The National Crime Agency recently revealed a fascinating intelligence assessment, uncovering the ‘pathways into cyber crime’. The key finding was that most young hackers are motivated, not by financial reward, but by idealism. The NCA added that many of those involved in cyber-crime had “highly marketable” skill sets, and evidence showed that positive role models could help steer ex-offenders towards productive technology careers.
Many people feel that re-training young cyber offenders as cyber security professionals offers a chance to kill two birds with one stone; reducing cyber-crime and simultaneously helping to reduce the cyber skills shortage. The NCA proposed creating a “toolkit of positive diversions” for young people deemed to be at risk of online criminality, such as positive mentors, coding clubs and job opportunities.
It is certainly true that today’s cybersecurity profession is in desperate need of more young talent. Our Global Information Security Workforce Study found that only 12% of the UK workforce is under 35. The NCA’s initiative is a welcome one if it can steer enthusiastic and gifted young people towards the many career opportunities awaiting them, recognising that the devil makes work for idle hands.
However, if we are to find a long-term solution to youth cyber-crime and the skills gap it is not sufficient to target educational resources, mentors and job opportunities at a narrow band of gifted youngsters on the periphery of cyber-crime. The true solution is make such career opportunities available to all by making cybersecurity a core aspect of the education system at all levels and across a range of relevant subjects; helping prepare the future generation for work in a digital economy. Cybersecurity is increasingly fundamental to many industries and many different jobs, from engineering to web design and the education system needs to reflect this. Why wait until young people are already on the periphery of cyber-crime to divert them onto the straight and narrow when we can equip all young people with the skills to make a positive contribution from the outset?
Fortunately, this is starting to happen now. (ISC)2 has worked with organisations including the Council of Professors and Heads of Computing (CPHC), to design cybersecurity Principles and Learning Outcomes which have been turned into part of the official accreditation criteria for all UK computing degrees under the bodies BCS and the Chartered Institute for IT.
At a subsequent curriculum development roadshow supported by the Cabinet Office, 60 UK universities demonstrated a will to champion and embed cybersecurity more comprehensively across their computing degree courses. There are now opportunities to go further and teach cybersecurity within an array of popular disciplines from psychology to business management. Further efforts are being made in Further Education; with our involvement in the development in the UK’s first ever cybersecurity EPQ helping to embed cybersecurity skills in curricula at all levels.
Employers could also aid this effort by working with colleges and universities to ‘mentor’ promising students, organising graduate recruitment fares and offering cyber apprenticeships to graduates or college leavers.
I recently attended an inspiring event at the Plymouth Science Park hosted by Bluescreen IT, which echoed these very sentiments of bringing cybersecurity into the fold at a much earlier stage. The event, which brought together leading organisations including businesses, schools, universities and the local authority examined how recent online threats and the shortage of qualified and experienced cybersecurity professionals could be tackled by both business and government. It was proposed that through bringing their respective bodies together, it could mean that their agendas could be aligned and integrated to form a proactive ‘cyber cluster’, enabling parties to shape curriculums to incorporate information security and in turn provide a pipeline of nurtured talent to the profession and local businesses.
With the internet overtaking TV as children’s favourite pastime, there is also a real opportunity to engage children in cybersecurity by incorporating it into primary and secondary school teaching materials. Cybersecurity content could be included in everything from maths classes to World War One and Two history lessons on the role of code-breakers at ‘Room 40’ and Bletchley Park. Teachers could create code-breaking competitions to make the content engaging for children.
There is also an opportunity to teach internet safety to all young people, in an age when children are increasingly exposed to the hazards of the internet, from hackers to cyber-stalkers. (ISC)2 volunteers from across the cybersecurity profession have been going into UK schools to teach over 5,000 children each term on everything from ‘sexting’ to cyber-bullying. Similar initiatives could be rolled out across all schools at a national level.
The only viable long-term solution to youth cyber-crime and the skills shortage is to ensure that our education system gives all students (and their parents) the necessary skills, knowledge and awareness to feel included in, able to contribute to and benefit from the digital economy.
By Adrian Davis, CISSP, Managing Director EMEA, (ISC)²