Recent announcements that GCHQ will host summer camps to boost interest in cyber and improve skills, as well as the ongoing Cyber Security Challenge, show that there is a need to draw people from outside of IT to fill the skills gap.
One idea that could be better exploited, following a model used in Israel, is making use of skills learned in the armed forces. I recently met Tracy Andrew, head of information security and compliance at law firm Fieldfisher, a business with data protection running through its veins. With that in mind, and working alongside some of the UK’s leading legal minds on data protection, his life should be easy, right?
Within the firm, Tracy said, the age range is young, and as it takes a savvy person to do the job, staff need to understand that IT security is an enabler, there to protect rather than prohibit. Tracy is an advocate of “COPE” – corporately owned, personally enabled – as the model for equipping mobile workers.
“We have a written COPE policy which allows for backing up personal applications by the user, but not the firm; for passwords it is five digits for personally owned, MDM-enabled devices and eight digits for corporately owned ones, to fit with our existing policy,” he said.
We assume that law graduates and those in the legal profession are pretty smart, so how does IT security training work? Tracy said that upon induction they are given an introduction either by him or via a video, and feedback so far has been positive.
He said: “The information security policy is now at version nine and I’ve taken it through four versions in four years, with 32 iterations. We change when we have had an issue or there is an ICO change, and we modify it to include social media and promote the benefits so it has positive connotations.
“They are professional staff, and they are receptive. We don’t sell security, we sell the benefit to the firm as a business enabler and if they do it at work it protects them at home.”
Tracy’s background is not one of business IT. Despite his seven years in information security, four of them at Fieldfisher, much of his earlier career was spent in the military.
“I joined the army at 17, played rugby and joined the Royal Military Police (RMP), specialising in signals and radio technology, and I was sent to fix them,” he said. “I trained with the Royal Electrical and Mechanical Engineers (REME), where I retrained to maintain bomb disposal wheelbarrows and digital electronics.”
Following this spell, Tracy left REME in 1994 and worked for a telco as a business manager, but got into security again when a security officer was needed to support the company’s government contracts. “After this I joined the NHS. They were reluctant to hire me, but I told the board ‘give me three months’ and told them what needed to be done,” he said.
“There I became an information security person and became head of information governance for NHS Berkshire, the first NHS organisation to have ISO 27001 accreditation.”
In the late 2000s, Tracy attended a talk by former Fieldfisher partner Stewart Room, was introduced to the firm and realised it had no CISO. “I was asked to present by Fieldfisher and then asked to interview, and in a second interview was asked to give my thoughts on ‘how to build security on a green field site’,” he said.
Tracy showed me the presentation, which consists of only a handful of slides, and told me that one of his roles in the army was as an electronic warfare instructor. This led me to ask him what he makes of terms such as “APT” and “cyber war”; he said they are simply new packaging for existing threats, and that anyone versed in electronic counter-countermeasures knows what to do in such a situation.
That led me to ask how he sees the state of skills and how he is finding the hiring process, given his countermeasures background. Tracy told me that in a recent effort to hire for a wide range of security skills, one applicant who did have a military background was shortlisted but was hired elsewhere, while another was “a wildcard” with skills in operations. The latter joined at the end of 2014 and “had been a complete revelation”.
He said: “The individual had no security certifications, but was skilled in data protection and had a degree in the data protection area, and is still doing a masters in business law.
“With no formal data protection qualifications, I put him through a BCS exam on data protection, and we will do something later on privacy (via the International Association of Privacy Professionals), but really it is about applying knowledge; he had industry experience in a different business context. If there is a real-world problem, how do you apply it in industry? Can that work here?”
Where the skills already exist, it may be better to adapt and retrain people than to start from scratch in order to get the best of them learning about cyber security. Tracy has shown that he could carry his military skills into the business world; surely there are many others for whom this could work too?
Tracy Andrew, head of information security and compliance at Fieldfisher, was talking to Dan Raywood