Our Conversation with Awais Rashid - A Leader's Brief Special
12:00 Tuesday, 02 August 2022
UK Cyber Security Council
Could you tell us about your journey to professorship?
My journey into cyber security was quite typical. I’m old enough to have seen computers with punch cards, so my journey began when computers weren’t a widespread thing. Certainly when I was going through school the concept of computing as a discipline, let alone cyber security, wasn’t really there.
I came to cyber security fairly late in my undergraduate days. I’m an electronics engineer by background, which at the time, was basically building digital circuits and understanding power and communications. There weren’t really that many computer labs, and we didn’t do any kind of computing courses until much later.
I knew nothing about computers except that they were made of circuits and microchips. I remember convincing one of my lecturers to let me have access to the computer lab, which was a prized resource. I used to go in and try to work out what the operating system was doing, so I was very much self-taught until we started to do some proper computing courses.
At that time I also managed to convince my father to get me a personal computer, which by today’s standard is nothing, but at that time was unusual. I then learned to program on my own.
From there, my interest in cyber security grew. At that time someone who was in a higher year than me at the university said something to me that always stuck with me. He said “the best way to learn about computers is to either study viruses or play lots of computer games.”
I’m sure that’s music to the ears of a lot of people, but the purpose of that was to work out how is this algorithm working? I’m not very good at gaming, but I have often been able to beat better players by working out what the algorithm is doing just by observation.
With viruses, a friend and I used to run a pro bono service. Viruses were a very new thing, our computers didn’t even have covers yet, and so if people had problems with viruses they would bring their entire tower to us, take out their hard drive and clean them up. But we’d also collect some of the more exotic viruses.
I didn’t know that cyber security was a field at that time, and it never occurred to us to ever monetise it. It was just a service given to colleagues.
I didn’t pursue electronics engineering in my further education, to the disappointment of some of my lecturers, but instead, I went on to do a Masters in software engineering.
I then took a PhD in the field of programming languages and software engineering, dynamically evolving systems and so on. I then went on to a more traditional academic career.
From there, things started to transition towards security as I realised that was an area of interest, especially as systems evolved and new technologies emerged. After many years, here I am as a professor of cyber security.
In your younger childhood, was there any indication of your interests being more analytical?
I would love to say yes, but unfortunately that wasn’t really the case. I think what is quite key is the interest in problem solving. If I wasn’t in cyber security, I would be a mathematician. I love mathematics, and it wasn’t just because it’s beautiful, it was the problem solving I loved.
When things break, I want to work out why they’re broken. Those are the kind of things that interested me and pushed me towards cyber.
I’ve often said to other colleagues that there was a time when hackers were referred to positively, and now we always have to ask “are you an ethical hacker or not?” Hacking didn’t use to be bad; hackers would work out what the problem was and try to fix the problem.
It’s that kind of problem solving that has been a mainstay for me, and I think that’s what attracts me to cyber security.
Tell us about your academic journey. You’re at the University of Bristol now, where were you previously and how did you end up here?
Following my PhD, I did a short period of work at Xerox, which used to have a lab in Cambridge, and I worked there for a very short while. I then took up a lectureship at Lancaster University, where I had recently done my PhD. Subsequently most of the first part of my career was at Lancaster University, where I continued with a range of activities including teaching and research.
One of the key things I did at Lancaster back in 2011 was, NCSC had recently launched the Cyber Security Centres of Excellence research programme, and we put together an application to be recognised by the Centres of Excellence. A colleague and I realised we had real capacity, and we didn’t really tell the world about it.
We were successful in that, and we formed a university level research centre called Security Lancaster. That grew from about six people in a room, to 100 researchers across eight different disciplines.
You need people from different disciplines, with different expertise, from computer science, psychology, physics, to politics and international relations.
With a certain sadness, I moved on from Lancaster. I had a wonderful time there, I had great colleagues, but there was an interesting opportunity at Bristol to set up a cyber security group alongside a long-established cryptography group, and I moved here along with some colleagues from Lancaster. I’ve now been here as head of the group since 2018.
I worked at the centre for doctoral training in cyber security, which is training at least 50 PhD level graduates in this area, and I also head the national research centre on privacy, harm reduction and adversarial influence online.
Let’s get on to CyBOK. Can you tell us what it is, what does it do, and also what it doesn’t do?
If we look at any mature discipline, it has established foundations on which education and training is based. If we look at software engineering, the Software Engineering Body of Knowledge developed by the US has been immense, and we should accept that cyber security is maturing.
