{"id":15234,"date":"2018-02-21T00:00:00","date_gmt":"2018-02-21T00:00:00","guid":{"rendered":"https:\/\/identifi-global.eu.applyflow.com\/success-in-this-industry-means-knowing-how-to-learn-interview-dr-budgie-dhanda-ceo-of-bletchley-park-qufaro\/"},"modified":"2022-12-09T06:16:37","modified_gmt":"2022-12-09T06:16:37","slug":"success-in-this-industry-means-knowing-how-to-learn-interview-dr-budgie-dhanda-ceo-of-bletchley-park-qufaro","status":"publish","type":"post","link":"https:\/\/www.identifiglobal.com\/news\/success-in-this-industry-means-knowing-how-to-learn-interview-dr-budgie-dhanda-ceo-of-bletchley-park-qufaro\/","title":{"rendered":"\u201cSuccess in this industry means knowing how to learn\u201d \u2013 Interview: Dr Budgie Dhanda, CEO of Bletchley Park Qufaro"},"content":{"rendered":"<p style=\"text-align: center\">\n\t<img decoding=\"async\" alt=\"\" src=\"https:\/\/cdn-01.cms-eu-v2i.applyflow.com\/identifi-global\/wp-content\/uploads\/2022\/03\/Budgie.jpg\" style=\"width: 220px; height: 220px\"><\/p>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t<em><strong>When it comes to cyber security, the UK faces a drought of professional talent.<\/strong><\/em><\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThat\u2019s great news for experienced IT managers and technicians, whose skills are in heavy \u2013 growing \u2013 demand. 
Pressing commercial and geopolitical realities <a href=\"http:\/\/www.information-age.com\/uks-plan-tackle-cyber-security-gap-123469645\/\">mean something must be done to prepare the next generation of experts<\/a>, however.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tStep forward Qufaro: the team behind the National College of Cybersecurity, set to open its doors at Bletchley Park in 2020.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tWe spoke to Budgie Dhanda, Head of Qufaro \u2013 the team behind the college \u2013 to find out more about the project, their Extended Project Qualification, and why interpersonal skills are essential in even the most technical roles.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tidentifi global: How did Qufaro come to exist?<\/h2>\n<div>\n\t<strong>Budgie Dhanda, Qufaro:<\/strong> One of Qufaro\u2019s founding directors runs an organisation called Bletchley Park Capital Partners. They own a couple of the buildings on the Bletchley Park site here, including a Science and Innovation Centre. He got together with people like Stephanie Daman (former CEO of the Cyber Security Challenge, who sadly passed away last summer). They thought it would be great to do something worthwhile with the buildings \u2013 something both vocational and educational at the same time \u2013 and so they came up with the idea of Qufaro.&nbsp;&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: And what about the name, Qufaro?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> A great guy named Tony Sale, who was the guy that rebuilt Colossus \u2013 the first-generation computer \u2013 was trying to set up a company of his own and every time he went to Companies House to set up a business, the name was already taken. 
He used Colossus to come up with a code name for him, and that was Qufaro.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tUnfortunately, Tony then passed away; but when looking through his books, Margaret \u2013 one of the directors of Qufaro \u2013 found the paperwork and thought, \u2018Why don\u2019t we call this Qufaro?\u2019<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: When did you join the project?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> I got involved probably about eighteen months ago when Stephanie asked me if I could give them support. Qufaro originally asked if I could do a little bit of stakeholder engagement, helping them navigate their way through various government departments; the DfE, the DCMS, the Cabinet Office and the agencies that are involved in this space.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThat\u2019s where I got involved originally and then, after poor Stephanie passed away, the organisation needed to do things on a more formal footing and asked me to become the CEO last October.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: What\u2019s the project seeking to achieve?<\/h2>\n<div>\n\t<strong>Budgie: <\/strong>The idea was to do something educational and bring more people into the cyber-security community. There are three real pillars for what we\u2019re trying to do at Bletchley Park.&nbsp;&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThere\u2019s the establishment of a National College of Cyber Security. There\u2019s reusing the facilities to run summer schools and online qualifications and continued professional development for teachers teaching cyber and computer science. Finally, we\u2019ll set up an investment fund to invest in cyber security companies, startups and scale-ups.&nbsp;&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThese projects will all happen in due course. The college is the flagship and the one which has captured most imaginations, though. 
