Business leaders are seemingly doing more to close the skills gap as demand for cyberskills, and for a more socially mobile and diverse workforce, grows. BAE Systems and the National Cyber Security Centre (NCSC) hosted a CyberFirst event in Manchester, and their work to close the gap can be read in more detail here.
Industry experts offer their opinions on the subject.
Richard Meeus, Security Technology and Strategy Director, EMEA at Akamai: If you’re a cybersecurity professional, there’s never been a time when your skills have been more in demand. As companies are growing increasingly aware of the threats out there and the implications of what could happen if they get breached, the onus on having a top-notch team is getting higher on the agenda. While things are positive for those trying to find a role, the other side is less so, with demand far outstripping supply. However, all is not lost, and there are various strategies companies can put in place to reduce the skills gap facing the cybersecurity industry.
Firstly, companies need to take a fresh approach when it comes to attracting talent, particularly in relation to entry level positions. The cybersecurity industry tends to rely on mathematical skills, requires analysis of defences and someone who can think laterally when penetration testing and has the mindset to evaluate risk. Looking beyond those with formal qualifications, many new recruits that have these skills can develop the more technical aspects like coding, ethical hacking and analytics on the job.
As well as a fresh approach to who you target, how it’s done is just as important. Creating innovative methods to attract people into the process is vital. A great example is gamification and the work done by GCHQ’s codebreaking masterclass. Open to all ages, ethnicities and genders, it levelled the playing field for candidates, creating an easy entry level for everyone and boosting the chance of generating a larger pool of raw talent – helping to increase diversity in the process.
Another tried and tested way to reduce the cyberskills gap is through apprenticeships. Through this method, fresh talent can study for the qualifications they require for full time employment, while learning the exact skills they’ll need with the company they’re working for. Additionally, apprentices don’t even need to attend university or college in person now and can do courses through online portals, leaving more time for on-the-job training.
Finally, it’s not just down to the industry to reduce the skills gap; the government has a big role to play too. From investment in education to specific initiatives, there are a number of ways it can help. Fortunately, it has been doing just that, with an overall National Cyber Security Strategy launched in 2016 and the £20 million Cyber Schools Programme.
The UK has a long way to go to eventually plug the skills gap overall, but there are now lots of ways that we as an industry, along with the government’s help, can do that – ensuring the country is fighting fit in the battle against the cybercriminals for years to come.
Stephen Jones, Managing Director UK and Nordics, SANS Institute: We hear a lot about the shortage of staff in the cybersecurity industry, but in most countries the issue is more of a skills shortage than a headcount shortage. The good news is that we are beginning to see some organisations recognising the need to develop less experienced staff in security skills in order to help solve the skills gap, both to transition more general IT staff to security and to bring in new talent and help them develop the skills and experience needed to take on security roles. As such, we expect to see companies continuing to invest in both the detailed technical training required for security professionals to keep abreast of new techniques and threats, as well as more entry level cybersecurity courses.
Another major driver of security spending this year will be increasing the skills of cybersecurity staff around cloud services and supply chain security, since rapid shifts in globalisation, demographics, work styles and work sourcing are transforming the way companies manage their businesses.
Indeed, in a recent SANS survey on workforce transformation, 54% of respondents identified increased reliance on cloud-based applications and data as a leading challenge for them. Respondents told SANS that they’re supporting a number of initiatives to support workforce transformation, including a transition to cloud-hosted infrastructure (51%), increased use of collaboration tools (46%), a shift to Software-as-a-Service (32%) and adoption of the remote office and related capabilities (29%).
These shifts, including the widespread use of cloud and off-site networks, open up new vectors of risk and potential threats and attacks, that companies must keep on top of. Companies are also increasingly beginning to realise that focusing on supply chain security and third-party risk is key, as this is so often the cause of a breach. Ensuring that security staff are well trained in these areas is therefore of vital importance going forward.
Along with cloud and supply chain, encryption and SecureDevOps are also a focus for many companies, so we expect interest in SANS training courses that cover these areas to continue to increase.
Last but by no means least, we are finally seeing more companies beginning to invest in security awareness training. In the past, too often organisations and their security teams have perceived employees as the weakest link, without investing in properly training them to recognise security threats. Instead companies have traditionally invested almost entirely in using technology to secure technology, ignoring the human side. What little training most organisations have done has been too technical and complex. Proper security awareness training requires simplifying security for people and reaching out to them in their terms. This is something that organisations are starting to do.
