Our Conversation with Phil Legg - A Leader's Brief Special (May 2022)

Council news

12:00 Tuesday, 28 June 2022

UK Cyber Security Council

Phil Legg, UWE’s Professor of Cyber Security, delivered our first-ever leaders briefing.

The UK Cyber Security Council’s CEO, Simon Hepburn, talks to Phil Legg, Professor in Cyber Security, Co-Director of the UWEcyber Academic Centre of Excellence in Cyber Security Education (ACE-CSE), and Programme Leader for the NCSC-certified MSc Cyber Security.

Tell us about yourself

I’m a bit of a geek, and always enjoyed computers from a young age - playing around with BBC Micro computers, copying out code listings on the back of magazines, through to making my own websites and playing around with JavaScript.

Computing has always been a hobby for me. But then it became a question of how I could make that passion a career? I studied computer science at university and developed this academic career, conducting research into cyber security.

That initial interest came when I was 5 years old, placed in front of a BBC Micro computer by my parents. Back in the 80’s, it was really common for people to code from scratch – a ‘makerverse’ around coding. What I love to see is that coming back again these days with the Raspberry Pi initiatives to get kids excited about coding again.

My family are all teachers – and I spent a large part of my younger days saying I didn’t want to follow them into it. But, I had an epiphany at Uni, seeing people teaching about computing with projects on the side, which got me interested.

I love doing the teaching at UWE, but it’s great that I can also involve myself in all these other projects.

At school, I chose ICT, music and business studies before doing math, drama and business studies at A-level - I never did an IT A-level. It was always something that I saw as a hobby, but it’s been great to be able to transform that into a career path.

I then did computer science at Cardiff University, and it was in my last term when my academics came to me with an opportunity to do a PhD. I loved the module it aligned to, so, I went along, had the conversation and applied to the post. The PhD was around how we can use machine learning techniques in terms of medical diagnosis and early prevention of blindness.

From there, I took a conventional academic career, going from a postdoc to lectureship. My postdoc took me on a journey from the machine learning, to apply that to sports science, looking at player movement on a rugby pitch, analysing sports data and bringing in techniques to grow understanding.

Machine learning opened my eyes to the cyber security sector. I worked on a project with CPNI and the Uni of Oxford, bringing together skills to recognise cyber security issues and insider threats. From a wealth of data, we wanted to understand the actions of people who might be hiding behaviours, how we tease that out and piece together nefarious activity patterns which might affect security.

One of the projects we run is called Unlock Cyber – bringing 300 year 8 students onto campus for a taster day on the industry and the opportunities available. As well as getting the students on site, we also have teachers here, running sessions to address challenges that they face, which might be how they get the school, individuals or students engaged to think more about cyber security and risk.

What is your role at UWE?

We’re recognised as an academic centre of excellence by NCSC – It means we’ve got a certified degree course, but we go above and beyond just that. It's not just thinking about our own students, but how we teach everyone about security, both regionally and nationally. It’s something everything in society needs to acknowledge.

We do work across the university in upskilling other disciplines and academics in those teams to understand the multi-faceted problem of cyber risk. Then there’s other aspects, working closely with the Information Security team, asking ourselves if we’re teaching good practice and delivering it as an institution – practicing what we preach.

And then there’s our community outreach – working with schools, community groups and the vulnerable, to better understand what cyber is, how we address personal cyber security, and opportunities into the sector.

It’s no good if we say, “the South West has it covered in terms of cyber” – we need a joined up approach, bringing the entire nation on the journey with us.

We’re keen on outreach and working with schools to make sure they’re getting the things they need to inspire them into the profession.


How do you get the Uni’s other departments engaged in cyber?

It's quite often the case that large organisations need to link the dots in terms of cyber risk. Cyber security is multifaceted; there’s no getting away from that.

We can only do so much from the technical aspects, but if you speak to colleagues in the law faculty for example, they’ll be talking about regulation, operational practice, all the things from the organisational aspect for which cyber security is crucial. It’s the same for criminology and psychology departments, to better understand the motives of the hackers.

We’ve been able to tease out these pockets of activity to create an institution-wide take on cyber. It’s very much about finding people across the institution to find link ups.

You might have some people where they don’t think it applies, but when you dig a little, cyber is a key part of keeping a business running. It's an enabler, but also a vulnerability, which opens up organisations to attack.

We want to engage with those who don’t understand, or don’t have interest, in the technological aspect. Digital underpins our economy and cyber security is an intrinsic part of that.

What does your student cohort look like?

Our undergraduate students have increased in numbers over the years – not just cyber, but cyber security and digital forensics.

Our Postgrad Masters programme is a straight cyber security course. Unlike the undergrads, our masters come from all backgrounds – people who’re mid-career and changing roles across a variety of industries, to those later in their career who’re keen to learn more.

We’ve got a good deal of those doing the course part time, alongside their day jobs with large corps and within public sector across the country. They’re either working in the field and wanting to be upskilled, or are in a different department and want to transition.

The international market has been really popular, too. The post-study work visa has made it more appealing for students to come here and we get a lot of students from Africa and India in particular.

What does a typical week look like for you?

As an academic, my role covers a variety of things. I might be teaching a module on cyber analytics, data visualisation, bringing that into the cyber domain – or focused on malware analysis, network traffic analysis, fake news detection.

We’ve also been running online bootcamps alongside the Institute of Coding, which has worked well for students who might not be within the region.

