How cyber competitions can help fill the cybersecurity talent shortage

A cyber intelligence firm offers a new service in the form of secure storage for cryptographic keys. It partners with a cryptocurrency firm to offer key hosting, but one of the crypto firm’s applications is painfully insecure, and as a result the cyber intelligence company suffers its second major security incident a year.

While the attack is partly attributed to a hacktivist group, as the truth unfolds it becomes clear the insider threat from the first event – who is now behind bars – is still involved, as are the security company’s new CTO and CIO. None of the investigators of the incident – tasked with finding out who was responsible, how they got in, and plugging the holes — were actually cybersecurity professionals.

In reality, this isn’t an actual hack. It’s the Masterclass competition from Cyber Security Challenge UK, held annually in November. This event is designed to get more people into cybersecurity and offer a way for new talent to meet potential employers and for employers to find talent.

How cyber challenges can help fill the talent shortage

It’s no secret the cybersecurity industry is suffering from a shortage of skilled workers. (ISC)² estimates the shortage of workers has now reached 3 million globally, while ESG reports that half of organizations have a “problematic shortage” of cybersecurity skills.

This lack of talent makes security workers a hot commodity. The unemployment rate of cybersecurity professionals is around zero percent, and an (ISC)² study into security staff retention found 46 percent of cybersecurity professionals are contacted weekly by recruiters, and most would consider switching jobs if the right offer came along.

Competitions and contests give organizations an opportunity to circumvent the usual rat race of a hiring processes. Events such as the Cyber Security Challenge Masterclass aim to widen the potential talent pools and show participants what a real-world cyber environment looks like.

Once described by The Register as “Hack Idol,” the event sees 42 competitors across eight teams – all non-professionals – attempt to investigate and remediate the hack on this fictitious cyber intelligence firm’s infrastructure. The contestants must secure infrastructure, discover the root cause and perpetrators, and explain their findings both to the board and in a mock press event.

“The challenge is incredibly useful for encouraging new cyber talent into the industry,” says Paul Gillen, head of the Cyber Security Operations Centre and Barclays. Hosted at Barclays’ UK HQ in London, the Cyber Security Challenge UK team has been working with the bank for two years. Barclays has helped craft the challenge scenario to reflect the kinds of incident it might face in the real world.

“The contestants had to think on their feet and work to strict deadlines, with constantly changing information, just as we would in a real-life situation,” says Gillen. “It’s also a great opportunity for the contestants to get exposure to what a threat or attack might look like in a large corporate [environment].”

An automated scoring system assesses each competitor’s technical capabilities. Human assessors from companies such as Lloyds, BT, Airbus, and the Bank of England, among others, patrol the event talking to each team and judging individuals on softer skills such as communication, leadership and ethics. Each assessor is also a potential employer looking for staff.

“Part of this is about pulling people into our funnel, but also part of it is about creating a much bigger population to form that funnel,” says Oscar O’Connor, lead assessor at the challenge and also security director at Cognizant. “We want everyone here to leave as an ambassador.”

How cyber challenges help employers

Hackathons, capture the flag contests, and cyber competitions are increasingly seen as a viable recruiting tools for companies. “It is a great way for us to spot up-and-coming talent,” says Barclays’ Gillen. “Protecting Barclays against cyber attacks and enhancing our resilience is a key priority for us, and it’s something we continue to invest in. That includes investing in the very best people in the field, some of whom will no doubt come to us through the challenge in the future.”

The Bank of England is also a sponsor of Cyber Challenge and has hosted its own similar events. “We are trying to tap into a different demographic as far as skills are concerned, so we don’t really want to fish in the normal ponds of the Oxfords and the Cambridges,” says Neal Semikin, head of security and infrastructure at the Bank of England. “With the cyber challenge, while we’re trying to generate skills [for the now], we are also looking out for skills for the future and offer internships off the back of that.”

Semikin explains that the Bank of England recently had a group of youngsters who came in to visit after its own cyber challenge event to understand what the potential career might be. “I would rather use that as a means of interviewing people and tapping into their interest in the subject rather than just going out with a job advert.”

However, says Colin Lobley, CEO of Cyber Security Challenge UK, some companies use this as a marketing or corporate social responsibility (CSR) tool rather than a genuine hiring method and can be reluctant to break with their standard hiring practices to recruit from such events. “The companies that get it understand they are going to pick up some talent, but they are playing the long game. If they don’t invest in stuff like this, when they turn to their recruitment agencies and traditional recruiting models in two or three years’ time, there isn’t going to be anybody there or they’re going to get priced out the market.”

“The CISOs and their teams, they get this,” Lobley continues. “They want to see and have candidates who have demonstratable hands-on skills, which you can’t always test from a CV or an interview.”

Cyber skills don’t always make it through the HR filter

While a large proportion of contestants at the event are still in school, the challenge is also known for having a number of mid-career participants looking to move into the security field. One of the assessors was a former RAF engineer who was a finalist in a previous Masterclass and has since held various security roles across the UK. The event’s first winner back in 2011 was a postman.

“I think there are massive cohorts of people out there — hundreds of thousands, if not millions, of mature people who I would class as complete novices that probably haven’t even the thought [of] a career in cybersecurity,” says Lobley. “Return-to-work parents, job seekers…there are people out there in their droves in those sorts of categories. There is no reason you cannot take those complete novices with soft skills and experience from previous jobs, get them interested in a career in cyber, and in a year or two get them into their first job.”

However, on paper, many of these people may not tick the boxes required for HR to consider a candidate, and this is why lead assessor O’Connor feels such events are important recruiting tools. “Recruitment is such a screwed-up process, the ‘HR filter’ tends to filter out the people we want to see,” says O’Connor. “If you just got a CV off most of these guys, they would probably not get through HR. Yet when you can come here and see them in action and watch how they behave, most of them will end up with jobs.”

Events such as this are more like two-day interviews, meaning the employers can really get to know a candidate. Often, people who are good on paper crack under pressure, or a particularly quiet candidate suddenly grows into being a leader for their team. “As a way of identifying talent that you just won’t see otherwise, this is the place to be. What could be better than having two and a half days of being able to see people working on stuff, see the lights turning green, see the way they respond to that environment?”