The original idea was to launch in September 2018, but because of the General Election and then subsequent changes in DfE, we\u2019re still waiting on a decision from them on when the next wave of free schools are going to launch. We\u2019ve had to delay opening until September 2020.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tIn the meantime, we\u2019ve continued to launch our virtual qualifications. This includes our EPQ \u2013 Extended Project Qualification \u2013 which is the equivalent of half an A level, which we ran as a 60-student pilot a couple of years ago. It worked very well; we got a lot of good feedback on that and we\u2019ve run it again this year with a larger set of 160 students.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThis was done as a free pilot. This year we\u2019re charging students, but will repay them thanks to Deloitte, which have kindly sponsored the programme \u2013 enabling all the students that complete it to have their fees refunded at the end of the process.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h4 style=\"text-align: center\">\n\t<strong>&#8220;Our syllabus has to be about wider skills as well.&#8221;<\/strong><\/h4>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tPart of the challenge for us as a college is that we teach technical skills like maths, physics and computer science. We also teach the Cyber EPQ in the first year and we\u2019re developing what\u2019s called a Level 4 qualification for the second year of the college, which will offer foundation to degree-level learning. We\u2019re also introducing other disciplines. We\u2019re going to have lawyers coming in to talk about the legal aspects of cyber security, and HR people and entrepreneurs. Our syllabus has to be about wider skills as well.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: What\u2019s the next step for the EPQ?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> We\u2019ve got plans to grow it quite significantly next year. 
This year has been about proving ourselves and building the qualifications to attract people into the industry. Interestingly, we thought the program would be aimed at school children and sixth form students. We found that around a third of the people taking it are independent learners \u2013 those looking for a career change, or with an interest in cyber security. That\u2019s been an interesting development for us.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: On this subject of independent learning: why do you think the UK is in a position where there\u2019s such a shortfall of skilled professionals in the IT industry?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> The shortfall is global, and is behind the two reasons I got involved in Qufaro. One is personal, the other professional.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe personal reason was that my middle son has got a real interest in cyber security, and there was no career path for him, which got me interested in setting up the college.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe professional reason was that I\u2019ve worked for some of the largest companies in this space \u2013 at Raytheon, QinetiQ and IBM \u2013 and, particularly during my more cyber-focused later years, it was obvious that we couldn\u2019t meet the demand of our customers. There just weren\u2019t enough professionals for us \u2013 not just in the UK, but internationally as well.&nbsp; We had international programmes where people were coming to us saying, \u201cWe haven\u2019t got enough people. Can you supply some?\u201d and we didn\u2019t have any either.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tWhy aren\u2019t there enough people? I think partly it\u2019s down to the same reason there aren\u2019t enough people doing STEM topics, and engineering in general. It isn\u2019t perceived as sexy enough in some spaces or is more difficult to get into. These subjects tend to be more difficult than others. 
They carry the same UCAS points when you\u2019re applying for university, but mathematics and the like are seen as much more difficult subjects. The lack of girls going through those subjects is a particular concern&nbsp; \u2013 although that\u2019s not unique to cyber security, but one that affects STEM and engineering more widely.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: What has caused today\u2019s focus on cyber security training?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> I suspect it\u2019s probably over the last three, four, five years in which people have become more aware of the risks of cyber security. There have been more attacks going on, so it\u2019s in the public domain.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe PlayStation hack in 2007 was when it really hit home in my family. My middle son was distraught when he lost his PlayStation account and couldn\u2019t play online with his mates.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tIn the industry \u2013 in government circles in particular \u2013 people have always been aware of cyber security. People took information insurance \u2013 the old term \u2013 very seriously, especially if you were working in any sort of major government department.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tMy background is in MOD, where systems were harder and people were more aware. Then cyber security entered the public domain; the banks started becoming aware and that\u2019s really driven the uptake of cyber professionals into the industry. Demand has followed as more companies become aware of the risks and the fact that they\u2019ve got to do something about it.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tMore legislation, including data protection and GDPR, means there are now compliance issues for an awful lot of companies, which means they\u2019ve got to take things more seriously because the fines can be substantial. With GDPR, that means up to 4% of global turnover for a company. 
This means that, while some professionals have been there for a long time, the demand is now to bring in new products, services and ways of thinking. Now people are coming in with things like artificial intelligence solutions to try and manage and fight the threat. This requires new skills.&nbsp;&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: What are the consequences for cyber security professionals?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> The demand for cyber security skills has grown so quickly that we haven\u2019t been able to keep up with demand, and the only people we\u2019ve got are the people that were already there \u2013 professionals who have had to change tack and develop their skills as they go along.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h4 style=\"text-align: center\">\n\t<strong>&#8220;Intelligent organisations now recognise that people are probably already inside their network.&#8221;<\/strong><\/h4>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe people that were around in the old days \u2013 like CLAS consultants focussed on assessment \u2013 have gone and people are now looking more at business risk as opposed to just locking down systems and trying to keep people outside. There\u2019s been a paradigm shift in how people approach cyber security. Previously, the idea was to put barriers in the way to keep people out. Intelligent organisations now recognise that people are probably already inside their network. How do you detect them? How do you limit what they can do there? How do you fight them?&nbsp; This type of thinking requires new skills, new products, new services.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe former workforce still has relevance but they\u2019ve had to change what they\u2019re doing. While there is more demand today, it takes time to build people up to work in the industry. At the same time, there\u2019s always been the challenge of trying to get people into STEM subjects. 
