Students step up to the cyber challenge
Students from about 40 French engineering schools offering courses in IT security had a chance to test their cyber skills earlier this year in a series of technical contests covering a whole range of cyberdefence categories. Organised by the Cyber Excellence Cluster (Pôle d’Excellence Cyber) in partnership with Thales, Telecom Bretagne and Airbus Defence & Space, the contest was the first of its kind in France. After a month of online qualifiers, contestants came to European Cyber Week in Rennes from 21-25 November to take part in a nerve-wracking final round.
Philippe Leroy, business development director for Thales's critical information systems and cybersecurity business, and Vincent Mattei, head of recruitment and mobility for France, talked about the challenge and the opportunities it opens up for students and for Thales.
How it happened
The competition kicked off on 21 October with a series of technical tests to be solved individually online. Students were assessed on the speed and skill with which they responded to a wide range of cybersecurity problems. This initial online qualification phase ended on 6 November. Then the top 48 students were grouped into teams of three to pit their wits against each other in a five-hour non-stop series of simulations at the final in Rennes on 24 November. Out of the 16 teams taking part, three were declared the winners. They were the ones who succeeded in minimising the damage caused by a fictitious international group launching cyber attacks against critical energy infrastructure. The nine members of the winning teams were each offered an internship at Thales and Airbus Defence and Space, and went home with prizes like computers, smartphones and connected watches.
Why did Thales take part?
Philippe: It was a way of showing students what we do in the cybersecurity field, and a chance to prove to them that we are capable of organising technical challenges that really test the skills of the young graduates who will be the cyber specialists of tomorrow.
First we devised 14 tests of increasing difficulty and put them online to gauge the contestants' abilities and select the best candidates to take part in the finals in Rennes. Some of the tests involved detecting and exploiting vulnerabilities in web servers and applications. Others evaluated encryption skills, which play a central role in most of today's security functions, and measured quality of execution, the ability to crack an encryption algorithm, key complexity and protection, etc. Yet others tested students' forensic skills based on their ability to trace and analyse attack pathways.
The initial tests were all designed to measure a combination of imagination and technical skills. They drew extensively on lessons learned in actual use cases involving penetration testing or audits of enterprise information systems. The tests addressed every aspect of the fast-growing cybersecurity market to cover as many of the skills that Thales needs as possible. We regularly use this cybersecurity expertise in our consulting and evaluation projects, and also to design and implement solutions like resilient networks, where our business lines face growing demand and have lots of job opportunities on the horizon.
Vincent: For us, one of the main takeaways from the event, and from our interactions with the students, was how little they knew about some of Thales's cybersecurity activities, like penetration testing for example. They seemed surprised to discover how many openings we have in these highly technical fields. We have solid experience and world-class expertise in this field, so we're always on the look-out for high achievers!
Taking part in an event like this helps to reinforce perceptions of Thales as a major player in the cybersecurity field. And above all, it helps us hire outstanding people. We are delighted to see how many CVs we have received as a direct result of our involvement in the challenge at European Cyber Week.
Why is it so important for Thales to recruit cybersecurity specialists?
Philippe: If we want to provide our customers with equipment and systems that are truly cyber-secure, we need to stay permanently ahead of the curve. The cyber field has changed a lot. The vast majority of companies and critical infrastructure providers are ill prepared to deal with the kind of powerful, coordinated attacks we have seen in recent times. In addition to the type of high-grade security required by defence ministries, for example, there is a growing need for "sovereign" threat detection capabilities offering the highest level of trust and performance. To be effective, these permanent new active detection capabilities rely on the same skills as the attackers, who are becoming more and more imaginative and better organised.
Official qualifications now exist for providers of the trust services needed to conduct cybersecurity audits, respond to cyber incidents and conduct forensic analyses. Our cybersecurity teams are steadily expanding, so training is a constant requirement. Cybersecurity not only helps us to reach our strategic business objectives – it is also a way to promote our capabilities to new customers so we can expand outside of our consultancy roles.
