-Jones, Minister of Security.
Kris McConkey, forensic adviser with management consultants PriceWaterhouseCoopers, stresses that penetration testing is the preserve of the hobbyist who may tread a fine line legally. However, the ‘commercialisation’ of hacking by criminal gangs means that there is a growing demand for the kind of independent thinker who wouldn’t normally be associated with corporate life.
Push the boundaries
“The best people for this sort of work have a strong sense of curiosity and like to push boundaries,” says McConkey. Unfortunately, such practitioners do not tend to teach, nor are these skills the type that can be learned in an academic environment.
Forensic cyber geniuses and penetration testers typically perform poorly in psychometric tests, confirms McConkey. Cyber challenges therefore remain one of the best ways of flushing out budding talent. QuoStar, managed solutions provider to small and medium businesses, confirms that it is also difficult to recruit IT staff who understand business risk, a core part of security.
“The technical piece is the easy part and it is relatively straightforward to identify a security solution,” said Robert Rutherford, managing director of the firm. Instead, he says, it is developing an awareness of risk management that takes time.
Stick to process
QuoStar describes two typical scenarios involving security lapses: the first is the small finance company that thinks it is doing the right thing in backing up data each day, but stores the disk off-site - often unencrypted in a car boot.
“Unless there’s a real driver, businesses and staff do not take the necessary steps to secure networks and equipment,” says Rutherford. Another scenario is the company that relies on an ADSL line, which has never gone down, and consequently fails to put a contingency plan in place. “Until that line fails, they will not feel or anticipate the pain to the business and therefore do not take preventative steps”, warns Rutherford.
There is a widespread failure to encrypt, both by businesses and IT professionals, says Rutherford. “It never fails to surprise me the number of businesses that do not encrypt laptops. It is not a difficult thing to do, but simply gets put on a back burner.”