Sam Curry, Chief Security Officer, Cybereason: There is a natural maturation of security, and moving along it can feel anything but natural. Maturing hurts, and it can be prodded in part by regulations, suffering from an attack, an increase in general awareness or even new security leadership. By and large, the most advanced private sector organisations from a security perspective are banks, but that doesn’t mean all of them have been through all the growing pains and reached a ‘mature’ level by any means. This can vary enormously by size, geography and individual history and idiosyncrasies.
Hospitals and healthcare are different. Though generally not as mature from a security perspective, they are often highly sensitive to privacy, which is in some ways a related discipline with a direct impact on and from security. Most hospitals are wrestling with changes in infrastructure and understanding how to improve security without impacting the mission. Regulations here have a history of maturing fast in the wake of the financial sector, often adopting whole cloth the language of earlier banking regulations and reapplying them.
Retail has had its own independent growing pains, spurred on by the twin motivations of PCI DSS regulation and being the target of fraud. After banks beefed up security, the balloon bulged into other cash-out mechanisms like online commerce and gift cards – the payment of choice for fraudsters. Retail is still lagging banks in some regards but is generally ahead of other sectors, at least among the largest providers with the most readily available forms of cash.
However you slice it, though, the bad guys still enjoy the advantages in cyber and win too often. The security journey is just that: a journey. It is not a destination. This is a discipline with an active, adaptive, intelligent opponent, and while tools like Machine Learning and AI are in the advanced wave of the most effective tools to help, the real strength of a cyber programme is its people. All companies should be making an investment now, before the pain of an attack and breach is felt, in cyberskills and people. Cyber is here to stay because it’s just too easy for malicious actors, from organised crime to nation-states, to develop skills in offensive cyber — if you are a modern business, you are online; and if you are online, cyberskills and talent matter. Period.
Asma Zubair, Senior Manager, IAST Product Management at Synopsys: The cybersecurity skill shortage is a well-known and persistent challenge, and one with no simple solution in sight. At the same time, cyberattack volume, complexity and sophistication are increasing with each passing day. Interestingly, we are witnessing a wave of innovative ways in which organisations are working to solve the cybersecurity skill shortage in an effort to counter the growing number of cyberthreats.
Organisations are investing in automation to make up for the cyberskills shortage. We’re seeing that across the board in our customer base. Anything that can be automated is being automated to minimise the workload. This includes anything from filtering out spam and phishing emails to highly specialised software to test for software vulnerabilities. A new generation of software security tools is emerging that minimises the training and human expertise required. Such tools heavily leverage Machine Learning to take a good deal of the workload off employees. The rise of DevSecOps is supporting this automation trend, driving the need to do more with less, and faster.
With this pressure to deliver more with less, employees have little time to dedicate to training. To address this, software security products are beginning to involve contextual training and remediation guidance directly within the developer’s IDE.
Many organisations are working to develop processes and custom training programmes to recruit high-potential technical employees and train them as cybersecurity experts to perform highly-specialised jobs. Some of the best analysts and penetration testers I’ve had the opportunity to work with come from completely unrelated backgrounds. Some may not have a college degree or formal training aside from the custom on-the-job training they’ve received.
As CISOs are gaining prominence in the corporate world, we’re seeing their budgets and responsibilities grow as organisations continue to evolve. We’ve seen real-world scenarios in which CEOs are fired for cybersecurity lapses that have resulted in a breach. Due to this, we’re seeing a growing emphasis on training and the appointment of security champions to help mentor teams, ensuring security is accounted for in day-to-day operations. Many companies are even beginning to make cybersecurity training an MBO requirement.
Last but not least, crowdsourcing and services are additional strategies that organisations are investing in to bridge the cyberskills gap. For example, if your organisation is interested in network or application penetration testing but doesn’t have the resources, there are service providers you can engage. The concept of bug bounty programmes can also provide access to a pool of skilled talent.
