On 16 November 2022 I participated an online Cyber Security Education and Employability Forum, which was hosted by CISSE, the UK chapter of the Colloquium for Information Systems Security, and facilitated in collaboration with colleagues from the University of Roehampton School of Arts and Digital Industries and the OU School of Computing and Communications.
The forum was described as “an opportunity to share your knowledge and experience with the cyber education community, and to informally network with colleagues in other institutions who are involved with cyber security learning, teaching and employability.”
Since the event was not recorded, this blog aims to present a summary of what was discussed within the event. It is broadly intended for the 40 delegates who attended the session, but it might be of interest to anyone who may have an interest in cyber security. In some ways, this event follows on from an earlier CISSE Cyber Security Education Workshop that took place in 2021. This blog can also be viewed alongside other OU cyber security blogs.
The event began with an introduction by Charles Clarke, from the University of Roehampton.
The first session was presented by Alex Collins, who presents a tool called Cyber Springboard. Clicking on this link takes you to a page which clearly summarises the aim of Cyber Springboard, which is to help students to “build and evidence the skills to get a job in cyber security”. The site also presents “activities and ideas for you to get curious about to build fluency in cyber skills”.
Alex told us that he sits on certification panels, and his work on Cyber Springboard comes from 20 years of working in industry.
Alex made some important points that were reflected throughout the session. He emphasised that cyber is more than pen testing (penetration testing), more than forensics, and more than risk management; a career in ‘cyber’ is more than one of those things. An interesting reflection is that each of these areas have different stereotypes, in terms of the type of work that is performed within each area. The point is clear: cyber is broad. There are 21 Knowledge areas within the cyber security body of knowledge, the CyBOK; it’s a broad area.
Cyber Springboard enables users to find what they like and don’t like. I made a note that there are 301 cards and activities which are connected to the CyBok knowledge areas. When registered, users can tick off cards. Each card contributes to a shape of a cyber knowledge profile, which can be shared on a personal profile or a CV. The next steps are to consider courses and pathways, developing improvements to the structure of Cyber Springboard, and increasing Cybok coverage.
Alex was asked an interesting question about how it is possible to move to cyber security. The question was answered in terms of building practical skills, finding time to learn what you enjoy, and evidence what you have achieved. An important point was: demonstrate enthusiasm. Also, consider providing a Github link on your CV. Sharing something will give you something to talk about in an interview.
Routes into cyber education: discussion and sharing
Next up was an informal session by Phil Hackett and myself, facilitated by Charles Clarke. The aim of the session was to discuss routes into cyber security teaching through a discussion, and sharing of resources.
One of the themes to emerge from this session was the notion of transitions. Phil began as an OU student, and then became a computing teacher at a secondary school. From there, he had ‘crossed the floor’ to work within the university, where he is involved with modules such as M269 Algorithms, data structures and computability.
My own story is a bit different. I moved from the university sector (where I carried out some research which was about the practice of computer programming), to industry, and back again. One thing that Phil and I have in common is that we’re both tutors; he teaches on M269, and I tutor on a Java module that has the title M250 Object-oriented Java Programming. Another commonality is that we have both had to deal with different types of cyber security incident. These incidents connect to the importance of having knowledge of controls and technical knowledge.
One thing that is common to transitions is the importance of evidence, and having a story; points which relate nicely to Alex’s presentation about Cyber Springboard. In terms of moving from industry to academia, one thing that we didn’t have time to share was a short Badged Open Course, which helps potential applicants understand more about the role of an OU tutor: Being an OU tutor in STEM. Anyone completing this course will be providing evidence that they understand what it means to be a distance learning tutor.
Another point that I think I made was about the important contributions industrial professionals can make to teaching. Importantly, and significantly, their industrial experience can help to make module materials come alive.
I made a note of two questions that were asked. The first question was about how to gain access to internships. Some thoughts were: make sure you have a good LinkedIn profile, know what you’re interested in, and don’t be afraid to be cheeky. What I mean by this is: don’t be afraid to get in touch with people and companies.
The second question was an interesting and challenging question: is it really necessary to have strong publication record if you want to be in academia? There are different roles within academia, and different institutions have different requirements. The short answer is: no, it isn’t really necessary, but you may have to choose where to apply to, and what you wish to do. Just like with cyber jobs, evidencing experience is really important. I’ll conclude by saying that becoming an OU tutor is a really great way to evidence your cyber teaching skills, and is a great way to join academia.
The penultimate session was by Patrick from CyberFirst which is a part of the UK Government National Cyber Security Centre.
CyberFirst aims to “identify and nurture a diverse range of talented young people into a cyber security career”. As well as providing activities to “inspire and encourage students from all backgrounds to consider a career in cyber security”. CyberFirst also offers bursaries to undergraduates and degree apprenticeship students. (As an aside, the OU also offers cyber security analyst digital technology solutions degree apprenticeships for employers who want to support the development of their workforce).
