Cyber Security Month 24: Interview with John Madelin, one of the world’s most recognised Cyber Security Experts (part two)

25 October 2024 | Current General Interviews
Cyber Security Month 24: In the second part of the interview, John Madelin points out the failure to prepare students for the workforce, which is rooted in a rigid, outdated, and overly technical approach to cybersecurity education.

The American non-profit foundation National Cybersecurity Alliance (NCA) promotes awareness of cybersecurity. Its core activities include ‘Cybersecurity Awareness Month’ in October. John Madelin has over 25 years of experience in designing, building and managing cybersecurity. He has led security teams that have identified, analysed and mitigated security risks around the world.

This is part two of the interview with John Madelin, who, after six years at Cognizant, is now working as a consultant for the UK government.

You have just returned from a government and academic conference in Portugal on cyber education. This seems to be a new passion of yours. What was it about?

We recently attended a cyber education conference in Porto as part of our CSE Connect initiative, with two primary goals in mind. First, to meet with our US academic colleagues working on similar challenges, and second, to explore educational approaches in engineering disciplines, such as composite material sciences and adhesives technology, that could offer new insights for the cybersecurity field. Both objectives are part of our ongoing efforts to align educational standards between the UK, the US, and other global partners, particularly among the Five Eyes countries, and to bring in best practices from other technical disciplines.

One of the most valuable outcomes of the conference was the opportunity to compare and contrast how complex technical subjects are taught in other fields, and how these pedagogical approaches could be transferred to cybersecurity education. For example, just as engineers working with advanced materials must bridge theoretical knowledge and practical applications, cyber education similarly needs to evolve to integrate deep technical expertise with real-world problem-solving skills. The conference workshops allowed us to exchange teaching methods, share tools, and discuss pathways for improvement in both regions.

An exciting development from our discussions is the creation of four Problem Books aimed at enhancing the quality and consistency of cyber education in the UK. These books focus on four key areas: Routes into Cyber, Cyber Education, Cyber Employability, and the Cyber Education Community. Each of these tackles a different aspect of preparing students for the modern cybersecurity workforce, ensuring they are work-ready and equipped to address the complexities of cyber resilience and digital assurance. The problem-based approach will help bridge the gap between academic learning and practical application.

Additionally, we are collaborating with US academia in three Special Interest Groups (SIGs) to drive innovation and alignment in cyber education. The Working with Industry SIG focuses on creating better synergy between academia and employers, ensuring that educational offerings align with the career lifecycle and industry demands. A key focus is the development of talent pipelines and addressing the diverse expectations of employers regarding workforce readiness.

The Diversity SIG addresses the barriers to entry for underrepresented groups in the field of cybersecurity. We explored the need for a more inclusive approach to cyber education, one that champions equality and access while considering factors like gender, ethnicity, socio-economics, and neurodiversity. Promoting diversity in cyber education is not just about meeting quotas; it’s about tapping into diverse perspectives to solve complex cyber challenges.

Finally, the Innovation in the Classroom SIG explored how technology can transform education. From enabling remote learning and creating virtual labs to integrating real-world simulations that reflect current cybersecurity challenges, this SIG is dedicated to innovating what, how, where, and when cybersecurity is taught. The use of technology to model real-world threats and environments is essential to preparing students for a field where adversaries are continually evolving their tactics.

In summary, the Porto conference was a major step forward for CSE Connect in developing new educational frameworks and partnerships. By blending cross-discipline insights, international collaboration, and a focus on practical, real-world readiness, we’re helping shape the future of cyber education to meet the increasing demands of the industry.

You say that the old guard of cyber experts have failed to prepare their students for the world of work over the last 30 years. What is the failure?

This is still a relatively “young”, immature and rapidly evolving domain, and as such has been quite vendor- and technology-led over the last 30 years.

Historically, cybersecurity has been treated as a niche, technical field, often isolated from broader business and operational concerns. As things have evolved, digital systems have become increasingly complex and directly business-affecting, whilst simultaneously some core components of the critical Cyber piece have been commoditising and moving down the technology stack into IT Infrastructure.

This has required Employers to look for cybersecurity practitioners equipped to deal with the new environments, whilst graduates are emerging from their Education unaware, in real terms, of how security integrates with business processes, legal frameworks, risk management, and governance.

The evolution of this domain has accelerated over the last 5 of those 30 years, also affected by changes in the threat environment, with growing attack volumes, from a wider diversity of activities, supported by increasing business-enabled street-smarts of attackers.

So when I said “…failure of the old guard of cyber experts” I rather oversimplified! It’s more the fact that this is a complex patchwork of technology that has suffered from a lack of real attention from the business leadership and been slower to adapt to the pace of change than the environment within which it sits.