I’m passionate about building a research culture around Cyber security. We’ve got a number of PhD students working with SMEs across the region, looking at defence and telecoms security – identifying what sort of problems the businesses have come up against.

I love teaching, but I’m a geek at heart – get me in front of a computer and let me get coding!

We've also been running regular workshops with schoolteachers. We had NCSC’s support to get supply teachers on site for some of these workshops, looking at how we can support schools with practical exercises.

On the back of this, we created a portable Raspberry Pi cyber range, which doesn’t impact the school network, used to upskill the teachers – getting them to muck in and how they can then pass on what they’ve learnt to students.

DCMS’ consultation on standards and pathway addresses whether the sector should be regulated. What’s your view on this?

It’s a tough one. In terms of pathways, there’s a lot of focus on how people get into cyber security. We hear day-in-day-out of entry level roles needing 3+ years' experience.

Another challenge is that if you spoke to most people 35+ working in cyber and asked them what their pathway was, they wouldn’t be able to say from the age of 12 they knew what they wanted to do.

No one has that straight from the off. There’ll always be those conversations, and who knows where that might lead.

Pathways are a good idea, but having said all that, it’s too easy for me to say to students ‘don’t worry because an opportunity will land on your plate’. It doesn’t sit well with me, even though that might be the case. It shouldn’t be overly prescriptive, but make people aware of the opportunities.

The work the UK Cyber Security Council has done to scope out the 16 job areas is a great way to identify what you need to know. It’s really valuable.

What I’d say to my students is, if you’ve seen a job ad, ask yourself what you’re being asked to do in that job and spend your 9-5 doing. If you like getting your hands dirty with data, perhaps an analyst role is for you. It’s getting them to think about the day to day rather than striving for a senior job title.

What advice would you give to those with a qualification – with elements of cyber security – but would like advice or guidance?

The best advice I can give is for students to ask how they’re going to make themselves stand out from the crowd, and they should create a portfolio on who they are and what they do.

When my PhD opportunity arose, I thought it’d be a way for me to say, ‘I’m now senior’, but I found it presented a whole bunch of other ladders and further opportunities. I never considered an academic career path until that moment.

Having an online portfolio will let you elaborate on your qualifications. There’s a lot of unis offering cyber degrees, but they all look different. We even have assignments where we get students to make videos for YouTube, which you can demonstrate the modules you undertook – it helps to illustrate the experience.

There are so many job adverts posted nowadays and it’s frustrating to see the entry level role, entry level pay, but with a large amount of experience required. As a graduate, you have to ask yourself if that’s the kind of organisation you’d want to be working with.

It can be a minefield out there. All you can do is market and publicise yourself in the best way possible.

What is the CyBOK mapping?

We need to assess our programmes against the CyBOK (the Cyber Security Body of Knowledge – sponsored by NCSC) encompassing 21 knowledge areas, which paints the picture of all the areas which touch upon cyber security.

As a term, so often, people have no idea what we’re talking about when we mention cyber. The CyBOK looks at mapping out hardware security, infrastructure and software, through to human and regulatory aspects.

It paints a body of knowledge, demonstrating the literature on a particular topic and collates that to help people interested in certain fields.

For us, working with NCSC, we need to align to the CyBOK body of knowledge. We can’t align to all knowledge areas, and it’d be wrong for us to claim we’re doing loads of stuff in those areas.

But it’s been great to see more and more programmes go towards the NCSC accreditation and mapping. Students can look at this and assess how a particular institution could compare with ours. If they’re interested in the human aspects of cyber security, for example, it can help them to identify which uni to attend.

Do you engage with industry for student placements/grad jobs?

Yes, we’ve got a bunch of different initiatives with industry, with regular talks from speakers in industry. Our Cyber Guest Seminar series runs weekly during term time, where we can hear from industry.

We get a wide range of speakers, but often, it’s alumni, from firms such as CGI. Having students like that is really valuable. You hear about how they’ve got the job, progressed and built their career. They often come back to put forward grad roles and opportunities.

Undergrad students also get a sandwich year for an industry role, drawing on our own networks with the private sector for placements.

What is your view on those without a qualification but who might have strong experience?

It shouldn’t be a barrier because everyone is going to take a different path. I followed an academic path, but I don’t work in industry and government.

One of the things we’ve run recently is a bootcamp, getting people in other sectors interested in cyber security. It’s not going to guarantee your foot in the door, but it’s an intense, concentrated delivery of cyber security materials.

It's then about how you market yourself, building up that portfolio and finding the organisations which are willing to get you onboard.

How can applicants navigate the jobs market when employers are looking for ‘ready cooked’ talent and how can those entering the industry progress when the median tenure of workers is getting shorter with younger generations?

It’s all about the training offered. Employers should be investing in their people and help support people where they want to get. If they can see the potential, they can see how to adapt them into the right role.

We see a lot of students getting their first grad job and then get a new role after a few years. Sometimes that’s progression within business, but a lot of individuals need to find the right fit.

Anything else to add?

At UWE, we’re working with communities across the region. Although we’re in Bristol, we say we’re the Uni for the whole of the West of England, and we truly want to operate across that area. Through our outreach, we go all the way down to Bridgwater, Tiverton and the edges of Devon and Cornwall, and we’re keen to work with more groups and industry across those areas.

But we’re also really keen to work across the UK. There’s no point having the South West secure, if other areas aren’t, and I’m keen to hear about how we can work collaboratively; both with industry on research, partnerships, or through our outreach.