Anatomy of a cyber team

Mike Fell, NHS England: 
Hello and welcome back to The Cyber Sessions podcast. I'm your host still Mike Fell, exec director of cyber operations here at NHS England. In today's episode we're going to be discussing the anatomy of a cyber team.

We often think of cyber professionals as coming from technical backgrounds and working in the bits and bytes, but recent research from ISC2, the training organisation that delivers exams such as CISSP, identified that actually about 58% of us working in cyber currently started from non-technical fields. So just as cyber criminals don't all come from the same backgrounds, I'm led to believe, it's essential that our cyber defence teams also have a diverse range of skills, perspectives and experience, and that's what we're going to be exploring today.

It is called 'The anatomy of cyber' - it genuinely was a tough call against calling it 'Did you hear the one about the copper, the teacher and the radiographer?' Because today I am delighted to be joined by 3 guests - a former radiographer, you’ve got it, teacher and police officer. They've traded their previous careers for the exciting world of cyber security, showing that each brings a unique experience and thoughts to the work that we do, and that's what we're going to be chatting through today.

So let's kick off with some introductions. Can you say a bit about yourself and also how on earth you've ended up in this wacky world of cyber? Cathy.

Cathy O'Keeffe, NHS England: 
Okay, hi everybody. I'm Catherine O'Keeffe and I am the deputy director of cyber delivery at Cyber Operations in NHS England. And I often ask myself how I ended up here, but mine was I trained as a radiographer in Oxford actually a long time ago. I've been in the NHS now 35 years if you include training as well. Moved through the ranks of radiographer to reporting radiographer in Liverpool Women's a long time ago. And then around 2005-2006 when our national programme for IT was created, somebody needed to lead the introduction of PACS into a hospital, so I volunteered into doing that and I took us from dark room processing right through to electronic storage of x-rays within 6 months.

Our IT team were that impressed I was asked to go and run their business operations for a year and from then on I've worked my way up. I left Liverpool Women's 7 years later as a deputy chief information officer and then moved into NHS England as I said 7-8 years ago practically actually as a director of IG. And then I moved into cyber security two years ago - three years this week actually, hasn't it been? It's been a long time. So yes, so that was my journey.

Mike Fell, NHS England:
Fantastic, thank you, Catherine. Paul?

Paul Carpenter, NHS England: 
Hi everybody, I'm Paul Carpenter and I'm a senior cyber security analyst. I'm an area 2 lead for national networks which deals with cyber alerts across secure boundary and StealthWatch in detect and respond team, and also the analyst pool coordinator so responsible for the analyst pool within detect and respond.
So my background is that I was a secondary school teacher for 15 years where I taught ICT, computer science, business studies. I also taught media and a bit of travel and tourism. So you know what they say about teachers - those that teach can. Those that…therefore I did several different subjects, loved it, really good fun thing to be working with really interesting students, some more interesting than others as you can imagine. And I worked my way up to being a head of faculty in the ICT and business department and it was really good.

Problem is that teaching is changing a lot. There's so many more things involved with it OFSTED, lots of league tables and it became really difficult to do what you wanted to do. I teach the students, the curriculums are forever changing, you've got people on your back all the time asking for new things in the classroom. A lot of the people asking for this aren't necessarily in the classroom that regularly so they don't really sort of see how it is. And it was kind of "I think I need to move away from this sort of career and get into something different."

One of the things I started teaching and became more prevalent on the curriculum was cyber security and it was a real interest for me. So teaching it at A level and it was something I thought "Yeah, I really like this." One of the things as a teacher, especially in the curriculum I was teaching, is you're learning it a lot yourself before you teach it. And obviously as we all know cyber is developing all the time so I was learning it as I was teaching it. I thought "Yeah, I could get into this, I could really sort of get involved in that sort of industry."

So initially I started applying for some roles and I got a couple of interviews but very quickly realised that talking about teaching it and having an understanding of it wasn't going to get me into the place where I wanted to be. So I then realised I had to go away and I did a part-time Masters in Advanced Security and Digital Forensics at Edinburgh Napier University and during that Masters it gave me the opportunity to work on digital forensics and some of the more practical side of things. So then eventually I applied for NHS Digital as it was then and was successful in getting an interview and was able to give examples of where I'd actually been involved in the cyber side of things. I was delighted that I became a band 6 and I've worked my way up from there from May 21 to where I am now.

