Case studies of working in a security environment from GCHQ.

1. Information assurance policy development

Policy development might sound dull, but one of its biggest attractions is that every day is different. Quite apart from the discussion, research, thinking and effort that goes into drafting a policy document, there are countless 'issues arising'. With meetings, calls and sundry requests for information, you never quite know what's going to cross your desk. But you do know that what you're doing has far-ranging implications for the government and the wider public sector. A typical day could unfold like this:

08:20 (We work flexible hours, but like a few of my colleagues, I enjoy starting quite early.) Arrive, get a cuppa, have a chat and boot up the PC. So far, like any other day in any other office. Check emails. There'll probably be a few of these as I've been working from home without access to Outlook. (We can sometimes work from home, provided it's not classified work. The policy document I'd been drafting wasn't).

As it happens, there's nothing urgent or complicated, and I fire off my replies, then do the 'housework': transferring the file I was working on yesterday from my laptop to the PC. I check it over, make a few changes, then email it out to my colleagues and other interested parties across CESG. This is all part of the peer review process, and it's typical of our shared, consultative approach. The policies we develop provide advice and guidance on IA right across the UK's public sector, so it has to be 'fit for purpose'. Once it's gone, I keep half an eye on Outlook, waiting for the initial feedback. There's a lot of experience and expertise out there, and I await comments with some trepidation.

10:15 I get a call from an IA consultant working for one of the many government departments, who's unsure whether a recent change in IA policy affects his team and needs advice. The person who produced and 'owns' this particular policy area works part-time (we're good on flexibility) and isn't in today, but as I'm familiar with the issues I'm happy to talk it through.

Ten minutes later, I've grabbed a coffee and am heading to a briefing on the newly-created IA Career Stream. This is one of around 18 career streams in GCHQ that are a central element of the department's drive for greater professionalism. I learn that the 'IA Policy Developer' is now a recognised role within the career stream, which should assist me in my career development.

11:35 Meeting over, back at my desk. More emails, more requests for information or advice, and a couple of queries from colleagues, but nothing - yet - on that draft policy. It's early days.

12:15 Lunch. I could go to one of the cafes or restaurants in building (if you haven't seen it, you should. Award-winning, huge, complete with bank, gym and eating facilities, you'd be forgiven thinking it's a small town, which in a way, I guess it is), but I feel like eating at my desk and doing a little catching up on the internet.  Browse the latest news on Afghanistan and Iraq, something we're encouraged and almost expected to do, and check out a couple of IA-related sites.

12:50 Still awaiting response to my last policy document, so begin planning out my next. Policy is always changing and responding to new circumstances or priorities, so we're always working on new drafts and papers. Some can take a long time, others are pushed through more quickly. But each has to go through a due process of thought, research and consultation. I really enjoy the detail, and seeing it all take shape from loose thoughts to a robust, practical document. I'm just getting into it when I have to stop.

13:30 Attend our monthly policy developers' meeting. This is a good opportunity to  discuss how wider developments within CESG - such as the new resource allocation and prioritisation system - will affect us, and for us to brief colleagues on what we're working on and receive some feedback. Colleagues from other areas of CESG and another IA agency also attend, making this a useful knowledge-sharing event.

15:05 Back to check those emails. Still nothing. No surprise, really. We're all busy. I have a meeting with a colleague to plan the workshop we're running at the next IT Security Officers' Forum. This is intended to assist ITSO's understand and implement a recent IA policy change, but we need to plan the event carefully if we're to avoid causing confusion. Such workshops and presentations aren't uncommon, and will take some careful planning and preparation over the next few weeks.

15.50 Talking ITSOF, has reminded me that I'm visiting a government department in London next week, so I book my rail tickets.

15:55 Back to my next policy document. The more I read and think about it, the more I get into it. It's beginning to take shape and I even begin making notes on screen - the first step to actually beginning a draft. Not quite like starting writing a novel, I know, but there's something of that sense of excitement. Does that sound odd?

16:25 A final check of my email and at last the comments are beginning to come in. Some short and general, some more specific and detailed. Overall, it's good initial feedback with some really useful comments. Tomorrow I'll begin collating them all and reviewing what I've done. And so the cycle continues. Speaking of which, it's time to cycle home - all part of the green initiative.

