Opening up the world of cyber security: How the online landscape calls for increased knowledge

Opening up the world of cyber security: How the online landscape calls for increased knowledge

Professor Awais Rashid shares his thoughts on what the future might hold and the reasons why CyBOK (Cyber Security Body of Knowledge) has evolved.

As the pandemic spread across the world, practically every industry and organisation took their operations almost entirely online, bringing into sharp focus the importance of data security and privacy. Cyber security is no longer the mythical realm of a singular expert – nor should it be, says Professor Awais Rashid, who believes that in a complex and interconnected world, everyone has a role to play.

Why does cyber security matter?

With or without the pandemic, more of our lives are moving into the digital sphere. The pandemic showed that despite the world being in the middle of this massive crisis, we were able to continue working and interacting with people, because of the platforms we have and because we have some assurance about the security of the software, hardware, networking and communications infrastructure that forms the digital fabric on which we rely.

How can organisations better equip themselves and their workforces in the online landscape?

Two people in front of bank of monitorsAs we focus increasingly on building and operating organisational infrastructures in more secure ways, we need to have a workforce that fully understands what is involved and has the capabilities to do what is needed. There is a big shortage of cyber security professionals worldwide. Part of the problem is that we tend to think that there is a singular cyber security specialist, one expert who knows everything, and that’s not true! The work required dictates the expertise needed, whether it’s someone who can build a secure communication mechanism so we can engage with others without concerns about eavesdropping, or someone who can make sense of the data coming into a security operations centre to identify an unfolding cyber-attack.

As an organisation you need to know what expertise you need. As a learner, you need to understand which course will give you the knowledge that will equip you with the insights required. As a provider of academic programmes or industry training, you want to clearly articulate your offering. This is why fundamental knowledge matters – it allows you to distinguish the needs of different roles and plug the knowledge gaps.

What role does CyBOK play in meeting these needs?

There is a lot of material out there about cyber security, of varying quality, which makes it hard to distinguish between authoritative sources, especially in the absence of a common knowledge framework, which to date, the field of cyber security has lacked. CyBOK provides that missing component – it has been designed with real knowledge and expertise, by multiple authors across the globe who are experts in their own topic areas. You can then choose to read a thorough summary of a particular knowledge area, listen to a more digestible podcast, or dive into the full text with reference materials.

The National Cyber Security Centre (NCSC) is now using CyBOK as the basis of its certification of undergraduate and postgraduate cyber security degree programmes in the UK. The CyBOK-based certification makes it possible for programmes to showcase and trace the specialism and coverage of particular knowledge areas within CyBOK. This, in turn, supports an educational landscape where broad general cyber security courses and deep specialist programmes cater to the needs of learners and employers.

As a practitioner, you can map your current training and knowledge on to CyBOK to see the breadth and depth of your understanding and areas that you may want to develop further. This can enable you to go deeper into your area of specialism or branch out into new roles in cyber security by identifying the knowledge you already have and what is needed to further the specialism or expand your role and knowledge. It’s also then easy to demonstrate to potential employers your suitability for particular knowledge requirements of specific roles.

CyBOK is open access and freely available – why?

Transparency is one of the key drivers of what we do. We consciously chose to make everything downloadable with permissible licences that don’t ask you to pay even with your data. No registration or login details are required. This means we don’t know who is downloading or using CyBOK but that doesn’t matter – ultimately the purpose is to remove barriers and uplift the community.

The more we can be open and clear about what knowledge is needed to build systems at scale, the more we can make that knowledge accessible and the more effectively we can raise the bar of training and education.

If you’re not from a very technical background you can still see yourself contributing to a large body of work around, for instance, human factors, risk or regulation. Maybe you’re someone from a deep technical background or you’re an engineer who builds systems; you can see how you could bring that knowledge to bear in building secure power grids or water treatment plants, for example. All perspectives have a valuable contribution to make to cyber security, and that helps us address the big gaps in the workforce – if we have a diverse range of people, we can meet complex, interconnected needs.

Why did you decide to move from CyBOK 1.0 to CyBOK 1.1?

A body of knowledge is, by definition, not final – all fields evolve and new knowledge comes to light or the existing one needs to be presented in different ways. Cyber security is no different. Furthermore, CyBOK is for the community, by the community. We have an open call for community comments on changes to CyBOK. We respond to community input and comments. Based on feedback and direct input, we decided to complement the existing Cryptography Knowledge Area – which covers fundamental and theoretical concepts – with one on Applied Cryptography, where a significant body of knowledge exists on how to use cryptography in practical settings. We also added a more extensive coverage of Formal Methods for modelling and verifying secure systems and protocols; formerly this was recognised as an important crosscutting topic in the Introduction to CyBOK. We also broadened the scope of the Network Security Knowledge Area to provide a wider coverage of different types of network architectures and security mechanisms therein. These changes are not done lightly. The scope of change is publicly available for community comments and is refined based on these before a Knowledge Area is revised or a new one added. The new Knowledge Area or revision follows our rigorous process of peer review and open community comments before finalisation.

How has the cyber security landscape changed in recent years and what does the future hold?

Digital map showing connections between countriesCyber security interacts in very complex ways with other properties of any given system – the question is, how can we build more secure and resilient systems? If you look at big systems like power grids, water treatment systems and manufacturing environments – or even larger scale environments such as smart cities – they have a large number and variety of computational devices and software within complex cyber-physical infrastructures that are highly connected. To be secure, we need to have secure ways of building, maintaining and evolving those infrastructures – they have very long lifespans of several decades – and we need the knowledge to make that happen.

Sustainability and cyber security are two of the biggest challenges facing the world. From a geophysical perspective, we need to get a firm handle on what we do and how; from an infrastructure perspective, we need a world in which we trust the systems on which we rely. In all fields, we need experts who have the knowledge that will ensure we can meet the demands of the future. That’s the purpose of CyBOK, to raise the bar on how we build systems that have the desired impact on society.

Professor Awais Rashid is Principal Investigator and Editor-in-Chief of the Cyber Security Body of Knowledge (CyBOK), a virtual network of internationally-renowned experts who are pooling their knowledge for the benefit of open access education and professional training. The entirety of CyBOK’s peer-reviewed resources and publications can be accessed online under the Open Government Licence, cost-free.

Book your place – CyBOK showcase event, 13 September 2021 – to hear more about the new and updated Knowledge Areas and see the full agenda.