It has foundations in a long-standing body of work, in computer security, information security and commercial assurance, so as a discipline we need a collection of foundational knowledge on which we can build our education and training programme. That’s the fundamental principle of CyBOK.
Can we provide a set of core topics and descriptions upon which you could draw if you were creating a new educational curriculum? If you are, for example, an employer and you’re looking to hire people you can say, “these are things I want people to know, because the community broadly agrees on these as a foundation.”
When CyBOK was developed, we did a large scoping exercise to get community input as to what should go into this foundational knowledge. Not everything is in there, it’s not an encyclopaedia, so it’s important to know what should go in.
We’re not creating new knowledge, the knowledge exists out there in textbooks, industry reports and standards, we’re putting them together and saying, “this is the kind of material we should be drawing on and these are the concepts that people need to learn.”
Each of the knowledge areas is authored by an expert internationally recognised on the topic, but reviewed by a panel of experts, then it goes out for a further public review. It’s that rigour that brings a high degree of credibility to CyBOK.
But equally it’s not a how-to guide. If someone is looking for the exact steps they need to follow to do a task, that is very important but that knowledge comes from other things like user manuals.
There’s this view that there’s a singular cyber security expert who knows everything, and that isn’t true. What we have to ask is what knowledge areas are relevant to particular roles, and it’s those elements you need to know. You might not even need to know all of them; you might only need to know parts of them.
What we see time and again when we do mappings of professional certifications or undergraduate and masters courses is that they all look very different because they are all trying to cater for different needs in the workforce, and that is not a bad thing. If we had everything look identical, then that would mean we’d only have one cyber security role. The person who does risk assessment is different to the person who does security operations.
Finally, I think some of it is about taking some of that mystery away. CyBOK is open, it’s freely available, because we want more people to learn about cyber security. We want them to be able to freely access this material because that creates its own democratisation effect which brings more people into the field, and I think that’s working.
How do you communicate what CyBOK is to the profession, that it is a directory and not an encyclopaedia?
In any discipline, both knowledge and skills are important; I think the key element is that CyBOK provides the knowledge and the subsequent training provides the skills. One of the things that we’ve been trying to clarify throughout is that there are multiple pieces of the puzzle; CyBOK kind of sits at the base of what people are trying to do.
For instance, we have been funding small projects in the community where the community builds resources. There are resources out there, for example, that use case studies in their training materials with CyBOK, or lab resources where people have built labs and made them freely available, so if you want to run a training programme, you can go, and by following that you can build the skills.
CyBOK can never do everything, if you think about it, CyBOK sits at the core, and we build resources around it to provide the training.
I’m not saying anything that we don’t do ourselves. We have a Masters programme, which is starting this September; there will be the conceptual material that we will be covering, but also there will be loads of hands-on stuff in the labs, where people will be applying all those concepts, and that kind of builds the skills that go hand in hand with the knowledge.
We have a lot of people that contact us who have degrees and even masters in cyber security, who then can’t secure a job. We often find that the course they’ve done has been titled ‘cyber security’ but has really been a more general computing course, but not the area that they wanted to go into. What advice would you give to those people, and what advice would you give to course directors?
I’ll answer the second question first. We map the concepts and areas of cyber security to CyBOK, and out come these kind of spider charts, which say which knowledge area is covered by each specialism. You may see a programme that has a huge focus on risk management, security operations and human factors, and less so on software security and cryptography.
That is not to say that that is not a suitable programme, it’s ideal for people who are interested in that, but those aren’t the people you would hire unless they’d done other training on building crypto systems.
The reason I’m saying that is that’s what happened when the National Cyber Security Centre certified degree programmes, they asked degree programmes to map their degrees onto CyBOK and produce similar bar charts.
It would be great if all programmes were publishing these, so then anybody coming in could have a look at these and say ‘I can compare these two programmes, and this one is going to meet my learning needs better.’
But I think there’s also the reverse side of us setting expectations better, and this is something I was talking about to someone at another university. They said they used it to describe what their course would cover, and what it would not cover, so it was clear to students that they were going to get a particular flavour of cyber security, rather than something that was very generic.
In terms of people who’ve already done Masters degrees, the question to ask is ‘how do you make yourself stand out?’
If your degree programme has a particular flavour, for example the UK Cyber Security Council has put up these career routes to look at where your knowledge may relate to those career groups, that may help to align yourself to a particular role.