2. Working as an evaluator

To use a metaphor, I'm a kind of gamekeeper, helping protect the government’s IT estate from all the hackers and hostile forces who want to get in and poach information.

It probably sounds melodramatic and overblown, but it's very real. The systems we’re protecting are mission-critical, and the threats we're facing are ever-changing and absolutely at the cutting-edge of technology.

To really enjoy the work, you need a blend of interests and skills. First and foremost, you've got to know a lot about a lot: cryptography, network security, threat modelling, hacking tools and techniques, software engineering, the list goes on. Second, you have to be able to think like a 'poacher' so you’re not caught totally unawares. Thirdly, you need good attention to detail. While some of the threats are quite crude, many are subtle and can require lengthy and painstaking analysis, which can be time-consuming, but also a great development experience.

And finally, there’s the 'commercial' side of things such as risk assessment and the ability to weigh security against business need. It’s not for everyone, but if you’re a specialist in security, this is the real front-line.

My main area of work has been in mobile security, helping government customers work with classified data on the move and at home. It’s work that requires a big technology stack: everything from disk encryption to server configuration.

I've not done everything - but I've looked at a wide range of products, from network and disk encrypters to Blackberry. I’ve been doing this job for a couple of years now, and am still finding new things to grasp.

It's a wide and evolving field, so you’re always likely to face new platforms or technologies. It's important that you enjoy learning. For example, I've been on projects involving police radios and e-passports which I knew next to nothing about, which was a quick learning curve for me.

Then again, it broadened my skills, and taught me that this isn't just a narrow technology role. It's important to understand what your customers are trying to accomplish, and find the best way to enable them to achieve it. That often means thinking on your feet – and sometimes having the courage to admit you don’t know all the answers.

Training helps, of course. When I first joined CESG, I had around three months formal development, and I've done around six more weeks so far this year - in such areas as programming, network and operating systems, windows internals and reverse engineering. That doesn’t count the 'on the job training' working alongside more experienced colleagues.

Downsides? Yes, there are some. CESG is part of a big government organisation, and that can sometimes have issues with communication and speed of response. The very nature of the work can be hugely stretching, and it’s sometimes hard to tell how well you're doing: our work's largely preventative, so we rarely know when we’ve prevented a threat.

On the other hand, we always know when we haven't! 

Money wise, I could certainly earn more elsewhere, but weighed up against all this there's the flexibility, the people, the potential and the exposure: I've been to the US twice, and went to a hacker conference in Berlin last Christmas. Most of all though, the appeal lies in developing skills I don't think I’d acquire elsewhere. It certainly opens up a lot of options within the department.

As they say, gamekeepers also make good poachers!

3. Working in intrusion

I joined CESG straight out of university and started my career in the intrusion detection research team within Network Defence.

This team works with many other agencies, at home and abroad, to help keep HM government communications and IT systems safe from hackers and other threats. The frequency and complexity of attacks is increasing, as is their focus.

For example, we're encountering attempts to penetrate specific networks or applications, so our intrusion detection systems and techniques have to be state-of-the-art by necessity. My team achieves these through cutting-edge research and by using our discoveries to help develop new solutions and services.

Before starting, I hadn't really had much experience with electronic attack or malware. And certainly not on such a scale, or with such potentially damaging outcomes. Much of my time is spent analysing threats to central government networks and IT systems, which includes such areas as examining the latest zero-days or reverse-engineering malware to discover its intent.

This work is technically challenging and very much hands-on. I also spend time working with CESG's analysts, understanding their needs and developing new software tools. It would be great if we could simply buy these as 'off-the-shelf' commercial solutions, but most times we can’t - and so it's a case of adaptation and invention.

To begin with, the amount of stuff I had to get to grips with was huge and daunting, but the organisation - and my team - is extremely supportive. I benefited greatly from working closely with others and sharing their experience, while the formal training has been outstanding.

CESG is totally committed to keeping its people fully up to date with technology, and since joining I've been on numerous courses and attended several of the big security conferences and conventions all over the world, all designed to keep me that one step ahead.

People out there are trying to outwit us, and we’re trying to outwit them, so the work is fast-moving, and infinite in variety and challenge - quite literally.

Knowing that what I’m doing is making a real difference to the security of the UK is also hugely rewarding.