It has also been inhabited by training and certification organisations with a financial motive and vested interest in the way things are. Relying solely on certifications has created a workforce that is credentialed but not necessarily competent. Other training and education incentives (like the UK Apprentice levy) are tightly formatted around technical skills rather than combining those with a proper emphasis on competencies, the practical application of skills, and organisational complexities.

In the field, cybersecurity professionals close the practical application of skills gap in their day-to-day work, with spanners and cables. Of course, the real world gets more complex than just using a spanner, soon we find ourselves working across complex systems, managing real-time incidents, and having to navigate cross-functional ownership of not just technology and process, but also legal, finance, HR. However, universities are not training students in the practical application of these skills, focusing instead on passing exams rather than solving real-world problems.

The application of these real-world skills always reveals a competency deficit, a gap which closes with experience. Applying those skills in complex systems to perform at a high level in a dynamic work environment involves a combination of knowledge, skills, judgment, and behaviours without which Cyber defences don’t become properly ingrained, organisationally.

For instance, a student may learn how to use a SIEM tool, but without the analytical competency to understand the context of an alert or the decision-making skills to determine the right response, they are not prepared for a security operations centre (SOC) role. Shouting “Fire!” when there isn’t one is an expensive business, and failing to shout is destructive. That’s a delicately balanced and quite stressful line that analysts need to be ready to navigate.

This also requires soft skills. I have employed and managed a diverse range of practitioners, where neurodiverse and detail-oriented staff are a critical component. But this doesn’t mean in our ideal and diverse team that soft skills can be neglected. These are practitioners who may perhaps follow a different career path.

It’s become clear that the industry now requires more than just technical prowess. Communication, teamwork, and risk management are crucial, especially for senior roles like a CISO. And preparing students from the earliest moment to understand and navigate those paths with the opportunities they present is important. Even at Apprentice level we mustn’t condescend but instead, enrich the syllabus. Traditional programs often ignore soft skills, leaving graduates without the ability to present cybersecurity issues to non-technical stakeholders or lead incident response teams under pressure.

There are some signs of evolution here; yesterday I was chatting with Professor Angela Sasse, who has experience of both UK and German Cyber Education. She shared with me that in Germany, many students work in Businesses, and study part time. The students tend to challenge and engage more in the classroom, demonstrating their understanding of the practical application of their studies, which sounded refreshing when compared to the UK. If we can’t resolve an improved combination of working and studying then the introduction of learning environments which use live-fire simulations, cyber ranges, and ethical hacking labs to immerse students in realistic scenarios might be a compromise.

By the way, this lack of practical input of one sort or another is not the fault of the Universities, since they do look for input from Employers, but both educational institutions and Employers have often operated in silos, and the volunteers that Employers send to Universities are often disconnected from the rapidly changing demands of the cybersecurity industry, since the employers seemingly can’t afford to send practitioner-advisors, who are working long hours. This results in a disconnect from Industry needs, with courses and syllabuses which are designed by academics without direct input from the industry professionals who understand what competencies are currently in demand.

Seeing this problem through the eyes of a student also brings interesting insights. They tell us that unlike other domains worthy of their study-investment, in Cyber the syllabus, the career paths, not to mention the Demands from Employers and the roles aren’t clear.

Students tell us that they want a sense of accomplishment when they complete their studies, with proud friends and family, and tellingly, with an expectation that employers will pay a premium for their important specialist skill. Today, Employers aren’t paying a premium at entry level for “Cyber” specific knowledge and experience. Because of this confusion, they produce expansive, unrealistic job descriptions, and to mitigate their risk and recognise the cost of investment in non-work-ready students, ask for “3 years plus experience” for entry level.

To accelerate these adjustments in such a complex domain suggests close alignment between Employer, Training organisation, and Student, around a clearly articulated syllabus that is suited to the complexity and deep integration of modern IT, but also adaptable to change.

Meanwhile, given the technology vendor-led history, and the prominence of CISOs who have been proud to pick the latest tool, the training material continues to mirror these behaviours. This approach is still producing students technically trained but often ill-equipped for the practical and fast-evolving demands of real-world cybersecurity roles.

Conclusion:

The failure to prepare students for the workforce is rooted in a rigid, outdated, and overly technical approach to cybersecurity education. The focus on skills without fostering competencies and real-world readiness has led to graduates who are academically prepared but ill-equipped for practical work in dynamic, high-pressure environments.

To address these issues, academic institutions need to:

  • Engage more closely with industry practitioners to ensure curricula align with modern needs.
  • Shift the emphasis towards hands-on, practical training that mirrors real-world cybersecurity challenges.
  • Foster soft skills and interdisciplinary thinking to prepare students for the collaborative nature of the modern workplace.
  • Move from a skills-based approach to a competency-based model, where students are trained not just to know how to use tools, but to think critically, solve problems, and communicate effectively under pressure.

What needs to change?