Mike Fell, NHS England: 
Thanks very much and listeners are going to have to note that I am now feeling like I should be on best behaviour with a former teacher in the room. And I don't think that's going to improve as we pass over to Martin. So Martin, how have you ended up here?

Martin Jarvis, NHS England: 
All right Mike, thanks for having me on the podcast. Yeah I'm Martin Jarvis, I'm currently the Incident Management lead within the cyber security operations centre. We investigate the more complex and nuanced incidents that we detect within the cyber security operation centre.

So just a little bit about me then - I used to be a police officer before coming into this role. The progression is you kind of start in the uniform, then I was plain clothes detective working on drugs teams predominantly in the Leeds area. Then working into CID doing the more complex investigations, you know the robberies, the more serious armed burglaries, more serious crimes. And then ultimately becoming a detective, and then from there becoming a detective within the homicide major inquiry team within West Yorkshire Police. So we'd investigate murders, rapes, attempted murders across the whole of West Yorkshire.

The theme here is, or what got me into cyber, is that when we used to work on the drugs teams originally, what you'd find is a lot of the offenders were young men predominantly around 15 or 16. But they weren't the people who were ultimately running the drug scenes. So how do you actually get the people who are behind this crime? And to do that you need to get to grips with the technologies that they use.
The ring and bring mobile phone situation is that the drug addict would phone a mobile phone that would be held by a central person who will hold the line. The line number would never change throughout the years because it's like a brand - everybody needs to know the number. And so these drug addicts could know the number off the top of their head and they'd be told to go to a location where they'd be met by one of the drug dealers.

So what we discovered was that by doing phone work, analytical work on the phones, we could soon discover who accessed the dealer number and then who was in contact with that person who was accessing the dealer number. We developed a network and information, and that all information came from computers and technology. We were able to deliver successful prosecutions and bring people to justice, people who had previously eluded the police and been difficult for the police to deal with and brought hardship and difficulties to different areas of Leeds through utilising these technologies.
And the other thing we found as well was that because as we got more advanced and into the robberies and the homicides, a lot of the criminality - people won't talk out against organised crime, they won't talk out against the vicious criminals that are in the areas. But what there was, there was lots of information on phones, on computers, cars, on CCTV and you could use this to bring prosecutions. And that's what kind of got me interested in cyber really.

Mike Fell, NHS England: 
Excellent, and I think all 3 stories are those, you know, pivoting from roles with real purpose and an altruistic kind of intent of making society a better place that I think naturally pivots but also kind of, I think, some tangible technical kind of reasons for getting into this. And I know cyber has like its caricatures doesn't it? It's - we all see the memes with the typically a guy in a hoodie with a green and black and there's that kind of perception of what cyber is in society.

So has that been the reality? Is that what it's like to work in - you know you've kind of pivoted mid-career - is that what, has it turned out to be what you thought it would be?

Martin Jarvis, NHS England: 
So from my perspective, is what I learned more and more coming here - we, because of the visibility we have, we deal with such a range of cyber security incidents. A lot of it is faceless, we will never really bring anybody to justice for it.

Although we will do our best, a lot of it is faceless. We don't really know who is responsible and there's no borders with this thing, you know. It's all across the world - we're up against people from all over the world, all sorts of different backgrounds. It's such a diverse range of people.

Mike Fell, NHS England: 
I agree, and but for the record just in case there are any cyber criminals listening, I am pleased that the slam of a prison door has been heard on a number of occasions with teams that I've worked in for those conducting cyber fraud against the great British public. But yeah, I mean Cathy, Paul, is it what you were expecting when you kind of thought about that career change?

Cathy O'Keeffe, NHS England: 
I think it's more - I think what I find is every day has a purpose, no two days are the same and I quite like that to be honest that no two days are the same. We don't know what we're going to face every day but when we do face it, we all face it together and really good team when we face things together. So no, we don't have the hoodies and the dark room - can belong to the criminals because you know we're quite a sophisticated operation really. But so yeah, they can stay like that but you know we are really a really good team of professionals I think and I really enjoy every day.

