Interview: Colin Gillingham, NCC Group

At the start of this year, Infosecurity attended the Cyber Careers Show in central London, an event intended to showcase the career options and opportunities in UK industry.

Among the exhibitors was NCC Group, and on the speaker track was its director of professional services, Colin Gillingham. In his presentation, “How to land your dream cybersecurity job”, he covered what employers are looking for in their next recruit and what skills are needed for different cybersecurity jobs, and spoke about how NCC Group was aiding the next generation of cyber specialists.

Speaking directly to Infosecurity later, Gillingham said that he was very happy with the attendance at the careers fair, as he faced full audiences and more questions from them as the day progressed. 

“The audience were either university type students starting to explore their first steps in their career, or a lot were people looking for a career change and looking at other IT roles,” he said. “Some were military or police looking for a second career, and it was interesting to see the different people.”

One thing Gillingham talked about that was particularly interesting was the hands-on testing in exam conditions which NCC Group deploys. In the hiring process, he explained, anyone who comes into the technical consulting team will have an interview in two parts: the first part goes through the CV and discusses the candidate's skills, what they like and don’t like, and what they are looking to achieve.

He said: “For me the CV does one thing: it gets you to the interview, not to the job, so I use it to ask some questions to dig in to see if they are the right person. It gives me an idea of the individual.”

The second part is a deployment with a senior technical consultant, who puts the candidate through a network scenario and a web application test. He explained that this does not result in a pass or fail, but gives an indication of whether they are suitable or not.

“A main aim of putting them through that test is to see what they can do, what they know and what they don’t know and what training we may need to give them and how quickly they pick things up.”

How important is it to get ‘hands on’ with the candidate? Gillingham said that this is “really valuable as getting them to do what they will be paid to do” is more valuable than sitting them in a suit and asking them 100 questions, which he said is not going to give you an understanding of what they can technically do when they are sat in front of a keyboard.

He said: “They are going to be more expressive in what they do on a keyboard and in a hands-on test than sitting in front of me trying to think up examples and deem what they like and don’t like. This is a good vehicle to get them to talk and get their confidence up and putting them in front of a keyboard is so much better.”

Gillingham explained that this can determine what sort of training a person needs. 

At a company like NCC Group, and at the careers fair, there was a distinct mix of age groups. Gillingham said that as he had a background in the military, he was seeing more former military and police officers looking for careers, especially in social engineering and red team engagements.

“Having that police background and confidence and knowledge on how to bypass the human is equally good, as someone with a forensics background can increase their skills in other areas and do other things for us.”

As for graduates, Gillingham said that it is rare to see people straight from school, and that NCC Group looks more at aptitude than at the CV, but the majority of the focus is on university-level students, which is why it launched its graduate program.

So how does someone join the graduate program? Gillingham explained that there is an online challenge, ‘the ninja challenge’, where participants register and are free to attempt what is on the challenge portal. “There are varying levels of expertise required to accomplish challenges, and if they get all the way through they are pretty much guaranteed a job interview,” he said.

Is there a limit to how many people are on it at any one time? He said that it depends on the requirements of the company, as a certain number of people are needed every year, and this year 12-15 new people were being sought to start in September. They are trained for six months and are on a continual learning process.

Gillingham explained that graduates “shadow some jobs where they have got less knowledge and experience”, and they are eligible to attend training but even though they have finished the graduate program “there is still a learning curve that they need to go through.”

However, that learning curve can be beneficial in two ways, as Gillingham explained that in one case a graduate showed a principal consultant how to do something because they had more knowledge on the subject. He said that is a positive aspect of working in a team environment, and that it goes back to recruitment and understanding what an individual can and cannot do.
