British Prime Ministers always used to come from Harrow or Eton, while senior civil servants are traditionally Oxbridge-educated. But when it comes to the higher echelons of IT security in the UK, it seems you just can't move for people who got their training in the Royal Air Force.
Whether you look in banks or building societies, government establishments, retail or even the record industry, the chances are you'll meet people in senior roles who learned about security in the service of their country in the RAF. So what is it that created this unofficial network of people that some have jokingly dubbed 'The Rafia'?
SC Magazine got a chance to find out when Martin Smith, head of The Security Company in Bedfordshire (and a former squadron leader), offered to gather some of his old acquaintances together for a reunion lunch, and to discuss their early experiences. And so on 14 October, we all met up at Smith's offices for the first Rafia Lunch (complete with menu bearing the image of Marlon Brando in his role in The Godfather).
The former servicemen were soon explaining what it was about their RAF days that had equipped them for high office out in the commercial world.
Steve Jackman, now head of security risk for Barclays Bank, summed it up for many: "In the RAF, you have to make decisions quickly and I think that is appreciated in the commercial world. You also learn to talk to people at all levels, from senior officers, down to the clerks and the office cleaner," he said.
"The RAF required a great deal of pragmatism and, because IT security was new, a lot of negotiation and awareness, all of which gave a good grounding for developing in the profession."
Many of them were involved in determining the early IT security policies and procedures that the RAF initially developed for its own purposes, and then fed out to the other services. And, like Smith, most of them had been employed in the Provost arm of the RAF, a combined force covering police and counter-intelligence duties.
In the days before the Berlin Wall came down in 1989, most of the activity was directed against the Soviet Bloc and potential military espionage. And with the introduction of desktop computers and networks to handle information, the force needed to develop standards fast to manage computer security.
Several of those present played a large part in those early developments. Bill Mitchell, now head of IT security awareness at BAA, recalled: "With standalone desktop systems, we realised we needed to put security around them, and designed our own courses, which became Compusec 1 and 2."
Part of the challenge, as he discovered, was in convincing people they should treat computer data with the same care and respect as paper files. This was thrown into sharp relief when in 1991 an RAF officer lost a laptop containing the full battle plans for the first Gulf War.
Mitchell took part in the investigation, which ended happily when the culprit – a self-confessed "patriotic thief" – returned it. On another occasion, Mitchell investigated a senior officer who had left a PDA with masses of sensitive data on it in a plane when he was travelling. "It was an uphill struggle, but enjoyable," he recalled.
At the time, the RAF was following the Orange Book, the standard for trusted systems developed by the US Department of Defense. Smith and a team took charge of developing it for British use.
They had to make a lot of it up as they went along, he admits, and in 1988 he got a few people together for lunch at RAF Brampton to discuss the idea of creating some new standards. "The people who wrote BS7799 were at that lunch – such as David Lacey, who was then at Shell," he recalls. The meeting produced some of the ideas that he and others went on to develop for the introduction of computer networks and office automation. "We were turning the theoretical Orange Book into something that was not only operational, but also affordable," he said. "We were right there at the beginning, and much of the stuff we do today, I believe, comes from that work in the mid to late 80s. I don't think any of us at the time knew what was going on. We were just taking the process and procedures we'd had for decades for the written word and translating it to the electronic world."
Also on the team was Bill Pepper, now director of security risk management for CSC, who reckons the RAF prepared him and others well for the commercial world. "We got a breadth of experience, and in the culture of the RAF security was second-nature," he said. "The trouble is that many IT security people don't understand the broader issues."
Furthermore, IT security in the RAF continued to develop during the 90s, ahead of many of its commercial counterparts, according to Terry Cairns, who now heads physical security at Vodafone. "In the late 90s, there was a move away from strict risk avoidance towards risk management," he said. "Instead of having a set of procedures for each activity, as we'd had before, we switched to a matrix of threats and risks."
The skills he picked up transferred well to the commercial world, he says, and are appreciated by senior management. "We can explain the risks and manage costs much better," he said.
No wonder then that those sitting around the table had found senior posts in the police, Rolls-Royce, Cable & Wireless, Johnson Matthey, Barclays, Next, the NHS, BAe, Boeing, Prudential and UBS. But what about the future? Is the RAF still producing well-rounded people to fit into commercial roles?
"You have to remember," explained Mike McLaughlin, director of security for Rolls-Royce, "that in 1992, the RAF had around 120,000 people in it. The force is now down to 50,000."
Nevertheless, most of those present said that they would look favourably on applications from ex-RAF people for IT security roles. Indeed, some already had CVs of those on the point of leaving the force. It looks as if the Rafia will continue to exert an influence in IT security.
And they might need to book a larger room for next year's lunch.