Paul Carpenter, NHS England: 
I agree with Cathy in that teaching was like that - every day was different even though they were teaching a timetable. Kids say the funniest things and something will happen and I find that with the work that I do here that every day is different. You don't know what you're going to come into each day - there could be a major incident, there could be something you've never seen before. You're always learning in cyber so it certainly keeps you on your toes and it's given me more than I expected when I came into it. It's more than just an office job, that is for sure. It's just enjoyable and the people you work with as well - the amount of support and dedication from others that we work with is just amazing.

Cathy O'Keeffe, NHS England: 
And the people we do work with – and I tell them, don’t I - I am in awe of you every day because I see people do some really good stuff every single day that protects our NHS. And you know, I personally as deputy director am really, really proud of the entire team. But you know, when you look at what we do on a daily basis I just think it's amazing.

Mike Fell, NHS England: 
Well there you go, you heard it here first - there is not black screens with green scrolling text, there is not hoodies. Although there may be a few hoodies and it is a great place apparently. So let's scratch underneath that point and obviously I'm going to say I think it's a great team. I'm massively proud of the work that goes on across the teams but let's scratch underneath - actually what makes that greatness to it? I think we've got examples of that here with the kind of difference and that, but what are the constituent parts of powerful cyber teams?

Cathy O'Keeffe, NHS England: 
I think it's the diversity we've got to be honest. I think we, you know, not only about careers, it's about attitudes, it's about frame of mind. It's the fact that we have all come from these different backgrounds and I think because everybody brings that unique perspective to it but we come together as a team to manage everything - to me - is probably one of our greatest advantages. To me that's what I'd say makes our team so great.

Martin Jarvis, NHS England: 
I think one of the capabilities coming from the incident management perspective - just being able to talk to people and also share information with people and take something that might be fairly complex and put it in a way that everybody can understand. And that way people can come together to take action because it is a team sport, cyber. You're not - there's so much to know, there's so many challenges and that's the exciting thing about it. But also, unless you work as a team, no one person is going to solve the problem. So it's a proper team sport and one thing I do like about working in the CSOC is we do have a great team and people will come together when - and me, Cathy and Paul have been there in the early hours of the morning on a Sunday morning coming together to solve problems at organisations in other parts of the country. So yeah, that's where teamwork.

Mike Fell, NHS England:
Yeah, and I think that resilience point that you put there about - I mean I think a number of us have worked in either formally hostile environments or challenging environments whether they be on a clinical basis or in a classroom. I think everybody's there and I think that resilience point really chimes.

Martin, I know the experience that you bring from policing where conviction rates can be low and keeping that motivation in teams can be challenging when actually it can feel like a - yeah as I say you know, low conviction rates and the frustrations of doing all the work on investigation to ultimately not have something at the end is I think something that has an immediate overlap into cyber where frequently investigations can be left with unanswered questions in the end of it. I don't know, is there?

Martin Jarvis, NHS England: 
I think you're right but the thing is we have to be mindful of part of a bigger picture. So although I kind of said earlier yeah it is hard to bring people to justice, but we do bring people to justice and maybe not on that day but eventually we will do because the way we gather information and intelligence and share it and keep working on the problems and we don't give in - we will get there eventually. And as a result of that we know we protect people, we get people informed, we improve people's quality of life. Yeah it's maybe not today but eventually and you know we are patient and we are hardworking and we will get there.

Mike Fell, NHS England: 
Yeah and I think that communication aspect for me is one that's massively important about what makes a great cyber team because you know, the again the cliche is back to the "is it what you expected?" The cliche is of working in a closed cell that doesn't talk and you know security works in the shadows kind of mindset. Whereas actually I think it's a really important aspect to be able to talk openly about all the harm that's been prevented.

And it's a bit like the Millennium Bug - people look back and they go "Well why was there such a noise about it? Nothing happened." It's like well nothing happened because of all this amazing work going on. And that in itself I think is something that is important to talk about.

Okay, it's trigger warning time. I always go with something slightly inflammatory and intentionally provocative, so here goes with that for today's podcast. So I'm told (he says in the slightly cheeky voice) that you need to be deeply technical to work in cyber and if you're not deeply technical you're not going to bring any value to any of the stuff that we do in cyber. Ba-dum tish, is it true?

