War Games: The Fight For Top Cyber Security Talent Goes Global

Dan Gunderman

As the cyber security skills gap widens, methods of recruiting have shifted. The shift is an attempt by both sovereign nations and private enterprises to raise cyber awareness and reduce the ever-growing number of vacancies in the field.

Estimates vary about the exact size of the skills gap, although computer security firm Symantec projects it could hover around 1.5 million jobs by 2019. A report from earlier this year compiled by Cybersecurity Ventures and Herjavec Group suggested that number could snowball to 3.5 million jobs come 2021.

So, just what is being done to address the issue? If anything, is it a stopgap measure or something that will solidify the “supply” of cyber security professionals in the coming years?

With a touch of innovation, the U.K. is having potential cyber security candidates navigate their way through the gaming world to garner recognition. Last week, the U.K. held its annual Cyber Security Challenge in London.

In it, budding cyber security professionals complete a war game to measure problem solving, presentation and business skills. Here’s the situation: gamers were pitted against a corrupt executive and a hacking syndicate called Scorpius, which have infiltrated the network of Fast Freight, Ltd. The company controls vessels and portside machinery.

Forty-two quick-thinking cyber security consultants – those participating in the event – were tasked with uncovering the breach and eliminating the problem, according to Bloomberg. Companies like BT Group, Airbus SE, Cisco Systems, Inc., and firms like Darktrace and Check Point Software sponsored this year’s evaluation. The Challenge also drew support from the U.K.’s National Crime Agency, the Bank of England and the law firm 4 Pump Court.

The Cyber Security Challenge U.K. is a nonprofit organized by the British government that receives support from corporations and universities. In it, like-minded white hats are tasked with both putting their skills to the test and presenting the findings in a professional manner. Those who score well online are invited to in-person, regional competitions. Those who succeed then attend a three-day masterclass and team competition.

Nigel Harrison, the co-founder and acting chief executive of the Challenge, said that about 70% of the finalists are hired into cyber security jobs within 12 months. The event began in 2010 amid growing concerns about heightened capabilities of nations like China and Russia. The U.K. version loosely follows events orchestrated by the U.S. Department of Energy’s National Laboratories and the U.S. Department of Homeland Security.

Last week’s gaming event took place at the Trinity House, which is the home to a government charity that, in part, oversees lighthouse maintenance. The destination lent itself to a shipping-type theme, especially after maritime titan A.P. Moller-Maersk was left financially damaged after a ransomware attack this year dubbed NotPetya.

In addition to solving the problem, contestants also had to brief the fictional shipping company’s board and present forensic evidence to trial lawyers.

The Big Picture

As outreach attempts grow more creative, the question is raised: What are the types of credentials that enterprise professionals seek when they’re hiring new talent? The issue is particularly crucial in a space that is largely devoid of the manpower it requires.

While some enterprises – both private and public – seek scholarly, certified candidates, others may seek a more practical, hands-on candidate who’s had experience hacking networks, testing for vulnerabilities, etc.

On the matter, IPsoft Chief Security Officer, John Alford, told CSHub that a top priority is “wisdom.”

“Security requires knowledge. Knowledge itself in the form of experience, education, certifications and mad skills are good but great InfoSec-ers have all of these, plus wisdom that blends technical expertise, insight, law, governance, persuasion and pragmatism,” he said.

“We often have to make split-second decisions impacting our little chunk of the world, and sometimes far beyond, based on incomplete information at 3:37 in the morning without pausing to Google, check with vendors, call developers or hold a scrum,” he added.

For Randall Frietzsche, chief information security and privacy officer at Denver Health, desired traits depend on the position.

He told CSHub, “(It) depends on the level and type of position. Entry-level expect to see little to no experience, so certifications/education would be primary. Upper-levels looking for mainly experience probably (seek) a BS degree or MS. In our industry, CISSP and CISA/CISM (are desirable). For highly technical roles, definitely experience and probably certifications…”

David Stender, chief security officer for M&T Bank, told CSHub that he searches for "a wide range of experience at all leadership levels first."

"That usually helps the cultural transition if you are moving to a new area or an even bigger job," Stender said. "Certs and education are great for understanding what base level of knowledge a person has, but it is hard to beat successful experience at all levels."

Supervisory Special Agent with the FBI, Nick Savage, also told CSHub, “All of us have been struggling with this question for a long time now. I think it varies. You want somebody with a certain pedigree, but at the same time…we set up these minimum standards we’re looking for.”

Savage called the hiring process a challenging one. “The struggle with most is that everyone is fighting for the same person. The private sector wants them, the government wants them. The thing is, where do you draw the line on certain behavior now? Have someone with mad skills? There’s a risk, because if something happens, all the red flags were there but ignored because you were looking for a skillset.”

“What is going to be acceptable behavior? What are you willing to tolerate as an organization?” Savage said. “It’s more about aptitude and ability. Everything is so diverse now. I think the day of hiring the jack of all trades is over. Things are so specialized.”

Savage said the emerging specializations – say in mobile security, cloud computing, etc. – create a more segmented type of landscape.

David Sheidlower, chief information security officer at Turner Construction Company, summed it up by saying, in part, “It’s all in the interview, isn’t it? As authors have been pointing out for centuries, common sense is anything but common.”