As the Cyber Security Challenge enters its final hours of existence, in this second part of our look at its legacy, we consider those who passed through its tasks and competitions.

In our first article, we spoke to those who made the CSC happen, but all of this required participants. What became clear from those we interviewed was that there was a desire to work in cybersecurity, but the career pathways were not always clear.

For example, Calum Vickers says he started “in its infancy” back in 2010-11, in an initial challenge held at the offices of QinetiQ. Vickers admits he had been involved in “conducting fraudulent activities” during a period when he was ‘black hatting’, but upon discovering the Challenge, he became interested.

“I wanted a career in cybersecurity, I wanted to hack stuff, but at the time, there wasn't really much for you to break into,” he says. “Like, how do you become a pen tester in the UK? It wasn't really advertised. You went to university, and then what?”

Secure Infrastructure

After entering the Challenge, he pulled a team together and took part. After facing the first task—where they were given a scenario and had to come up with a business plan on how to secure infrastructure—he later received an email inviting him to the face-to-face challenge.

“The Challenge set my career up. I had never been employed previously; I had never even attended a job interview. Having the Cyber Security Challenge on my CV meant I could go directly to IRM, who were sponsoring the Cyber Security Challenge.”

Vickers attributes that experience to giving him the confidence to speak to industry leaders, and he credits the social skills he learned in the CSC. He says that other initiatives do not offer the same face-to-face experience, and “the actual social networking with people, actually being on-site” and live, in-person hacking were part of what he calls a “mad whirlwind of activities that were phenomenal.”

“It's something that won't be had sitting behind a desk, looking at coursework, watching videos,” he says.

Confidence

Getting involved in the Challenge from a participant’s perspective required a degree of confidence in yourself and your technical know-how. Sara Moore tells SC UK how she was studying at the Defence Academy in Shrivenham when a Challenge event took place there. Saying she was one of 40 participants, she called the experience “phenomenal” but admits she was “not very technically talented.” Although she was doing a Cyber Assurance course, her understanding of it and the people involved was limited.

She calls herself a “liability on the team” as she didn’t understand what a hash was, but the experience was “real fun” among a real mix of participants: mostly male, “some cheeky teenagers and old hats who were really talented and represented the cyber community in my imagination.”

Her later involvement included opportunities for networking and meeting potential employers, and she admits that she realised it didn’t matter where you came from—if you had aptitude, you were noticed.

She says she was “just exploring Metasploit” when she realised there was a need for people with soft skills to communicate between technical jargon and management speak. “There was no criteria about yourself that was limiting whether or not you'd get a job—it was just really how well you did.”

Information Assurance

Moore was studying International Relations and admits she was entering the cybersecurity space “from a completely different angle,” as she was graduating with a humanities degree and was “thinking really carefully about what I wanted to do to make sure that I was doing something that was relevant.” This led Moore to the field of Information Assurance: she was able to do a course in this at the Defence Academy that was connected to her degree.

“I was the only one there paying for it, because the rest were being sent there by their companies as they already knew this was going to be something they would have to do from a regulatory perspective,” she says. “I was sat there with people from the Foreign Office, insurance, people from three different branches of the military—and then there was me! That was just me saying, ‘I think this is a problem we should be solving.’ Honestly, I was completely out of my depth, but at the same time, my instincts are pretty good sometimes, and that’s why I was there.”

Looking back, Moore says she “sat in this crowd of people I didn’t know yet.” In her professional career, through a series of internships, she was able to build a career working in threat intelligence. Commenting on the work the CSC did, she believes the change in industry operations and skill sets has caused the Challenge to change its tactics.

“My view is that it's probably because the threat environment is different, and the skill sets we need are slightly different. So I see it as a massive tragedy, but I also see it as potentially necessary because we need to be attracting talent into areas like AI, and I think it is due to the landscape shift.”

Make Something

Reflecting on her time in the Challenge, Moore says the community element was “fantastic” as it “gave you this idea that you could make something of yourself.”

She says: “I think that a lot of careers can be quite limiting, and the Cyber Security Challenge offered that stepping stone; it gave you the ability to be seen by employers through your unique strengths and talents.

“I think that confidence stayed with me, to be honest, and you’re talking about someone who knew very little at that time. The problem-solving mindset has stuck with me—a lot of that comes from the hacking community. It's like creative problem-solving, and that’s something I’ve always been very inspired by. Rather than thinking, ‘This is a limitation,’ now it’s, ‘How can I get around this?’ and that’s never left me since.”

One of the key points Moore says she has taken from the Challenge experience is the social side—that she can always reach out to this community and ask for help. “It's very different from some of the sharing groups and intelligence spaces that I am now part of,” she says.

Another alumnus we spoke to is Vincent Yiu, now director at SYON Security and previously a Computer Science Master’s student at the University of Warwick. He tells SC that he was unclear on his career options but knew he wanted to do something in cybersecurity. “Everyone in the class seemed to be pouring towards software engineer roles.”

Then the Challenge came along, offering some offline tasks that led to an invitation to a face-to-face event. He attended but found the experience “rather incompetent.” However, his abilities were noticed, particularly “that I had some idea about manual SQL injection, and someone probably put in a good word for me,” leading to an invitation to the masterclass.

Yiu admits he was not particularly skilled in tech at the time, saying he had no idea what Metasploit was until he joined his first job as a consultant and learned it on the job.

After the Challenge final ended, many masterclass participants joined MWR InfoSecurity. “They weren’t sponsors of CSC, but I also wasn’t getting offered jobs at the few sponsors I tried to apply to,” he says.

Since then, he has focused on red teaming and offensive security, earning certification as a CHECK Team Leader and founding an independent security testing firm in Hong Kong.

Looking back, he says the Challenge “opened up a lot of opportunities.” He describes CSC as a “once-in-a-lifetime event,” contrasting it with the remote Capture the Flag events he now participates in, which rarely offer funding for hyper-realistic simulations like those in the Challenge.

Intervention

There are hundreds of stories from the many candidates who took part in the Challenge. While researching the first article, we found that many participants are now working in senior roles worldwide.

Vickers recalls receiving a knock on the door to discuss ‘black hatting’, which led to him speaking at an intervention day “to a group of young children caught up in illegal activities.”

Vickers calls that one of his proudest moments, as he mentored someone who later gained employment at NCC Group and is now a senior application tester at a fintech start-up in London.

“He’s messaged me a few times to say, ‘Thank you so much for all you've done.’ I told him, ‘It’s not a problem—you just needed to realise you didn’t have to do criminal stuff to have fun. There are legal paths.’”

He concludes, “I owe a lot to the Cyber Security Challenge—a hell of a lot.” So do many others.

Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.