Paul Carpenter, NHS England: 
No definitely not. There's so many skills that you need to be involved in what we do. Obviously technical is important but we've already talked about and covered it in communication. We work in a team with different pillars, we've got different areas that we need to reach out to - organisations, ICBs etc. Yet that is a key thing - if we can't communicate what we're trying to tell people that is technical but they need to understand it, so you've got to have that communication skills there.

I definitely think resilience is key to it again. Martin's touched on this - you know there's nobody I've worked with since I've joined NHS England that isn't prepared to work into the hours of the late at night or early in the morning, weekends being involved in things. A couple of years ago Log4j over Christmas period - people involved, nobody has ever said no I haven't got time. So I think resilience and determination, tenacity - there's so many different skills that are really important to have other than the technical skills. And I think a lot of the different personalities we work with and diversity as you mentioned Cathy is clearly a key to why it's such a great place to work and we're so successful in what we do.

Mike Fell, NHS England: 
I feel like my false attempt to spark some different opinions is going to fail but Cathy you look like you're going to come in.

Cathy O'Keeffe, NHS England: 
So I'm head of profession for cyber aren’t I in NHS England and the one thing I talk about and people have all heard me say before is you bring your holistic self to work. And that is just not your technical self, that is every other characteristic, attitude and experience to bring to work. And with Paul it's about those softer skills as well and it's something that I do push within our profession as well is to look at those softer skills. And I'm not talking just about finance and I'm not talking about commercial, I'm talking about how to present yourself, how to communicate. You know it is that whole holistic development of a person I think shapes our team.

We do have a multidisciplinary team - we have project managers in our team, we have business people in our team, we have service managers. And I think that's what again makes our team work now because it's not just about the cyber professionals anymore, it's about everything else that we can deliver. That I think has elevated cyber operations and the data security centre we were before that. We've progressed - people are listening now, people know that we're increasing public trust because of the work we do. But that's because we've got a multi-disciplinary team around us that push us on.

Mike Fell, NHS England: 
I think that's absolutely right and one thing I'm wanting to start is for us as an industry and a sector to start challenging this 'soft skills' language. Because it strikes me actually we talk about soft skills and we talk about by assumption 'hard skills' and the technical skills. The technical skills are put into the association with the hard skills, but the soft skills are such hard-earned, such hard-learned, and actually typically the ones that are a lot more difficult to - because they can't be taught in the same way as a technical course.
I know each and every single one of you has cast a really long and positive leadership shadow in your areas and I know personally kind of the impact that you've had in helping shape careers and development that I know I know you're massively proud of or you should be - not only in NHS England but in local communities and in the wider sector. So I just wanted to touch on like as leaders in cyber and within the Cyber Operations team here in NHS England, how do you create those opportunities to upskill people both in what historically until this point in history has been referred to as soft and hard skills? How do you do that, what approaches have you taken? Martin let's start with you.

Martin Jarvis, NHS England: 
Yeah so I mean we manage the major incidents that come into the cyber security Operation Centre and this is where we kind of have to have those. And I'm glad you talk about this Mike because you said, you know you mention and you mentioned the other day the soft skills element of it. But to us these are the essential skills that we need to be effective within the incident management team. And I recognised within my team that you know some people have different sets of skills and it's how do I kind of - we have to have a broad range of skills. So how do I get them to understand you know the different areas within the CSOC, understand aspects of that and then be able to take that information and put it out in a way or a format that is easily digestible to a wide range of audiences? That we can communicate information so it's effective and action can be taken quickly and that the way that we do things is inclusive. So mostly people can feel that they can access us, speak to us and understand the issues and they can come and then be part of the team.

So like we have the regional leads, we rely on them quite a lot because they have that deeper understanding of the local organisations. And as we know people locally are always different wherever they are, it's just human nature. And to understand people and personalities is key to our success. So I - we have to bring a lot of the training and development that we do is through a) making awareness to the team, b) me kind of creating resources that will hopefully train our team members so they have structure and understanding which is really key during those stressful times. But also a lot of it has to be kind of on the job, a lot of it has to be kind of getting people to work shadow with us because sometimes you can't get everything down in a book. You can't kind of explain everything - a lot of it just comes through experience.
Some people have a leaning towards you know being good communicators, other people don't. But people will - if people are enthusiastic about a subject or a topic you can see that and you can bring them on. So I'm always keen to kind of ensure that the training pathways with the incident management team will give people the skills that they need to kind of tackle the environment that we're in. And some of it or a big part of it is actually doing the thing itself.

