Cyber security spotlight on... Jill Trebilcock, CIISec
08:00 Thursday, 04 November 2021
UK Cyber Security Council
Jill Trebilcock is a director of the Chartered Institute of Information Security (CIISec), one of the founding members of the UK Cyber Security Council and a participant in the Council’s formation project. Jill herself was personally involved in that project, running two of its committees. We caught up with Jill again to ask her about her thoughts on cyber careers.
How did your career in cyber security begin?
I was a graduate entrant at Coopers & Lybrand which is now part of PwC. After qualifying as an accountant, I moved into Computer Audit in 1982, when all computers were mainframes and the issue for audit was that the manual records were disappearing. I was taught COBOL and JCL to run our software, and learned how to evaluate the strength of input, throughput and output controls, CIA and how to evaluate the controls in a data centre so that the auditors could place reliance on the results. Not a lot has changed in the basics of information security.
And what's the most exciting part of your job now?
Helping people increase their understanding of information security/cyber, boosting their knowledge and confidence in the sector. CIISec recognises, through its frameworks, both the technical and interpersonal skills individuals need to succeed at their roles, and it’s a pleasure to communicate these behaviours and skill sets to those at all levels of development within the industry.
What advice would you give to somebody considering entering a career in cyber security?
Don’t feel as though you can’t join the industry if you don’t have a technical background. Those not in the industry hear a lot of the jargon and assume it’s all full of cryptographic experts, but it’s not. Security demands a whole host of attributes - from the ability to carefully consider and weigh up information from various sources, to the ability to evaluate risk and make decisions based on the information available to you at the time.
There are a huge number of people with these desirable qualities who are perfectly suited to a career in cyber security. The pitfall is that they just aren’t aware that they fit the career and aren’t on the radar of the businesses looking to recruit cyber individuals. Changing the mind-set of some organisations that people need certain qualifications will not only be key to remedying the skills shortage but to fixing the issue with the right people!
At interview, show your transferable skills. If you don’t get the role, ask why and act on it. Some organisations enable internal secondments - that’s another route in too. You must show your determination and commitment to cyber in your interview. Impress them, show the skills that you have! Knowledge is transferable once you have the role.
What would actively strengthen cyber security skills within the UK?
There are many paths individuals can take within cyber security, from security analyst or engineer, to consultant, cryptographer, CISO and more. However, the profession is not doing enough currently to showcase these diverse career opportunities. Instead, cyber security is viewed by many as a purely technical discipline that requires a STEM background.
We must break down the barrier which says that those leaving school need to have taken Computer Science to get into the profession. By advertising the cyber security industry better, we must show the opportunities, excitement and variety of careers that are available to anyone, from any background. Without this image overhaul, cyber security risks losing out on the best and brightest talent for other, more widely understood professions. It’s also important to demonstrate opportunities for improvement and advancement for those already in the industry.
The industry needs to recognise that managing cyber risks demands much more than technical skills. There’s a real need for security personnel with the business skills to understand security’s place in the business and help guide the organisation to improving its overall security posture in relation to the risk profile of the organisation. At the same time, security teams need interpersonal skills so that they can educate the wider business; convince their co-workers at all levels of the need for security; and teach them best practices that the business can follow.
Most in cyber need soft skills to educate, manage, and communicate threats across the business. CISOs need technical as well as communication and management skills to understand the issues the organisation faces, make decisions and manage their staff. Recognising that cyber security professionals at all levels require a mix of skills acquired through training or hiring is an essential part of 21st-century security best practice. Without this, the industry will become inflexible and unable to keep up with rising threats.
What are the three most important issues facing the cyber security industry in the UK?
The supposed lack of people. If employers were willing to be more flexible with their requirements - which they are when inside companies, but if that also extended to external recruitment - then a lot more people would be eligible and be perfectly capable in the profession, given sufficient support. I personally have brought people into the profession from call centres and claims teams. CIISec represents 10,000 people that are or want to get into the profession. We need to get out to those who don’t know they want to be in the profession and enthuse them too, and not put them off with the technicality.
When I spoke to the head of sixth form in my old secondary school recently, she said that none of the current sixth form saw cyber as a profession because the school did not offer Computer Science at A level. What a wasted opportunity; I’ve enjoyed a fulfilling and long career in information/cyber with my geography degree and law masters (which I took when head of third-party security in order to understand contracts better). Essentially, it all begins with educating the next generation from infancy about the industry and to shape an awareness surrounding cyber in general which we are keen for the Council to get behind alongside the right Government organisations.
Also: a common way of understanding the profession. The profession does not know how to describe itself - there is no teacher/hairdresser/builder terminology which the general public understands; look at the way “security architect” has changed its meaning over the last ten years. We need to stabilise how we describe ourselves and our roles. A longer-term goal would be to stabilise where the best fit in organisations is, too, so people know where to look for roles on websites.
And there’s the third-party issue. Every organisation relies on other organisations for its information/cyber security. We use cloud platforms, we use external development teams, we use third-party software. We all have different ways and apply different criteria to how we get comfortable about our data, our programs, our computers and our relied-on people not being in our own organisations. There is a huge professional side to third-party security. We need to find a way of making it easier and more uniform for every organisation. Even an agreement on how we handle sub-contractors across the industry would be a great step forward.
What’s the most common misconception people have about working in cyber security?
That they need to be technical whizz-kids; they don’t. Managing cyber risks demands much more than technical skills. There’s a real need for security personnel with the strategic skills to understand security’s place in the business and help guide the organisation to improving its overall security posture. Coupled with this, security teams need interpersonal skills so that they can educate the wider business; to convince their co-workers at all levels of the need for security; and to teach them best practices that the business can follow. The industry also desperately needs good people managers. We’re eager to work alongside the Council to create a more inclusive environment within the cyber community.
An independent, not-for-profit body governed by its 10,000 members, the Chartered Institute of Information Security is dedicated to raising the standard of professionalism in information and cyber security. CIISec is one of the founding members of the UK Cyber Security Council, having been involved in the formation project.