This article has been edited by SPRITE+ Research Associate Dmitry Dereshev, with written responses and edits from Professor of Systems Security Siraj Ahmed Shaikh.
Today the spotlight is on Siraj Ahmed Shaikh – Professor of Systems Security at the Institute of Future Transport and Cities (IFTC) at Coventry University. He is the Interim Director of Research for IFTC, and also leads the Systems Security Group involved in automotive and transport security. Some of Siraj's latest work includes:
Siraj presented at TEDx Coventry University back in 2016.
How would you describe your job to a 12-year-old?
I help build things that should work the way we expect them to work. I work with systems security, the security of things that are connected, like vehicles or ships. I want to discover new ways of making sure that the systems work securely, as you would expect them to.
Could you describe what you do during a typical workday?
It is a traditional academic role with a mix of teaching, training, and research. Sometimes I have to zoom into a very technical discussion to make sure that a PhD student’s methodology is correct, and their experiments are correct. And then, in the same day I would have very high-level management meetings where we are taking a helicopter view – it is much more managerial or operational. It is quite a mixed environment in that sense.
The University wants you to take more responsibilities, wants you to manage more. But I enjoy the science. It is not easy to do, but I carry on with my science as well.
Could you describe a challenging project that you’ve recently worked on?
Our particular focus is to help industry have secure methods and tools to assess risks, and then to test and verify systems that we are helping them build.
Our focus is on the automotive industry, where we work with manufacturers, or people who provide consultancy, advisory and assurance as a service. They would be driven by compliance to certain standards that mandate a level of rigour in the design, a level of risk assessment for those systems and so on. The standards are not necessarily legal, but they are recommended by the industry or the scientific community when it comes to designing secure systems, and we help automotive industry with that. We are working with maritime industry as well, this is fast developing.
Things we are particularly looking at are: how do we model threats? How do we represent threats to these systems? We propose a certain modelling framework, and we contribute to building and extending that framework. We also look at testing. Testing is something of an assurance technique that is very widely used in automotive industry, and we are helping build that testing capability. This allows companies to demonstrate new techniques to securing technology. Here is a link to a current example. This is a project that we are involved in working with Southampton University, and working with a couple of industry partners, to look at how we use very low-level analytics on chip to help secure the automotive industry.
What training/experience did you have at the start of your career?
I had a very traditional start to my academic career, having an undergrad degree (Computing at Northumbria), a postgraduate (Computer Networks at Middlesex), and then a PhD (Computer Science at Gloucestershire).
I am a big believer in continuing professional development as well. I make sure to take some training courses, working on learning new ideas, new concepts, new tools. A couple of years ago, I did a training at the MIT Sloan School of Management in the US, where we were looking at driving strategic innovation.
Doing research is one thing, but trying to make sure that companies and whole industries benefit from it, is a whole different activity. I am very interested in trying to understand how to commercialise my research, how to achieve more impact. I think this is where that training programme was very useful.
How did you get into your current role?
The journey to Professor is built on a number of typical ingredients: working on research projects, working with industry partners, writing papers, working with PhD students, building teams, and trying to address some key scientific problems that are worthy of addressing. The key thing is to take leadership in a certain field. This is important for any research leader.
For me, it has been the automotive interest. During the last 5-6 years the automotive cybersecurity has become quite a challenge. And we at the university have decided that this is an area that we need to take seriously. We want to work with automotive industry, we want to work with industries that are aligned or related to this or interested in resolving this. We want to work with the whole ecosystem to make sure that the transport of the future is secure.
Once you understand the bigger picture, and once you understand where the different parts of the ecosystem fit, you have a choice whether you want to take that challenge on. That is what I did 4-5 years ago. We decided that we want to build a group that does this. Now we have around 6-7 researchers full-time, with around 10 PhD students. We are trying to recruit more PhD students and trying to grow the group slowly. We are on a journey.
What do you wish you'd known when you started your career?
I wish I'd known that science is a lifestyle choice, not just a career. When you are on a journey of science and technology, you begin to adapt to it, not just professionally, but it affects all your life.
The one thing that has definitely changed for me is an obsession with truth, an obsession with making sure that whatever factual, detailed information I am getting from anything that I do, whether I am shopping, or reading a book, I am making sure that people are using the right means and methods to arrive at a truthful understanding. That is the journey of science really, you are trying to discover insights and principles underpinning our technology, our world.
I have been working on it for over 20 years now, it informs your mindset, and then everything that you do begins to feel like that. Many times I am doing things for leisure, and then I would be interested in what was the academic rigour that was applied to that, even if it is not my job.
What would you recommend to people who want to follow in your footsteps?
I would recommend that they do a couple of things. One is that they get clarity on the problem that they want to address as quickly as possible. The second thing is, then they commit themselves entirely and fully to solving that problem and understanding the scientific method. I have benefited from trying to understand the challenge and then addressing that challenge very clearly.
I think good scientists, including people that I learned from and I admire, take on a problem and they go some way to addressing it. I would call that a fulfilling career, a career where you feel accomplished.
How would one know that the problem they want to tackle is good?