Mike Fell, NHS England: 
It is and I'll avoid the massive bear trap of whether that leads you to believe that people should be in offices in cyber teams kind of seeing it. But I do think for me there's a key point you make there about the way in which that leadership shadow, that leadership radius goes out and around just hearing the way in which more senior experienced people interact and manage the relationship so that hard messages can be given but in a way that's supportive and driving the right outcomes, particularly important in incidents, and Paul I know you've worked really closely with some of the more formal training schemes and those on apprentices and that with it. What's your kind of reflections about what makes a success about that side of things where there's more formal?

Paul Carpenter, NHS England: 
I'm very fortunate I work with a lot of the analyst pool so they're more some of the less experienced people and newer to cyber. And what I find - we've got apprentices, we've got graduates that have come through, we've got people coming through from just out of university starting their careers with us from their skills that they've got. And it's so rewarding because you see them learning and they build up. They come in quite unconfident but very quickly that confidence starts rising. And a lot of what Martin just said - the shadowing they do so they're able to sort of see what people are doing, see it kinaesthetically in terms of doing it on the job. Therefore they get the skills to then understand it but have the confidence to reach out and ask questions. And it's not just to their direct person above them, they're reaching out to people in different organisations, they're reaching out to senior team members within the CSOC itself and they're having that confidence to do that.

In terms of the apprentices, it's amazing - the apprentices start with us and the idea is they start with pretty much no cyber knowledge whatsoever but we get them involved in the cyber alerts, we get them involved in the analyst pool looking at the same things. And there's an expectation obviously they're not going to be able to do so much to begin with but the speed they pick things up.

The graduate scheme is amazing as well because we've got people from different backgrounds - we've got math graduates, computer science graduates, people from very limited IT/cyber knowledge. And yet again they go to different parts of the organisation and you see them grow so quickly. And they come sort of quite mild mannered and then they build up to being these real confident people. And the success we've seen from some of our graduates that are now in similar positions to ourselves that were 3 or 4 years ago, were still graduates. It's brilliant.

Mike Fell, NHS England:
I get nervous for my own role sometimes when I see the pace at which these people are developing. We've got some amazing kind of talent coming through in that bit so you know, for the record thank you from me for the stuff that you're doing in that.

I think lastly in this space, maturity for me is about moving from the tactical bits through to a real repeatable process but that flexes around it. And Cathy I know you've done some thinking around articulating that. Do you want to talk to us a bit about that because of the more strategic approach you've taken?

Cathy O'Keeffe, NHS England: 
So I have written a attract and retain talent strategy. So I've taken it from or taken some words from the UK cyber strategy where they're talking about the UK becoming a cyber powerhouse. So I've built our own cyber powerhouse or the plan for our cyber powerhouse. And that is a series of activities that one, absolutely bring our people on, but the other one is to make this place and continue to make this place a great place to work.

So I've built it on strategies as the foundation and then I've got some walls which are real tactical ways that we absolutely involve all our team and we all take ownership for our own directorate really. So you know I'm a great believer in 70-20-10 form of training and I've picking up on what Martin's just said again - a lot of it is on the job. You know we're quite fortunate that we do offer quite technical professional training, we do offer that as part of our package but it's more than that. So it's more about allowing our people to thrive and flourish in the job they're in.

So you know we offer a mentorship scheme but a mentorship scheme where you can actually - it doesn't matter what grade you are, you can actually mentor people who are higher grade than you or you know a lower grade than you. And then people get to buddy - it's another one when you first start in our team now we give you a buddy so you know you're never alone. So there's a whole catalogue of opportunities that I'm about to introduce into cyber operations that give everybody an opportunity to learn and thrive. Because to me every day is a school day in this place - we've already said that every day is a school day so why don't we learn from each other?

You know, people council - so we now have a people council but that's not run by anybody who's actually manager or senior manager, it's actually run by our juniors. And they get together and they are slowly shaping and bringing in initiatives to make this place an even greater place to work which you know I'm really proud of. So there's a whole scheme of initiatives we've got in here now that gives ownership to others for their futures and shaping the direction on how cyber operations go moving forward.

