Cyber security spotlight on... Cevn Vibert, Institute of Measurement and Control
02:30 Thursday, 14 October 2021
UK Cyber Security Council
Cevn Vibert is chair of the Cyber SIG (Special Interest Group) for the Institute of Measurement and Control. He has spent over 30 years in Industrial Control Systems (ICS/IACS/IIOT) and has been “industrial cyber”-focused for the last 20 of those; during his career he has launched and managed major UK Critical Infrastructure security projects and solutions, and cyber and physical security demo labs. As part of our “Cyber Spotlight” series of interviews, we asked Cevn for his thoughts on aspects of the cyber security sector.
Using ten words or fewer, sum up the UK’s current cyber security capabilities in your view.
Work in progress.
What advice would you give someone considering a career in cyber security?
I’d say: decide on your current dream, follow that dream, discover more, and change as needed. There are endless paths to follow. Choose aspects you both enjoy and are good at, then ask the community for advice.
What could be done to actively strengthen cyber security skills within the UK?
I'd like to see greater provision of cyber apprenticeships. I’d like to see mobile ‘cyber buses’, actively taking the word out onto the streets and into organisations. I’d also like to see far more interconnectivity and joined-up thinking between groups of vendors, end users, systems integrators, government organisations and academia. For example, academia struggles with funding to get gadgets, vendors struggle to get the right kind of third-party views and independent external input, end users struggle with resources, SIs struggle with resources and funding. If groups want to test real-world cyber security, then how do they do this with appropriate budgets and useful timescales? How can we securely network these resources together in an independently managed fashion? If a university needs devices from four different vendors, can they connect to them securely over this managed network and could they do this either for free or via an annual subscription?
Cyber security, physical security and operation security and resilience gamification should be much more widespread and accessible in a modular fashion. Multiple groups running security scenarios working as disparate-role teams have shown enormous benefit in cross-enterprise awareness.
Cyber security culture needs to be as high on the corporate agenda as health and safety. In some instances it is interlinked.
I’d also like to see clearer career pathways for practitioners; we need to avoid losing people because they don’t see where their next career opportunity is coming from, or can’t engage with mentors or peers.
What's the role of the InstMC’s Cyber SIG?
In keeping with the purpose of the Institute itself, the role of the SIG is thought leadership, knowledge and experience-sharing and guidance. It’s important that we keep in mind our opportunity to help change some elements of the world for the better.
What do you see as the biggest cyber issues facing the UK?
I could speak for hours – and often do, at conferences – on these very subjects. For me there are several very definite themes, encompassing education, recognition, certification, risk and impact management. We have some way to go but the pace of improvement is dramatically accelerating.
We need better education for all, at all levels, with sensible recognition certificates. By this I mean that cyber education needs to be appropriate to the level of ‘student’, that it needs to cover the right subject matter, and access to that education needs to come at the right price. Completing a curriculum needs to result in an appropriate certification for all ages and all organisational levels. And by that, I mean from primary school kids up to chief executives.
We also need to acknowledge that people new to the sector gain experience very quickly, especially at the start, and we need to acknowledge those experiences that they gain; I’ve thought about an ‘experience badge’ system to promote the reality of experience, not just certification.
What do you find to be the most common misconceptions people have about working in cyber security?
For me, there are very specific misconceptions, notably that Industrial Cyber is the same as IT Cyber. They aren’t apples and apples; they are apples and pears. For example, you need to do some good research before doing a pen test on an industrial system. Organisational seniors (CxOs) need to fully understand impacts and be properly informed of the risks and of the mitigations proposed.
Another misconception is that cyber security is all about being a hacker. There are actually thousands of roles across all disciplines, and new entrants can always find roles and then adapt to fit new skills and most enjoyment.
The purpose of the Institute of Measurement and Control is to promote best practices and shared knowledge of Industrial Cyber Security in applications, industries and infrastructures. The Institute was one of the founding members of the Cyber Security Council, having been involved in the formation project. The Institute’s Cyber Special Interest Group (SIG) is one of the fastest growing groups in the Institute.