Research: supplementing taught skills
04:00 Monday, 29 November 2021
UK Cyber Security Council
When one talks about skills, development and education there is a tendency toward tunnel vision, picturing a student in a classroom or taking an online training course. Our subconscious synonymises these concepts with growing our knowledge and abilities through the process of being taught new things.
Teaching does not have to involve a live - local or remote - instructor. A Computer Based Training (CBT) course is driven by the student, but it uses materials that have been planned, structured, written, prepared and published by someone with the primary intention of imparting a given set of information to the student. CBT still classes as teaching in this sense.
Taught training is the standard go-to for the vast majority of organisations, and the training budget is spent on these types of course. It is incredibly rare for us to do truly self-driven learning - in a word: research.
"Research" is a word one tends to associate with university students studying for PhDs, or with scientists in laboratories. Although many organisations do indeed have the concept as part of their corporate structure, this is generally as part of a Research and Development (R&D) division - staff who spend their entire working lives carrying out research, but with a complete focus on devising new or improved products and services.
There is clearly a need for teaching as means of increasing skills: it is much more efficient to be taught about (for example) public key encryption, or how to configure a particular brand of firewall, or how to produce an infection report from the corporate anti-malware suite, than it would be to figure it out ourselves from scratch.
Taught cyber skills training has two key gaps, however.
First, unless the organisation spends significant funds on having materials custom-built, the course will never fit the organisation perfectly, and hence the student has mentally to bridge the gap between the generalities of the training course and the specifics of his or her own organisation.
Second, there is a distinct - and understandable - skew in the focus of the materials available, because writers and sellers of training will inevitably tend toward subjects that are likely to appeal to larger audiences. Training on esoteric niche materials is therefore scarce and, when it exists, expensive, and there is a reasonable chance that some areas of interest will have zero coverage.
There is a potential gap, then, to introduce research as the means of closing the gaps - to learn about things that are directly relevant to the organisation, in subject areas where the only way to find out is to investigate them ourselves. This brings two challenges, though.
First, if we are cyber security professionals our taught skills are highly likely to be in technical subjects such as computer science or engineering. While many of us will have university degrees, only a tiny minority will have any significant experience in the process of carrying out research: regardless of the subject, the soft skill of knowing how to research is a skill in itself. Furthermore, we may need to gain additional skills outside the realms of cyber security in order to achieve our research goals - skills such as data gathering, statistical analysis, data mining or system performance evaluation are the enabling skills for carrying out our research tasks.
Second, research takes time. Taught courses generally take between a few hours and a week to complete, but it would be extremely unusual for a research project to be done in just a few days in the way that, say, a CISSP or CRISC course is. The time commitment - which will have an associated cost in terms of productivity - will be significant with anything but the most trivial piece of research.
These challenges can both be overcome in several ways, though.
The issue with needing new areas of knowledge can be addressed in the ways that have been used for years. First is by recruiting - temporarily or permanently, depending on the circumstances - appropriately skilled individuals. Perhaps slightly ironically, the immense magnitude of the skills gap in cyber security gives us a greater likelihood of being able to recruit individuals with research experience and/or knowledge of the ancillary skills (statistical analysis, and so on) than to recruit mainstream cyber security staff. Alternatively, one can seek to provide training - using the traditional taught model - either to the cyber security team or, more likely, to non-cyber staff on the premise that the time of the skilled cyber specialist is precious and expensive and cannot be spared for more than part of the time required for the research project.
The time element of research projects is addressed in precisely the same way that risks are managed - by acknowledging that one of the options is simply to accept the timescale. Research projects take much longer on average than taught training courses simply because they are entirely different concepts, and so it would be unreasonable to expect the time required for each to be similar. In risk management we can choose to: terminate the risk, for example by decommissioning a system whose risks are much higher than the organisation's appetite; transfer the risk, for instance by insuring against it; treat the risk, perhaps by applying controls or adjusting the functionality in order to reduce the risk level; or tolerate it - accept it as it is. In our research example we can: terminate (decide not to proceed); transfer (perhaps by building a team so the work can be done in a shorter elapsed time); treat (for example to shrink the scope or split it into sections); or tolerate (accept that research simply takes that long).
One must be cautious when engaging temporary staff or third parties in research projects, however: the more that is outsourced, the less that will be done in house and the smaller the level of learning gained by the internal team. The point of doing research - at least in the context of this paper - is that it is an additional tool, alongside taught learning, for enhancing the knowledge and experience of one's own team. Excessive outsourcing will simply negate this benefit entirely, and while there may be value in the materials produced (for example becoming better informed of some aspect or other of one's cyber security situation) there will be no skills value. In short, you learn from the act of finding out, not just from the thing you found out.
Research is a beneficial concept, then, but how does one justify its introduction? Clearly the potential outcomes are positive, but as we have noted it takes time and, potentially, money to make a significant benefit. If even a modest scale of research is carried out, this will very likely take a number of person-weeks per year, which is unlikely to be absorbed by and existing team and hence implies team expansion. Can this be justified?
Research in its purest form is hard to justify as it's a relatively abstract concept. Worse, it often results in failure. An R&D department may spend months trying to design a particular product and then declare it unfeasible; a university researcher may work to prove a particular hypothesis only to discover that it does not hold. There are two elements to the justification of organisational cyber security research from which we can benefit, however.
Firstly, both the positive and negative have value: for example, if one spends time investigating the levels, types and sources of automated "bot" traffic that arrives at one's online customer portal, there is equal value in discovering that the levels are low and non-threatening (in which case you can take no action) or high (prompting you to see what can be done to defend against such traffic).
Second, we are not doing research as a pure thing. Cyber research will always align to one or other of the activities of a cyber security team: asset management; configuration management; threat intelligence; situational awareness… the list goes on. These are all acknowledged fields in their own right: for instance, a search on LinkedIn Jobs at the time of writing for roles related to threat intelligence returns a variety of roles such as a Vulnerability Management and Threat Intelligence Lead at a car manufacturer and a Threat Intelligence Manager for a large insurance group. Hence, justifying a research role in the context of cyber topics with which the executive and board are already familiar to some extent can ease the task of convincing these groups to fund the required headcount.
And to demonstrate that research is already an accepted concept, the same LinkedIn search returned a vacancy for a Head of Threat Research for a technology vendor.
Research can, then, provide tremendous value to an organisation by supplementing the traditional teaching of cyber skills. It may require skill sets that the organisation does not have, but growing these skill sets will inevitably bring value - both in the higher skill levels that result and in the facts and data that the research itself produces.
And although research is generally a much more long-running concept than on-the-job-taught upskilling: that's because it is a radically different concept and must be treated as such.