Sergey Nivens - Stock.Adobe.com

How the UK Cyber Security Council plans to professionalise security

As chair of the new UK Cyber Security Council, Claudia Natanson is in a superb position to develop professional standards in IT security and she intends to fundamentally reimagine what a security job actually is

This article can also be found in the Premium Editorial Download: Computer Weekly: Are we getting cyber security skills all wrong?

The so-called elevator pitch has become something of a cliché espoused by motivational speakers at a hundred Ted talks, but in the late 1990s, Claudia Natanson got a chance to deliver one in person to then CEO and chair of BT’s executive committee, Peter Bonfield.

“I remember, Sir Peter was the CEO at the time, and I knew he was coming over to where we were so I started to polish up my elevator pitch to him. I wanted him to think about selling incident response management to support other organisations because I thought that that was going to be very important,” she tells Computer Weekly as we begin the now-standard Zoom-based interview.

“With the explosion of people doing things on the internet, I felt that BT was going to be moving more away from telephony. I said to him, ‘As much as I like the red phone boxes, they aren’t going to survive this situation; we are going to do more communication on the internet than through those phone boxes. People will want support from us as they move on to the internet’.”

An apparently impressed Bonfield agreed to let her pitch her idea into the whole executive team, and with the wind – and BT’s head of security – at her back, Natanson was able to win support (and money) to start a new business within BT, which ultimately became BT’s security services unit.

Now, as chair of the newly established UK Cyber Security Council, Natanson is on a mission to professionalise the cyber trade – according it the same status as the accounting, legal or medical professions – and attract new and diverse talent into the sector.

Shaping policy and education

Natanson began her journey as a nuclear chemist, where she was struck by the growing number of computers being used in her work. She decided to change course as a result, pursuing a masters in computer science at Birmingham University. Here, she had the idea – no longer a revolutionary one – that computer sciences needed much more support and education in schools than they were getting, so she got special permission from her professors to do something that had never been tried before.

“This was to allow me to span my PhD across the School of Education and the School of Computer Science, with the supervisors for each looking at my work. It turned out very well because I knew nothing about education per se, as a field of study, so I studied a lot of things that had to do with education – the mind, psychology and special needs – and that’s when I went into schools as well to see how computing could help in that way,” she says. “I’m very grateful to the University of Birmingham for having supported me on that.”

Into her subsequent career, Natanson has carried forward the idea that science, technology, engineering and maths (STEM) teaching practice and curricula should be formed in such a way that they allow young people the freedom to form new ideas and come to different career paths in their own way, and at their own pace.

Now that she has the opportunity to shape government policy on the cyber security profession – at a panel held at the May 2021 CyberUK event, digital minister Matt Warman said the government would be listening intently to the Cyber Security Council’s recommendations – she wants to bring this to bear on skilling up Britain’s young people to pursue careers in cyber, but only if they want to, she adds, chuckling as the discussion turns to the government’s badly received ‘ballet dancer’ ad from 2020.

This, says Natanson, can only happen if the concept of equality is built in at the foundation of the educational system, to give every child an equal opportunity to follow a path that will eventually lead to a cyber security qualification and career, through collaboration with charities, schools, volunteers and other professional bodies.

“I have to make sure I support some of those collaborative thinking actions to make sure that every child has an opportunity. I can’t just start at specialisms or frameworks; I need to start at equality. And this is why I keep saying that every part of the council’s work for the profession, every part of it, is going to be underpinned by collaboration,” she says.

This notion of collaboration extends throughout the other areas of work the UK Cyber Security Council has been tasked with undertaking. Indeed, it has already begun a programme of collaborative work with its 16 founding member bodies, each of which is currently being invited to input into its inaugural initiatives, establishing reference frameworks for qualifications and careers along with professional standards and ethics.

Reimagining cyber security

Such frameworks and standards are sorely needed, says Natanson. “One of the things I want to start with is the definition of cyber itself. Cyber security is not well-understood by organisations,” she says.

“By placing cyber security into the technology stack we are miseducating people, because immediately they think it is a technology problem, but it is not, it is a business problem, and when you deal with the business you have to work across functions, influence and educate, because security is actually about hearts and minds – you have to win people to it, people have to understand why they are doing it,” she says.

Natanson believes that re-education may be achievable if the industry can collectively reimagine what a security job actually is. She contends that most cyber security job descriptions aren’t really for security roles, but for solutions engineers and systems architects.

“Security is actually about hearts and minds – you have to win people to it, people have to understand why they are doing it”
Claudia Natanson, UK Cyber Security Council

She believes this is causing hiring problems for organisations because, having failed to understand what they want from their security leaders, they go to market with job descriptions that read like a technological wish list and fail to account for other skills that are needed to truly excel in cyber, in areas such as risk assessment and people management.

“We need to help organisations understand what they want to begin with,” she says. “We have a skills shortage because we are not communicating, not defining properly, because we have misplaced where cyber should be.

“To support organisations [we need to] bring them back to base, bring them back to how cyber is affecting the business [and] help them to understand the kind of help they will need,” she says.

“This will be important, especially to smaller organisations. Those are the ones that will need a lot of support because their understanding of cyber could be anything that they just heard or read. We will need to really put our arms around them to support them.”

The industry also needs to emphasise adaptability, says Natanson, because unlike some other areas of the technology stack cyber security is in constant flux. “I want to make sure that we keep relevant and that we make sure we have a profession that can help folks as they try to keep up with this moving target,” she says.

Chartered status

In the long run, the ultimate goal of the Cyber Security Council is to oversee the creation of a professional accreditation, backed by royal charter, for cyber security workers, akin to those that already exist in fields such as accountancy and law. Work is already in train towards this goal, and Natanson expects to be able to report on progress towards this within a year.

“The government is looking to us to set the standards, the baseline standards that we want the profession to have,” she says. “That standard has to embody a lot of things, it has to embody discipline.”

“Britain should feel very proud because nobody else is trying to look at the profession from this point of view. This is a key time for us to be shining as a beacon to the rest of the world, and I know the rest of the world will embrace that, because I’m getting those messages already”

Claudia Natanson, UK Cyber Security Council

Just as chartered accountants are bound to an ethical code of conduct, chartered security consultants – for want of a better term – will presumably be tightly controlled when it comes to areas of incident disclosure, client privacy, data protection and ethics in general.

“One of the things I look to a profession for, beyond anything else, is ethics,” says Natanson. “I want to make sure there is an ethical path, and ethical behaviour, and that you can trust that professional body.

“For us, first of all, that will be about setting the benchmarks. What do we think a good standard looks like? What does an entry standard into the profession look like? Where can you go once you’re in? How should you behave?”

All of these things will be important, particularly to security leaders making the case for investment to their boards, who will expect consistency of standards, behaviour and execution when they engage a third party, just as they would if tendering for a new financial auditor.

Steering the conversation

Looking ahead, Natanson is optimistic that the council’s work can steer new conversations and embrace new ideas around cyber security practice, and not just in the UK.

“Britain should feel very proud because there is nobody else trying to look at the profession from this point of view,” she says. “Everybody is so busy on the defensive, and nobody is talking about the profession. I think this is a key time for us to be shining as a beacon to the rest of the world, and I know the rest of the world will embrace that, because I’m getting those messages already.

“The mandate that the government has given us to be that umbrella, across all organisations not just in cyber security, and to be the voice of the profession – the council takes it very seriously. It is looking to us to guide it on standards, and to influence academia and education. Those two things are very important because they will determine whether we’re successful,” she concludes.

Read more from the Security Interviews series

Read more on Regulatory compliance and standard requirements