If the best hackers can train themselves better than they what they could get from a graduate course, is there no real point or value in the GCHQ-certified degree?
The best hackers are too expensive to be hired by governments, or simply don't want to work for governments. If government wants to recruit them, it will take a combination of money, career advancement potential, interesting, meaningful work, and an independent work environment.
Do you think the government's goal, "for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace," will be achievable through an initiative like this?
It won't guarantee it a certification program is just a very small part of what it would take. The only thing that would make a significant change would be to require every citizen pass a certification in ethical hacking and Infosecurity by 2025.
But that's not feasible. It would be like obliging every citizen to be trained in jujitsu and boxing to fight crime on the street.
If you were advising government intelligence officials on this, what would you tell them?
While brainstorming for my keynote presentation about cybersecurity for government at the Regional Cybersecurity Summit (April 20), I decided that there is a need for a different approach the government of every country needs to develop better cybersecurity regulations.
I think cybersecurity is actually collapsing because hackers are becoming more sophisticated. The problem is that companies don't have the budget, time, skills and desire to spend the money efficiently on it. Either they purchase something that is ultimately worthless, or they purchase something to pass a security certification like PCI "Here's the paperwork, purchase order is done" but practically speaking they remain hackable.
You can explain to CEOs that security is important, that it's obligatory because the consequences can be huge, and they will say, "Yes, yes, we absolutely agree. Thank you. Bye bye." Nothing will change.
Look at Target. They fired CSO and sued the company in charge of their PCI compliance. Everybody is trying to put responsibility on somebody else it's not our fault. The result is simple nobody is really in charge of security. Until we have straight, clear and comprehensible regulation by government, don't think companies will do something about security.
I used to agree with people who said that more and more companies becoming victims of hackers can be a good thing, because only then do they start spending and thinking about security. But after conducting several tests, analyses and having discussions with people, I found it becomes even worse than before.
Sign up for CIO Asia eNewsletters.