Vincent: In terms of figures, at the end of 2016, Thales is looking at 400 new hires in cybersecurity positions, half of them in France. We are looking for profiles like penetration testing consultants, cybersecurity engineers, IT security and ISS architects, security/risk analysis engineers, and cybersecurity bid & project managers.
We are looking for a broad range of profiles to cover all the different aspects of cybersecurity.
What else are you doing to raise awareness of Thales's cybersecurity activities and attract and hire new talent?
Vincent: We have a whole series of other initiatives underway both inside and outside the Thales organisation.
We are running recruitment ads in the trade press, often to coincide with technical features. We participate in events like European Cyber Week and encourage our employees to take part in hackathons. We will also have a major involvement in the International Cybersecurity Forum in Lille on 24-25 January 2017.
There is also an online communication campaign, with Thales employees talking about their jobs in cybersecurity. This is designed to encourage potential candidates to get in touch with their counterparts at Thales and share experiences on various projects and technologies.
Inside the organisation, we are promoting cybersecurity in a number of ways and talking about the training opportunities available to help people move into these career paths if they want to.
Philippe: Our involvement in FORCYS is a good illustration of how we are stepping up the training effort. This is a short, specialised training programme leading to a recognised engineering qualification in cybersecurity. The 12-month apprenticeship programme combines 120 days of classroom teaching, including a lot of practical exercises and projects, with time spent working in a company. It's a great opportunity for personal growth as well as professional development. It is aimed both at engineers who are already experts in their respective fields but want to acquire the cybersecurity skills that are now needed in their jobs, and at students with masters degrees in information systems or networks.
Thales is also investing in advanced cybersecurity training by supporting academic chairs. These chairs really demonstrate the level of excellence that has been achieved in this field by combining advanced mathematics skills for cryptography with expertise in computer sciences for information systems security.
Cybersecurity is one of the major new issues of our times, and Thales is helping to address the challenges by providing both financial support and technical input for these academic chairs, with Thales engineers working alongside faculty members as doctoral advisors. Thales also helps to promote events and symposiums on specific topics and supports training programmes at the Saint-Cyr Coëtquidan military academy, where we have created a masters programme in cyber crisis management. In addition, by supporting the chair in naval cybersecurity, where about a dozen doctoral students are working on ways to protect naval vessels and shipping from cyberattacks, we are helping to shape advanced research and development priorities based on an uncompromising assessment of security needs in this area.
Philippe: I would like to make two final points about the Cyber Challenge – one of them technical, the other behavioural.
Technically speaking, organising a challenge of this kind is a challenge in itself in that the website needs to be particularly well protected from unethical hackers.
When you put IT security challenges online, they regularly attract all sorts of people who try – usually with some degree of success – to bring down the server or even gain access to modify the tests. Contestants themselves may try to claim flags they haven't really captured. So setting up security for the server, which was hosted by an outside provider on this occasion, separating the tests and keeping everything under permanent surveillance was a real tour de force for the organisers.
This was the biggest IT challenge organised in France so far, and the fact that nobody managed to hack into the system after it went live at the end of October is a testament to the technical excellence, diligence and far-sightedness of the administrator.
The other point is about assessing contestants on their technical prowess and perseverance in different situations and operational contexts.
A technical challenge tests the skill, perspicacity and endurance of the people taking part. The contestants in this case were still students at universities and engineering schools, which makes their sheer technical stamina even more remarkable. To make people even more competitive, contestants could see the rankings of everyone else taking part. But we also wanted to assess how well they worked together as a team and how they behaved under stress.
Shortlisting the contestants based on an appreciation of individual technical abilities was just the first step. The shortlisted candidates were divided into teams for the finals, so we could also measure their ability to work collaboratively and solve a new challenge that required coordination and the ability to work under stress. For example, they had to recreate a map of the architecture of an industrial information system, which is one of the first things needed to protect a system properly. Then different types of attacks were introduced, depleting the company's resources and raising the stress level inside each team, which could see its relative ranking in real time. The way each team organised itself was another measure of endurance and competitive spirit. It provided valuable insights on the contestants' ability to work together to overcome technical challenges and limit the impact of the attackers' attempts to disrupt the system.