There\u2019s always been a shortage of engineers, so now in that small pool, cyber is fighting for the same talent as all the other companies that were fighting for software engineers, electronic engineers and the rest. It\u2019s not surprising that there\u2019s a shortfall.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: What excites you about the cyber security industry, and what are the challenges facing IT professionals?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> I like variety and there is constant change in this industry. New ideas; new ways of tackling the problems. I think it\u2019s exciting for anybody that\u2019s going into the industry, because not only is there lots of variety, but it\u2019s actually a long-term career. The threat\u2019s not going to go away. The requirement for cyber security professionals is going to be here for the next twenty or thirty years.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThe challenge is still that people are overstretched. There are just not enough people to do the work and it was constantly frustrating in the corporate world. I found that in bidding for work, the problem was not winning work. It was finding people to actually deliver the work. I talk to a lot of companies that are trying to build their cyber businesses, and they face the same issue.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tActually, what is good is that a lot of companies are now starting to build their own eco-systems. They\u2019re working with other suppliers, particularly SMEs. The industry is dominated by SMEs at the moment, so they\u2019re all starting to work together. 
They\u2019re collaborating together to fill gaps that other companies have and that\u2019s an exciting place to be at the moment.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: With technology moving so quickly, what do you learn today to ensure your career is ready for problems that might arise in ten years?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> I think the educational sector has changed a little bit on this front. If you look at many of the top schools now, they don\u2019t teach subjects anymore, if you\u2019re very clever. Instead, they teach students how to learn. Those that are going to be successful in this industry have to learn how to learn.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tMillennials are seeing constant change and churn in technology, and they\u2019re constantly adapting \u2013 so I think part of that will always be there now. It\u2019s beneficial to have a steady plan for what you\u2019re going to do next, but actually the world doesn\u2019t work like that. There are less and less people like that now.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: So your message for Gen X-ers and baby boomers is to learn how to learn?<\/h2>\n<div>\n\t<strong>Budgie: <\/strong>Cyber security is going to need more people that are constantly evolving and, actually, if you look at millennials these days, that\u2019s the way the world is.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThere aren\u2019t that many people that spend 30 years in one company doing one job. Even if they\u2019re in a single company for 30 years, they will move around. Instead, what you tend to find now is people move from company to company to company picking up new skills as they go along. I think this is a generational change. 
People are becoming more aware that they\u2019ve got to adapt constantly as they go.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tI remember in Tony Blair\u2019s early days, he developed the idea that we should be a knowledge economy.&nbsp; We can\u2019t compete with low-cost economies dependent on a very cheap labour force doing manual work. Instead, as a country we\u2019ve got to be focused more on value-building, knowledge-centric services and products. That\u2019s the only way we can survive in our current world.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: Which age group are you taking into the cyber security college, and which skills are you looking for from candidates?<\/h2>\n<div>\n\t<strong>Budgie<\/strong>: As a sixth form college, students will be aged sixteen to nineteen years. What we\u2019re looking for is people that are going to have an interest in cyber security, but they don\u2019t necessarily have to have been trained in it.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThere will be minimum GCSE grades to set the bar, but what we\u2019ll be looking for is people that are self starters and good at problem-solving, with a keen mind. We\u2019ll have online games, for example, to test people\u2019s aptitude for problem-solving. We\u2019re not necessarily looking for coders or hackers. If you\u2019ve got the aptitude, we\u2019ll provide you with the skills to actually become a cyber security professional.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h4 style=\"text-align: center\">\n\t<strong>&#8220;There are plenty of opportunities to develop interest in this space.&#8221;<\/strong><\/h4>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tReally, it\u2019s about interest. There are plenty of opportunities to develop interest in this space.&nbsp; There is the new DCMS programme, which is provided by SANS and BT, which will roll out cyber skills across secondary schools. There are things like Codecademy. 