It may not be the role that you were initially looking at, but it can get you into the sector, where you can then look at what additional training you can do to help you build towards the route you want to do. A number of Masters programmes will allow you to do it part-time, so there’s no harm in a second Masters. I know people who’ve done that, people who’ve done one and it didn’t meet their needs so they’ve gone on to do a second one.
What does a normal day or a normal week look like for you?
My week has the typical set of things you would expect an academic to do. Quite a lot of focus goes around research, and working with a number of excellent colleagues on developing ideas. I primarily teach on our first year centre for doctoral training who use CyBOK as a basis to provide a foundation on cyber security for students who come in from many different backgrounds.
Quite a lot of it is related to management, perhaps what would be described as leadership: I have to set strategy, and work with senior members of the organisations which I’m a director for. They’re all interesting activities in their own right.
In relation to the students, particularly masters and PhD, is there a good balance of both national and international students?
It’s difficult to answer. There’s a balance of course, we have students from the UK, across Europe, across the world, and I’m not sure that the issue is about whether enough students are being trained from the UK. It’s more that we are retaining that talent within the UK.
Ultimately there’s a huge shortage, as we know, and I think the key thing is as a field in which there is a significant shortage, the more people we can train, the better.
It’s also very important that the people we train, if they’re returning to their home countries and taking their skills with them, I think that’s also very important. UK cyber security doesn’t exist in isolation from the rest of the world.
Ultimately, we have to raise the bar globally, and I actually think it’s a great thing that we’re training a diverse group of people, some of whom will pursue roles within the UK, some of whom will go elsewhere, whether they’re UK nationals or not.
The key question we always have to ask is, we have many masters and professional courses across the UK, but the workforce gap doesn’t necessarily change. I think the answer to that is cyber security has come out of this kind of niche activity that a few people used to do, into us now being much more aware of the challenges we are facing.
We also understand that when we build these big data systems, we need to build cyber security and privacy into these systems. If we have a global pandemic, we need secure global systems to exchange information and trace the pandemic. All of that means there is a growing awareness that we need more people. The challenge is that we’re not producing people fast enough to fill that gap.
How do we raise awareness of the profession? How do we not only attract people into the profession, but also retain them?
It might be a cliché thing to say, but this begins very early. We have to make sure that young people see cyber security as an exciting career pathway, but also being clear that it isn’t going to be a tedious dry subject. Students that want to go on to study psychology, law, many other things can all be relevant to cyber security. There’s a whole legal and regulatory side, related to cyber-crime.
Then there’s those who want to build secure systems, the more traditional route, and I think if we can provide better and clearer signposting and engage young people early, in the long term that will certainly address both our talent pipeline question but also bring a more diverse set of people into the field.
And I think that’s where we can make a significant difference. There are programmes like CyberFirst doing a lot of work, but I think a lot more can be done.
I think with regards to people who are looking to move into the field from another career, it’s important to understand that people from different viewpoints can bring something very interesting to the field.
I think my colleague will forgive me for using her as an example, but one of my colleagues here at the University of Bristol is Professor Genevieve Lively, and if I were to say to you ‘what has a professor of Classics got to do with cyber security?’ You would say, ‘I don’t know!’.
Genevieve Lively is a professor of Classics, and she’s done amazing work around risk narratives and how do we communicate cyber risk. How does that impact our perceptions and understanding of risk in this field?
I think that is a wonderful example of someone who would not be typically considered as a cyber security person bringing a very interesting perspective on cyber security. Her work has really led to significant advances in how we talk about cyber risk.
People often say to me, ‘I’m interested in cyber security, how do I get into it?’ and I say to them, ‘if you go to the CyBOK website there are podcasts with the authors. Go and hear them talk about the different knowledge areas that they worked on, and why they matter. You will find the one that interests you most.’
What are some of the projects CyBOK has funded, and what do you do for them?
There are many good examples across the country. I think there are two that I often use as examples. The first is Nancy Mead, formerly of Carnegie Mellon University, who led an effort where a number of colleagues across the country contributed case studies of real cyber security incidents to build secure systems.
The interesting thing about cyber security is that we always talk about it like a problem. The thing with these case studies is that yes, you have to understand why a breach happened, but also this is how you go about building a secure system. People have made these resources available. In many cases they have instructor notes, student notes and model answers, so you can really use them in your training.
The other one is by Dr Cliffe Schreuders at Leeds Beckett University, where there’s this treasure trove of labs that are available on GitHub, and they’re all linked to CyBOK knowledge areas. You can really work through these labs, either on your own or in your classes with your students. It gives this massive amount of resource for students to go and learn these concepts.