For those working within the schools sector, CyberFirst is divided into a number of UK regions. CyberFirst is “working on ways to build a diverse and sufficient talent pipeline into the cyber sector (in all its forms) no matter what students have studied before”. Linking to the earlier presentations, some related questions are: how do we get people to use Alex’s tools, and how do we encourage students to study cyber security (and related subjects) at the OU?
An important point Patrick made was that “every job is a tech job” and that “our skills gap is pretty much everyone in the UK” given that technology is so interwoven into our lives. There are some fundamental issues that need to be address, such as 80% of cyber security employees are male. It is important to address how to increase the diversity in the sector.
In earlier presentations about cyber security, the ‘leaky skills’ pipeline was highlighted. In this presentation, Patrick offered a brief summary that explains this. If computer science was the only gateway subject into cyber security, it would begin with 300k students going through KS1 through 4. Looking towards the secondary sector, 12% of students study computer science, and only 9% of those are girls. Overall, only 2.5% of students then move on to study computer science at A level.
One way to begin to address diversity is to make people aware of the different career structure that makes up cyber security (which, again, connects to the earlier Cyber Springboard presentation). This of course, links to the earlier question posed in the last session: how do learners get to have a go ‘at some stuff’ to find what they’re good at?
Faced with these challenges, Patrick suggested that it might be instructive to look to other domains to see what they do, such as sport and medicine. A question is: how do you find out what things people are good at? In terms of sport, the answer might be to let people have a go at something and then coach and train people to their full potential. For medicine, give students the time to make informed choices and after they’ve tried different things, only then do learners move into specialism.
A rhetorical question was: what do we do in the security cyber space? How might a “sports model” be applied to cyber? There is a diversity of people, and many of them have not studied computer science. There are non-techies with a little cyber awareness, techies with limited cyber awareness, and techies with a genuine interest in cyber.
Patrick shared an idea of a talent pipeline, which begins with scale and diversity, moved onto learners and people making their own decisions about the subject, engagement and learning, and then directed activity which leads into employment, roles and responsibility.
Towards the end of this session, there was a reference to something called the CISSE UK problem book, which is intended to help educators not just in terms of education and teaching, but also for outreach and engagement.
In the question answer, I noted down two questions. The first question was: “does a degree title matter? How important is the label?” His response was: “we don’t mind the degree title, but it’s more about what the degree enables you to do. Your degree may well help you into the next step; knowing things about yourself is important”. A further point was: it is really important do show and demonstrate passion in an interview.
The second question was about experience: “as a post-graduate student now doing a part-time masters’ in computer science with cybersecurity, what sort of work experience can I gain whilst doing this degree and where would I look for these opportunities?” In the context of the OU, and other universities there are the career services, which students should feel free to consult. Also, if you want to move into cyber it is possible to do your own thing to build evidence and demonstrate capability. Look to see if there’s some open source projects you can get involved with. Find a way to build a narrative that you can take to potential employers. As was mentioned earlier, consider adding a link to a GitHub repository on your CV, to give yourself something to talk about during interviews.
Academia and industry certifications aligned: An Open University case study
The final presentation of the day was by Lee Campbell from the OU. Lee is the module chair of TM359 Systems Penetration Testing which is due to be presented for the first time in February 2023. TM359 is a part of the OU BSc (Honours) Cyber Security. Lee takes us through a set of slides which presents the background context and much of the rationale for the module.
Why create a penetration testing module?
Business have a skills gap; they need more people with cyber security skills. Plus cyber security issues is a UK government tier 1 threat to national security. Also, students have been requesting a penetration testing module, and there is a need to complete the OU cyber security qualification.
A really interesting aspect of both cyber security and pen testing is that they cover so many different areas of computing, such as programming, databases, and networking (which are all aspects which have been studied, in one form or another, during earlier modules).
OU options to build a pen test module
There are two key choices: build something in house, or outsource. One key need was to create (or to find) a technical environment that would be used by 600 students that would be separated from the OU technical environment. There are, always challenges; these were the resources that were available and the time.
The key considerations (or requirements) that I noted down from Lee’s presentation were costs, student access, the need for a web-based solution (to avoid the use of virtual machines), ease of integration with university education systems, and scalability. In light of all these considerations, a decision was made to look around to find a solution from an external supplier.
Lee made a point about education philosophy: both education and training is needed “to develop and adapt to society’s needs”. As an aside, training is about how to do things, whereas education is about when and why to do things. Any solution must amalgamate both perspectives.
Why align with a certification body?
If the decision is to outsource, which provider should the university go with? Lee highlighted a number of certifications that relate to pen testing and ethical hacking, such as CompTIA PenTest+, CPSA, Offensive OSCP, and Certified Ethical Hacker (CEH). There are also a number of laboratory tools, such as HackTheBox, TryHackMe and NDG Netlab+.