Much of what needs to change I covered above, but here is a quick amplification of these conclusions.

Engage Closely with Industry:

  • Alignment with Modern Needs: Cybersecurity curricula must be developed in close collaboration with industry experts to ensure they reflect current threats, technologies, and practical needs. Regular engagement with businesses will help ensure that students are learning the most relevant and up-to-date skills. This will also encourage or “pull through to” the creation of certification programs that meet real-world requirements and provide students with better job prospects.

Focus on Hands-On, Practical Training:

  • Real-World Application: Theoretical knowledge alone is insufficient in today’s fast-evolving cyber threat landscape. Cybersecurity education needs to prioritise practical, hands-on learning through simulations, labs, and real-world case studies. By engaging in cyber ranges or live-fire exercises, students can experience real-world attack scenarios, better preparing them for incident response and operational roles upon graduation.

Foster Soft Skills and Interdisciplinary Thinking:

  • Collaboration and Communication: Beyond technical expertise, modern cybersecurity professionals need strong communication, leadership, and interdisciplinary skills. Cybersecurity today spans across legal, financial, and operational domains. Training programs should therefore integrate modules that teach teamwork, cross-departmental collaboration, and how to communicate technical risks effectively to non-technical stakeholders, such as executives or board members.

Move from a Skills-Based to Competency-Based Model:

  • Developing Problem-Solving and Critical Thinking: A competency-based model focuses not only on knowing how to use tools but also on critical thinking, problem-solving, and decision-making under pressure. This ensures that students can not only complete specific tasks but also adapt to new challenges, think strategically, and lead in dynamic situations. Competencies such as risk assessment, ethical decision-making, and adaptability must be incorporated into the education framework to produce well-rounded professionals capable of addressing complex and evolving cyber threats.

By reforming cybersecurity education to integrate these points, we can bridge the gap between academic learning and industry readiness, ensuring graduates are better prepared for the demands of the modern cybersecurity workforce.

You have supported a variety of cyber programs in academia. Can you give us some examples?

Throughout my academic and professional career, I’ve been deeply committed to sharing knowledge and fostering resilience in cybersecurity through several high-impact roles across leading academic institutions. As a former academic supervisor at Cambridge University and having lectured at Royal Holloway, UCL, and supported Oxford University on government projects, I’ve had the privilege of directly contributing to the education and development of future cybersecurity leaders. In each of these roles, I’ve focused on integrating practical, real-world insights with academic theory, ensuring students leave with not only technical skills but the ability to apply them in evolving, complex environments.

I’ve also been honored to serve as the Advisory Board Chair of RISCS (Research Institute for Sociotechnical Cyber Security), a body producing crucial cybersecurity research for the NCSC (National Cyber Security Centre). This role has allowed me to help shape sociotechnical research that explores the intersection of technology, people, and organisations, addressing cybersecurity from a holistic perspective. Our work ensures that cybersecurity strategies are informed by research that understands human behaviours and societal impacts, not just technical vulnerabilities.

Additionally, as a Co-director of CSE Connect, a body sponsored by the NCSC, I’ve had the responsibility of helping organise and align improvements in UK cybersecurity education. This role has given me the opportunity to collaborate with various institutions to ensure our education system is producing work-ready graduates, prepared to tackle the cybersecurity challenges of tomorrow. My passion in all these efforts is driven by a desire to ‘give back’—sharing my knowledge and experience to help build long-term resilience in the sector.

I believe that my work has contributed not only to individual student growth but also to strengthening the broader cybersecurity ecosystem by ensuring that the next generation of professionals and leaders are equipped to handle both the technical and sociotechnical challenges that define modern cybersecurity.

Part one of this interview was published on October 21, 2024.

John Madelin has over 30 years of hands-on experience in numerous front-line roles which have focused on the design, build, and management of cyber security—and included intense cyber incident management responsibilities. John’s experience spans government, banking, retail, manufacturing, and utilities. His practical approach is reinforced by his involvement managing one of the Industry’s largest Cyber-incident databases with Law Enforcement.

Long-standing membership of the security community has led to many prominent roles and responsibilities. In recent years, these include:

  • Drafting the UK Government public consultation document on the cyber profession;
  • Chairing RISCS, one of the leading research committees providing cyber security material to the UK Government;
  • Heavy involvement in the early days of the Verizon Data Breach Report;
  • Working with the analyst firm Cyentia (Wade Baker, ex Verizon DBR) on two years of Board and CISO interviews;
  • Becoming an Oxford Martin Associate on the topic of international co-operation, which became NIS2;
  • Offering guidance as an academic supervisor at the University of Cambridge;
  • Advising another large national government as a regular panel member;
  • Co-Director of CSE Connect, an NCSC-sponsored Cyber Academia professionalisation initiative;
  • Both CISO and Service Provider roles for large security enterprises.
