James Matchett shares his journey from being a 14-year-old at Kainos’ CodeCamp to becoming a Senior Cyber Security engineer through the higher apprenticeship scheme
Q. What made you choose the higher level apprenticeship scheme with Kainos?
Every year, Kainos runs their CodeCamp where anyone aged 14 and up can spend 1-2 weeks with Kainos and their mentors as part of a coding competition. I took part in 2016 during my GCSE year and I would describe it as two of the best weeks of my life. I ended up winning that competition which I didn't expect, but I obviously loved it. It wasn't all about just teaching coding or engineering, I learnt a lot about Kainos as a company as well as how to develop your own skills.
When I heard about the Earn as you Learn scheme, it seemed like the perfect opportunity to break into the industry without having to wait four years doing a full-time degree and a one-year placement. In the summer between lower and upper sixth, I did a placement at an IT firm for about six weeks and I found that working on real code with real customers at such an early age had a really profound impact on me, it felt like I was fixing real problems and helping real people.
My experience of the higher-level apprenticeship has been fantastic from day one. It started with four weeks of dedicated training to bring everyone up to the same standard followed by two 6-month rotations on different projects to get a really good feel for different areas of the company. At the same time, you're doing your first year of university with one day a week at university and then four days a week in the office getting used to projects, picking up new skills and really finding your feet. I found that by the second year whenever a new university module came along it felt like I'd done it before because I had already done it in the offices of one of the best software companies in the world!
Q. How did the pandemic affect your experience?
Being a higher-level apprentice during the pandemic affected two parts of my life. One of them was university and the other was work. Everything very quickly had to move remote but as a technology business, all the essentials for remote work were already in place. I wouldn't say it affected the academic side of things so much as all our resources were already online, so it was mainly a difference of not having the in-person teaching.
In terms of working over the pandemic, I had my first independent security project, and it really gave me the fundamental experiences that I'm currently taking forward into my career in cybersecurity. Things such as reverse engineering, figuring out how systems work and even valuable soft skills such as how to approach someone in a business you've never spoken to before.
Q. As a cybersecurity engineer, how much of your day is involved in coding?
I've seen this shift slightly as I've progressed from trainee to associate and in my current role as a senior associate. I'm looking more at big-picture design stuff now trying to catch flaws before they're even written into code. Typically, the design process follows a blueprint, or a design proposal and I find that that's the best opportunity to catch flaws rather than further down the line.
I'd say about half of my day is involved in the technical side of things such as running audits, technical scans or reviewing code and the other half is involved with calls, planning proposals and even education. A developer will have a query and I'll spend half an hour explaining what I feel are the best practices are for them and their specific scenario.
Q. What would you consider to be the main threats organizations face today?
The first one would be the users themselves and making sure that they're well informed about what the risks are, such as not clicking on dodgy emails or installing third-party software. In my experience of doing penetration testing, a hacker will spend hours trying to find a flaw in a technical system but most commonly if we look at the biggest cyber-attacks, it's often been the user doing something to compromise their own security. So, it's very important in terms of education to make sure that users are aware of what the risks are but also putting technical controls in place as well such as scanning email attachments to make sure they don't contain viruses.
The second one would be, if you're a public infrastructure or critical national infrastructure, you have to ask questions like "are we at risk from advanced persistent threats or APTs?”. We have to keep in mind their tactics, techniques and procedures as we've seen them hack other things in the past so we can learn lessons from that and apply them to our own infrastructure. Quite often, it’s the easy security wins that provide the biggest improvements to security posture.
Q. What makes cybersecurity an interesting and exciting sector to be in?
It's different every day, so you always have to come to work with your thinking hat on. Whenever you're presented with a problem and someone makes a suggestion such as “this can't be hacked” or "it's very secure” you have to be the one person in the room to say "Obviously I trust you but I need to verify what you're saying". Even though people sometimes see cybersecurity as people that find magical technical exploits, hacks and vulnerabilities, what they don't see are the four weeks of hitting your head against the keyboard for one day of success.
A developer may write code and be happy that it works but as a security engineer, I'm really interested in what's going on under the hood. Whenever you have that transition from having no idea how the system works to knowing it inside out, it is a magical moment and I can't really describe it as anything other than that. It's taking something that seems impossible and then finding a solution is what I love about it.
Q. A common perception around cyber is that it's a very male-dominated industry. Are you noticing women getting involved in the sector?
I help manage and mentor several colleagues from underrepresented backgrounds who have recently joined the cybersecurity capability and I really feel that it's a capability that anyone can join regardless of demographic, background or previous experience because all you really need to have is a passion to learn. As cliché as it may sound, you can't teach someone who doesn't want to learn and that's a prerequisite for cyber. I could be in the industry for 15 years, wake up tomorrow and a new bit of technology is dropped or a new paradigm has been adopted. So, it's a constant battle of staying on top of what's new and what's fresh and as a result, an attitude to learn is absolutely essential.
What I really am happy to see are initiatives like CyberFirst or Women in Cyber which are really encouraging people who think they can't to realise that they are more than capable. I think we're making steps in the right direction, but we just need to keep at it and find those people who just need a little nudge to say you can do it and let us help you get there.