Mike Fell, NHS England: 
And I think it's really important to have that diversity of that such that there's clearly a welcome mat on the door for anybody into a cyber team, whether that be folk like yourself that have come in from different careers which I think hopefully we've demonstrated the huge value that brings, as well as the welcome mat for those through the emerging and really positive more formalised routes that we've got. As well as building up our own people in different ways it's really really important work I think to make clear back to the point earlier about the misconceptions about cyber with it.

So to wrap things up I want you to cast your minds back to 2020, the pandemic, the somewhat absurdity of some of it when we look back now - the social distancing, the banging our pans. Full disclosure - I once accidentally went on a bike ride and cycled home at about 8 o’clock on Thursday and thought everybody was clapping me as I came down the street and then found out that it wasn't for me at all. And then took a bike ride at the same time every week. But putting that to one side, I want to also remind us of the meme from 2020 or advert the of Fatima the ballerina who we were told her next job was going to be in cyber.
If we can put to one side that dissonance and the stereotypes and some of the criticism and rightful pillaring of what it was there, I think there is things to take away. And my question I guess is how far away from reality was the message that it was trying to convey about people that can come from different careers into one in cyber? So you know from your former experiences, the closing question is – out with your own roles, what do you think of the other areas, professions, experience, training, qualifications that would bring great experience into cyber and why?

Cathy O'Keeffe, NHS England: 
So a recent study from ISC2 says that people with Fine Art degrees are people more likely to come into the Cyber profession because they can look at a picture and they can analyse it and they can talk about it and that they can sell the story of a picture. So that's ISC2 have told us that. So to me, as much as Fatima has a career in cyber, it's probably true. We've proven it - anyone can have a career in cyber and you don't have to come into it through those traditional technical routes. As I said, we are going to grow our own in our own team through the Cyber Powerhouse track and retain talent strategy. So you know if people want to work in cyber, it's accessible. We've proven it's accessible, so you know, why not?

Mike Fell, NHS England: 
There we go. I'm a big supporter of that. I have needs for a lot of slideware. I do a lot of presentations and having some fine artists on the team would probably help me out as well. Any other ideas about other untapped careers and qualifications that we're not seeing?

Martin Jarvis, NHS England: 
Well, coming from an investigation role, I think anybody who is in an investigation role would be good in cyber. Being able to take data and overlay it and gather different sources of data from different areas and put those together, and also someone who is kind of robust in their questioning and doesn't take things at face value - that's a great thing for cyber. So anybody with that kind of investigative mindset is probably going to really enjoy a cyber career because there's so much to it, there's so many different aspects now and different areas and working with such different types of people. And you know, highly motivated people and the types of technologies we have. I think yeah, if you're an investigator and you're looking for change, I think you'd probably find cyber a fascinating option.

Mike Fell, NHS England: 
You’re making me think we need a new theme tune for the team of suspicious minds. Paul, any ideas from you?

Paul Carpenter, NHS England: 
I think as has been said, any background and inquisitive mindset that will to work and to want to sort of keep being resilient in what you're looking for. Because as we keep saying, it's not just scratching the surface - you sometimes really need to dig deep to look for something and it might not always be obvious. So having that mindset of wanting to find what you're looking for, be inquisitive. And I don't think there is a 'cyber security' person out there - it can be any of us and we all came from different backgrounds. I don't think several years ago we all thought we'd be sat around this table doing what we're doing but here we are now and it shows that you can have any sort of background and getting into cyber is just really interesting thing.

Mike Fell, NHS England: 
Well, what a final tone to leave things on. I think we're saying it's about aptitude not experience and qualifications and that we do need those diverse teams, so I certainly support that. And that brings us to the end of today's fantastically interesting discussion for me if nobody else. I'd like to say a huge thank you to Catherine, to Martin, to Paul for sharing unique journeys into this world of cyber security but also those kinds of insights and reflections.

To all our listeners, we hope this episode has shed some light on the different pathways into cyber security and as ever demystified some of the aspects that you may be assuming. And if you are considering a career change, remember that your current skills and experience could be the perfect foundation for becoming a cyber professional and that a range of organisations, not least NHS England, has structured ways of adding the technical skills to those that do have the aptitude and right approach and mindset for it.

If you've enjoyed today's episode of The Cyber Sessions, don't forget to subscribe and follow us wherever you get your podcasts. Thanks for listening.