That in itself is a challenge. I think you need to appreciate the problem from a number of different points of view. For example, going back to my problem, you might have heard that some cars which have keyless remote entry suffer from lots of thefts – people steal them. And they come up with technology-driven ways to steal them. That is a problem that should be solved because the industry does not want thefts. But the police is very interested too.
To me, it may be a technical problem, a flaw in the cryptosystem that was implemented or whatever. But to the police it is not just the crime of theft. Criminals steal cars to commit other crimes: it could be violent crimes, it could be drug-related crimes – all kinds of things. So, the police is very interested in addressing that.
Working in a lab, I would not necessarily appreciate that, if I did not talk to those stakeholders, and understand that this is an important problem, not just because we should have correct cryptosystems, but also because it affects people's lives and undermines trust, it facilitates more crime. That's how you begin to understand the problem.
Then you begin to think about not just the technical security, but, for example, that it could contribute towards undermining trust in these new technologies on vehicles, if you do not secure them well enough. So it is all about understanding the wider picture and then realising whether this is a problem you want to address.
Talk to as many other people as possible who might also benefit from solving that issue. Who are stakeholders in that problem?
What troubles did you have progressing through your career?
Many times you would apply for a new job or a project, or submit a paper, and then it will get rejected. I think that is something that you really need to accept. Having a healthy attitude is very important. Early on, I had to accept that. Some people get very disappointed or very concerned, they just cannot handle rejection or failure. I think this is something you really need in this lifestyle and career – you really need to overcome and build around this. It was very key for me.
Very early on I decided that there is no such thing as a failure. Every time a reviewer comes back to you, you have to be grateful because they have spent time looking at your work. It does not matter what assessment they have come to. Even if 10% or 20% of it is honest and driven purely in the interest of science, then you need to be grateful for that. I think that has been very important, because at every stage in your career, if you enjoy what you do, you are likely to excel in it. And if you excel in it at that stage, you are likely to progress on to the next stage.
I have been able to win some grants, lose some grants, publish some papers, not being able to publish some other work, but making sure that we take a healthy approach, and build a team of people.
I think building teams is very important. I think it should be a compulsory requirement almost, for people who progress through their careers to help people who are earlier in that trajectory. I used to be an assistant professor once. Now I am helping other assistant professors and PhD students. This is very important to build a team.
Where you have learned a few things, you need to pass on those skills and knowledge, and that attitude to others. I have been very fortunate to have some very good, smart colleagues work with me. And I have learned from them and benefited from them. It is a team sport, and a number of things come together to help your career. You progress.
What one stereotype would like to dispel about your job or industry?
I think we need to dispel a picture that science is not relevant. But it is not just an external stereotype, it is something that scientists also need to work on. And make sure that even if they are working in the labs, they need to open the windows at least, so people can see them, and the scientists can also see outside as to what is troubling people.
The coronavirus situation is a perfect example. Once this virus has struck us, we have all been working with scientists hand in hand. And scientists also need to work with people to understand the less technical aspects of this virus. How are people managing to work at home? How is their mental health? How are people reacting in situations of panic? How do you make sure that you get accurate information? What cultural, social, and lifestyle changes will come out of this in the longer term. People care about all of those things.
The message to the outer world is that people need to understand science and that science needs to inform policy, inform practice. Otherwise we end up in a dangerous situation, where we may not recover from some of these big problems. The coronavirus situation is one example.
How would you describe your research or business interest in relation to SPRITE+?
I am interested because a lot of the community are people that I know of, and a lot of the themes and problems that SPRITE+ members are working on are areas of interest to me. I am a strong believer in the community-driven efforts. Anything I can do to help or take part in would be of interest.
How do you hope to benefit from working with SPRITE+ network?
I have a number of early career colleagues who might be interested to take part in any of the events, workshops or training that SPRITE+ may organise. They would benefit from more multidisciplinary research and training in research methodology.
I am interested in how we can train people in social science research methods, and in multidisciplinary methods. We get a lot of people who are computer scientists or engineers, we cover a lot of technical ground, but what I would welcome is people who are more interested in looking at non-STEM areas and their research methods. People from economics, business schools, social sciences, policy, international relations, linguistics – how could they come together and address these problems? That kind of training would be very useful.
Which of the SPRITE+ Challenge Themes can you relate to from the job role that you do? How does it impact your role?
Digital Vulnerabilities, for sure. A lot of my work in the automotive security area would sit there very nicely.
Also, Digital Technologies, Power and Control. I think that is important as well, but not so much in terms of power and control, but in terms of decision making, and perception. We are working with colleagues at Reading and UCL, and with the National Cyber Security Centre to look at corporate board level decision making around cybersecurity. Particularly we are looking at their cyber risk perception. This is a project where we bring together people who understand decision making in the corporate world, looking at board level decision making and then looking at more technical kinds of risk, threat, and incident response. How ready are they for cybersecurity and effective cybersecurity decision making? That is a project which is very interesting, and I think would align very well with Digital Technologies, Power and Control.
Call for Events is now open! We're supporting Members and Expert Fellows to lead activities that explore aspects of TIPS in the Digital Economy. We will help to organise the activity with up to £5,000 to cover the associated costs.