Oliver Pinson-Roxburgh, Co-founder, Bulletproof: One of the effective ways in which companies can invest in upskilling their workforce in terms of cybersecurity and security awareness is to simulate a breach, which will highlight the weaknesses in the organisation’s security posture and get employees to reflect on the reason behind the practices they are required to adhere to.
We conducted one such initiative with a large supermarket brand, where as part of the simulated breach, pen testers were authorised to try to physically make their way into the organisation’s restricted areas. There, they checked employees’ desks looking for passwords written on post-it notes, unlocked machines and other potential vulnerabilities, all while filming the process. The video footage was then used for training purposes, so that staff were prepared for the eventuality of a real hack, in circumstances they could recognise.
Obviously, organisations opting for this type of training would need to consider the issue of naming and shaming, which can be circumvented by blurring employees’ faces that figure in the footage.
Another way in which many organisations opt to upskill their IT security function is to safely deploy malware to test their incident response plan, identify weaknesses and train professionals for the eventuality of a real-life attack. When we run these exercises, we design malware that will target the organisation’s servers just like a real threat actor would. Security teams are not informed about when the exercise will take place, and in most circumstances the training exercise will require some form of remediation.
Training and upskilling can also involve a fun element – where the workforce is not as tech/security-minded, exercises that involve entertainers, group tasks and games can help present the subject in an amusing and memorable way.
One such example is a training exercise that we ran at an NHS trust, where a magician would stop employees and perform tricks to raise awareness around cyber-risk and the most common threats they may encounter in their day-to-day. He performed a ‘reverse pickpocket’, where he’d leave a business card in people’s handbags to demonstrate how easy it would be for an attacker to get their hands on personal information, as well as other tricks to exemplify cybercriminals’ techniques, the importance of choosing unique passwords and tips on how to do that. Phishing simulations we ran before and after the exercise revealed that this method is particularly effective at reducing the likelihood that an employee would click on a malicious link, demonstrating increased security awareness.
Overall, the most important thing that organisations should bear in mind when choosing a training programme is to make activities as relevant to the workforce as possible. It is essential not to give simple exercises/questionnaires to IT professionals and not to overwhelm other employees with training that is excessively technical. Ultimately, humans are the first and the last line of defence, so structured, effective security training is a key component of any successful cybersecurity strategy.
Dr Aleksandar Valjarevic, Head of Solutions Architecture, Help AG: It is typically the scale and nature of an organisation’s business that determines whether it has a genuine need and/or capability to establish dedicated cybersecurity teams. Today, it is mainly the largest of organisations with pressing cybersecurity needs – such as large banks and government entities – that are making this investment. For the majority of businesses, however, it makes more sense to focus on setting up the right information security governance and working with the right partners on the selection, deployment and operation of cybersecurity solutions and specialised services.
There are clear benefits to engaging with qualified external partners – for one, today, every second vendor claims to have an end-to-end cybersecurity platform. In reality, these vendors tend to excel in certain technology areas and fall short in others. Finding the right balance between the security platform approach and best of breed point solutions is the key. It is here where the expertise of external partners is needed to identify the right mix of technologies and implement and configure them in an optimised manner, so that the organisation can have effective protection.
Organisations looking to address their cybersecurity skills gap can greatly benefit from the services model. This addresses the above-mentioned challenge of selecting and integrating the best point products, as with services it is the SLAs and technical proficiency of the provider that take precedence over the technologies themselves (although the underlying technology is of course still an important aspect). Clients therefore no longer have to worry about the solutions that are deployed, and instead can focus on identifying and engaging with the right service providers.
The future of cybersecurity therefore will be services-led. In five years from now, security will mainly be delivered as a service. While there is a definite market inclination towards the services model, organisations must still maintain a basic level of internal technical expertise. This is important to not only ensure better engagements and management of SLAs with external partners, but also to enable smooth internal operations, such as bridging the divide between GRC (Governance, Risk and Compliance) and cybersecurity teams.
Finally, no cybersecurity strategy would be complete without an organisation-wide awareness programme. Humans remain the weakest link in the information security chain, which is why we see cybercriminals focusing so heavily on social engineering and other attacks which exploit human behaviour. Modern awareness programmes must not only focus on training, but also on testing, such that user actions are fed back into the security controls. So, for example, if a user clicks a malicious link, a new set of policies and permissions must be applied to prevent the reoccurrence of such a threat.