In the end, the Certified Ethical Hacker (CEH) from EC-Council was chosen, which is one of the leading certification bodies and is one of the top 10 certifications that relate to the subject.
There are a lot of CEH resources. There are up to 20 modules, and each module relates to a subject area. Each module has a dedicated video that presents an overview. There are eBooks, and a browser based lab called iLabs. There is also something called the CyberQ platform where students can carry out a pentest.
Integrating the new module
The TM359 module has integrated many of these resources over 31 weeks of study to enable the materials to be delivered through the OU VLE. Significantly, TM359 covers most of the areas in Cybok 1.1. Also, efforts have clearly been made to ensure the module is clearly about education rather than training.
Students study a module per week. Every week begins with an introductory video, and there are additional materials and tools to help students to make notes. There are five blocks. Block 1 is an introduction to the module and the subject; block 2 concerns reconnaissance, scanning and enumeration; block 3 is about system hacking, gaining, maintaining access and clearing tracks; block 4 concerns stakeholder engagement and automation; block 5 covers countermeasures and mitigation.
Question and Answer session
I made a note of three questions.
The first question relates to the challenges that accompany using a vendor certification within an undergraduate programme. Lee emphasised that the materials explain important concepts and it is hoped and expected that there is a good balance between developing technical understanding and academic learning. A further reflection from this question is that the OU already has substantial experience of linking academic study and appropriate vendor qualification through its connection with Cisco, through the modules TM257 Cisco networking (CCNA) part 1 and TM357 Cisco networking (CCNA) part 2.
A follow up question relates to how the module team deals with iterations or changes. The university has a formal process following the launch of any module. Some of the changes occur through the vendor, and there are clear benefits in using a web-based platform in the sense that the extent that changes can be managed.
The final question was more of a comment. Rather than seeking an industrial provider, one alternative may have been to facilitate a greater level of collaboration with other higher education institutions to facilitate sharing of resources. A challenge that had to be faced was, of course, timescales. A further reflection is that the CISSE community may well have a role to play in facilitating the understanding of needs for cyber security educators.
Plenary discussion and next steps
During the forum, through a link shared in text chat, participants were encouraged to share something about their background and to say something about priorities for the community. Students made up the biggest group, with 19 participants. The other participants were academics, tutors, or members of government.
The priorities were ranked as follows:
- How can we ensure students get access to work experience?
- How can we improve the quality of learning resources in academia?
- How do we get more cyber security lecturers in academia?
- What are the alternatives to placements and internships?
- Alternatives to CVs?
- What should be in a cyber education problem book?
- How can job descriptions be improved?
- The significance of cyber learning hubs between institutions
Regarding the first point, academics have a responsibility to speak with the careers teams or department, to make sure they are fully aware of the diversity of cyber security roles.
Another important priority, which reflected earlier discussions, is the need to increase gender diversity within cyber security. This led to a discussion about the lack of women computer science teachers. Some accompanying questions were: why is this the case? Also, what can we do to change that? One reflection concerned the language used in job descriptions is an issue. For example, adverts which contain references to “rock star developers” might be attractive to one group, and not another.
The final point I noted down was about cyber security recruitment. Here is the final paraphrased question which I think was presented by Patrick: “how do we get recruiters to engage with the person, rather than asking the technical questions that need to be asked?”.
Perhaps the answer is to take the technical questions out of the interview, leaving space and time for the important question of: which aspect of cyber security do you feel you are best suited to?
What was significant about this event was the practical focus of some of the questions that were asked, and also how each of the sessions linked to each other. A key question was: how do I go about gaining practical cyber security experience? There are different ways to answer this: network to gain contacts, be bold when it comes to asking about opportunities, seek advice from your university’s career service (if this is an option open to you), and try to find ways to develop and demonstrate your skills on your own terms.
The lack of gender diversity was a theme that emerged a number of times. Within the OU there is a plan to setup a new OU Women in STEM conference. Linked to this is the importance of role models and teachers which was mentioned by one of the speakers.
The biggest take away point that I took away from this event also related to diversity, diversity of roles that exist within cyber security. Looking to future CISSE sessions, it will be interesting to learn how this aspect of diversity can be expressed and embedded within the ‘problem book’ that the community is working on.
This blog post has morphed from a set of notes I made whilst attending the forum. Subsequently, many of the words presented within this blog come from each of the speakers, who all gave fabulous presentations. The idea for running this event came from Charles, who proposed themes, managed the registrations and worked through all the idiosyncrasies of MS Teams to make for a successful event. Thanks are also extended to Charles for his excellent proofreading. Finally, Jill Shaw helped with some of the technology admin on the day.