My own son became interested in this and started looking for free resources online \u2013 which provides insight as to how the cyber security profession is developing, the skills you need to have, different career paths, pen testing and the like.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThere are many different ways into cyber security. It\u2019s not just about somebody sitting with a hoodie in front of a laptop. You could be a security architect, auditor, pen tester, architect. There are an awful lot of different disciplines within cyber security and then there are an awful lot of disciplines which touch on cyber security, or cyber security touches them.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tFor example, law. You have to understand the legal aspects of cyber security. You also have to understand the HR aspect. If you\u2019re an HR professional, what happens if someone is constantly exposing a business to phishing attacks?&nbsp; What policies do you have around what you can and what you can\u2019t do as a pen tester? The issues extend to the supply chain. In procurement, how do you address cyber risks through your supply chain in a large organisation or government department?<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: You said you were surprised at the number of independent learners enrolled onto the EPQ (Extended Project Qualification) programme. Did anything else surprise you about your first graduate intake?<\/h2>\n<div>\n\t<strong>Budgie: <\/strong>Surprised? Possibly not. 
I met a few of them when they came down to Bletchley Park for their graduation ceremony and more than anything else, it was exciting just how passionate they were and actually just how bright they were, how well they understood the subject and how keen they were to progress into a career in cyber security.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tI think we\u2019ve found a very valuable niche where people are looking for a qualification but weren\u2019t given that kickstart into a cyber security career. The fact that that actually fits with the learning pathways for the IISP (Institute of Information Security Professionals) works well.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: Setting a culture that makes cyber security a priority and communicating this across a business is a challenge. What skills do IT professionals need to make this happen?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> In the past we\u2019ve had cyber professionals who love doing cyber work, but they tend to be very technical and speak very technically. Most suppliers talk to providers at a very technical level. They might engage with a CISO, who might be on a board, but they more often talk to IT security managers or IT managers. The challenge \u2013 particularly for those at the top, like the CISOs \u2013 is to talk the language of business, because CEOs don\u2019t usually understand technical jargon.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tWhat they understand is reputation. They\u2019ll understand impact on bottom line, impact on share price, but if you go in talking about details of cyber security, it doesn\u2019t mean anything to them. We need to have people that understand more about the impact of cyber security threats to businesses more widely.<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tYou must understand cyber security in context to be a successful professional. Yes, there will be people doing the deep-dive technical skills. That\u2019s great. 
We need them, but they\u2019ve got to understand the business context within which they\u2019re working in order to make themselves relevant. What we can\u2019t have is cyber security as a stovepipe inside any particular business, because it touches across everything, and if the other departments don\u2019t understand the cyber risks then they can\u2019t address them. In turn, cyber professionals won\u2019t get the budgets they need to protect those companies in the first place.<\/div>\n<div>\n\t&nbsp;<\/div>\n<h2>\n\tIG: Should all IT professionals be concerned about this?<\/h2>\n<div>\n\t<strong>Budgie:<\/strong> The challenge is greatest for graduates. Unemployment rates for computer science graduates are at about 8%. On the one hand, you have a lot of organisations saying they need cyber professionals. On the other, you\u2019ve got computer scientists that are coming out of university and not finding a job. Why is that? It goes back to soft skills. It\u2019s not just about being very good at your subject, which is important; you\u2019ve got to be able to work in context. You\u2019ve got to have presentation skills, business skills, financial skills. You need to be a rounded personality.&nbsp;&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tThat\u2019s what people are looking for, so I think wrapping cyber security with other disciplines is quite important. If you look at the universities that are teaching cyber security well, more and more of them are starting to take a multidisciplinary approach to this. 
They\u2019re looking at psychology and economics, as well as the pure technical skills.&nbsp;&nbsp;<\/div>\n<div>\n\t&nbsp;<\/div>\n<div>\n\tIt\u2019s often been said that the biggest gap in cyber security is the person in the middle \u2013 whether through negligence or intentional breaches, and understanding the human dimension of cyber security is very, very important.<\/div>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; When it comes to cyber security, the UK faces a drought of professional talent. &nbsp; That\u2019s great news for experienced IT managers and technicians, whose skills are in heavy \u2013 growing \u2013 demand. Pressing commercial and geopolitical realities mean something must be done to prepare the next generation of experts, however. &nbsp; Step forward&hellip;&nbsp;<a href=\"https:\/\/www.identifiglobal.com\/news\/success-in-this-industry-means-knowing-how-to-learn-interview-dr-budgie-dhanda-ceo-of-bletchley-park-qufaro\/\" class=\"\" rel=\"bookmark\">Read More &raquo;<span class=\"screen-reader-text\">\u201cSuccess in this industry means knowing how to learn\u201d \u2013 Interview: Dr Budgie Dhanda, CEO of Bletchley Park 
Qufaro<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":14370,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[43],"tags":[],"class_list":["post-15234","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-training-events"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/posts\/15234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/comments?post=15234"}],"version-history":[{"count":0,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/posts\/15234\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/media\/14370"}],"wp:attachment":[{"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/media?parent=15234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/categories?post=15234"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.identifiglobal.com\/af-api\/wp\/v2\/tags?post=15234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}