Finding tomorrow's security elite

Behind the scenes: the security experts of the future

Cyber Security Challenge

It's cold. And we're standing outside an unassuming but high-security facility in Farnborough.

In the reception a camera swings round ominously to take our picture for a security pass that makes us look like a ghost.

This building belongs to aerospace, defence and security firm QinetiQ. But we're here to see ordinary people at work.

We move through an airy atrium towards a conference centre wing belonging to Boeing, called The Portal. This is where the Cyber Security Challenge is taking place.

The portal

BIG SCREEN: Boeing's Portal unit at QinetiQ's facility

The Cyber Security Challenge is a series of online games and competitions designed to test the security skills and brainpower of everyday people.

But why does the Challenge exist in the first place? "The UK has a skills shortage in cyber security," explains Judy Baker, the co-director of the Cyber Security Challenge. "And employers are telling us they're going to have more jobs [available] in that space."

"[The number of] people going into cyber security, they've halved. So if we're going to get the right level of talent… we need to tell people what these jobs are and excite and inspire them."

Anyone can apply, and last weekend saw the teams get together to take part in the QinetiQ Network Defence Competition. During this, four semi-final teams went up against QinetiQ's own cyber security professionals and secured test networks against a series of 'real life' live challenges posed by the company's team of penetration testers, network and security specialists.

This competition was the second of three rounds – the final competition takes place next weekend at Sophos' Labs in Abingdon. 25 competitors will go head to head there.

Hidden challenge

The organisers had 4,000 registrations for the competition, which opened last July with an online cipher task. This task cleverly involved a 'hidden' second phase to catch out those who didn't question their results enough. The first phase revealed a bitmap of a cartoon, but a closer look revealed a hidden binary code in the cartoon's border.

"One of the most essential skills is not to accept something at face value," says Jay Abbott, director of UK Threat & Vulnerability Management Practice at PWC. "You either question, or you don't question. Those that question found the second challenge."

"People range from a self-taught 16-year-old kid at school to a 27-year-old unemployed web designer from Birmingham. They're just people that have applied logical thinking to a problem which has taxed their brains."

The entrants were overwhelmingly male but Judy Baker said she couldn't answer why that was. Of the 4,000 entrants only 282 were already employed in the industry. 2,402 were employed elsewhere, with 1,282 students and 603 unemployed.

"A lot of people wanted to test their skills, while others just wanted to have fun, but that's good for us. [Many are] very interested in introductions to employers. There are a lot of people out there with talent but they're not necessarily meeting the employers [they] need. We're helping to tell people about the jobs and help them get on that first rung of the ladder."

The Cyber Security Challenge has received Government funding – all in all, the Government has pledged some £650m to heighten the UK's resilience against cybercrime.

Bringing out latent talent

"We've been mindful that the threat environment is starting to lift off," adds Alisdair Rogers, MD of QinetiQ's Security Business in the UK. "We all recognise that the more formal method of getting people into this space [into cyber security employment] just isn't meeting demand. You'll see an awful lot of what we're doing is mentoring… bringing out latent capability."

"We've got some extremely good people who understand technology, but they struggle to explain it to business people. [This is for people] moving up from the gaming environment to solving problems and meeting deadlines on a business level."

Rogers also talked about the need for people to come to security facilities and carry out face-to-face work as well as performing tasks remotely. "One of the reasons why we have to have this dynamic competition is that we need to [have people] that can interact socially, it's [not just] about the technology."

Although Sophos is involved and there is plenty of support from various other organisations, other big security names are conspicuous by their absence.

"What has disappointed me is how many security vendors have [got involved]. I'd have thought security companies would have been rushing to break the door down?" questioned Challenge founding director Stuart Room.


TEAM GLITCH: Winners of last weekend's competition

"When I look at this I'm surprised by some of the absences. We need more of the cyber security providers here. They should be delivering money [into this] so they can [benefit]. 12 months from now I can see all the major security vendors wanting to be a part of this."

The current sponsors are the "enlightened few", says Room. "They know for sure that we are facing really difficult challenges in this environment. The UK needs to beef up its resilience and we also know that to [do that] we've got to upskill the economy massively.

"I'm a 42-year-old bloke and I'm one of the youngest people in the cyber environment. We're not educating… and that means really hard work is required getting into the schools, colleges and universities. It's about someone getting the kids interested in cyber security professions."

Last weekend's leg of the challenge was won by Team Glitch, a team of upper-sixth school pupils featuring Stuart Rennie, Lucy Robson and Yung-Yu Lau, which won Saturday's category for small networks. Team PEBKAC, a group of postgraduates featuring Richard Hodgson, Alistair Senior and Tony Shannon, won the medium networks category on Sunday.

Both teams will receive a prize pack of further training including potential internships with security vendor Sophos.
