The cyber security skills gap is troubling. teiss talked to three leading cyber professionals to get their insights into how it can be addressed.
The DCMS and Ipsos MORI report ‘Cyber security skills in the UK labour market 2021‘ has recently been published. teiss has thoughts from leading members of the security industry.
Since the previous reports in 2018 and 2020, the overall situation seems to have improved – there are fewer skills gaps, senior management seem to understand cyber security risks more, and more organisations are taking steps to understand and fix their training needs.
However, there’s still a long way to go – 50% of UK businesses still have a skills gap for basic cybersecurity skills; such as storing or transferring data, or setting up firewalls. Diversity is still a serious issue, with ethnic minorities and women each only filling 3% of senior cyber roles. And only 10% of businesses outside the cyber sector have provided cyber training for their wider staff. Interestingly, the impact of COVID on cyber security skills was limited – job postings dropped between March and April, but had bounced back to pre-pandemic levels by August.
Piers Wilson at Huntsman: communication and skills development
Piers Wilson, Head of Product Management at Huntsman Security, discusses how security teams can keep helping the wider organisation understand security; and how they can take the load off themselves to focus on the skills that really matter.
“While awareness of cybersecurity is increasing all the time the technological elements remain complex, and for many people – users, managers, IT admins, developers alike – there is still a gap in understanding. In many cases this comes down to the way people talk about, present and share information about cybersecurity risks.
Spreading the cyber message
The security industry needs to avoid complex terms and industry jargon that make it difficult to understand the implications of cyber security policy and the risks the organisation faces. The board and wider business can only make cybersecurity the priority it needs to be if they understand it.
“In addition cybersecurity processes and tools need to be focussed on outcomes that have wider meaning. So that the whole organisation, from the board to security teams, can understand cybersecurity posture at a glance – knowing what’s going well, and what needs to be addressed. This wider understanding of the state of cybersecurity defences and processes can help to grow cyber awareness and ensure it isn’t just an afterthought. These ways of measuring cybersecurity maturity also need to be expanded to any partners or suppliers a given organisation is working with, making it easier to decide whether the partners and suppliers are safe to work with or not. We’ve all become familiar with ‘COVID Secure’ policies over the past year, and in many ways businesses still need to become more ‘Cyber Secure’.
Focussing on the skills that matter
“Lastly, cybersecurity teams can never learn every single tool and technique they need to tackle today’s widening threat landscape. Teams should be looking to harness machine learning and AI to take the load off them by dealing with more simple attacks automatically, as well as investing time in emerging frameworks for threat classification and understanding like MITRE ATT&CK. This will allow them to spend more time dealing with more sophisticated attacks in a more competent way.”
Amanda Finch at the CIISec: Diversity, burnout and soft skills
Amanda Finch, CEO of the not-for-profit Chartered Institute of Information Security (CIISec) has shared her thoughts on some of the report’s findings across four key areas: diversity, recruitment, the softer skills cyber teams increasingly need, and the ultimate effect of burnout on cyber teams if these issues aren’t addressed.
Diversity in the security industry
“The fact that diversity is still a major problem is disappointing, but not altogether surprising. Our own recent survey of women in cybersecurity found that just under half feel unwelcome in a “boys only club”, and women made up only 10 percent of respondents to last year’s State of the Industry survey. It’s clear that the profession still has much work to do to embed diversity and inclusion within organisational cultures.
Doing this means reaching the next generations of cybersecurity experts. For instance, we need national education programmes, apprenticeships, and partnerships with schools and universities to encourage more young people from diverse backgrounds to consider cybersecurity as a career. When hiring for a role, organisations should take steps like simplifying job descriptions or extending deadlines to encourage more women and other minority groups to apply.
The pandemic has also created a unique opportunity to hire from a wider geographical area, due to the acceleration of the trend for remote working: something organisations should take advantage of to reach a more diverse pool of new hires. By embracing individuals of different genders, ages, class, education levels and experience, organisations can build stronger teams to defend against rising threats.”
Cyber stress equals burnout burnout
“Stress and burnout in the cybersecurity industry were a challenge even before COVID-19. CIISec’s last State of the Industry survey found that over half (54 percent) of cyber security professionals had either left a job due to overwork or burnout, or worked with someone who did. However, the issue has no doubt been made worse by the added pressures of remote working, as well as the rise in threats from opportunistic attackers looking to profit from the pandemic.
To combat this, there needs to be an emphasis on understanding the psychology of security teams. What is making them stressed? What will reduce that stress? How can we reward them for their work? Organisations that can answer these questions stand a better chance of cultivating a security team that can operate effectively despite pressures. Security teams and wider organisations must also collaborate more with HR departments. Proper communication will help organisations understand the pressures security teams face, helping to build empathy and patience between both parties. Additionally, where necessary, HR can step in to provide support or even approve time off for stress if required. All of this will be key to building a happy, rested security team that will continue to defend against threats to the best of their abilities.”
Issues with recruitment
“Cybersecurity recruitment is in need of an overhaul, with communication between recruiters and organisations currently poor. The fact is, challenges in recruitment come from all sides – from organisations being unclear or over demanding and recruiters not understanding the roles, to a lack of confidence or skills from applicants. Rather than pointing the finger, we need a collaborative approach to addressing these issues. One example is unrealistic and intimidating job descriptions which over-exaggerate the skills and experience needed for a role. Considering that women only apply for roles they are 100% qualified for, whilst men will apply if they meet 60% of the qualifications, this approach may be alienating women and other minority groups.
Communicating the fundamentals of a position – who the organisation wants to hire, what skillset is actually needed, what training applicants can receive – is crucial, as is providing accurate job descriptions. It is also vital to give HR and recruitment staff a greater voice. This could be through welcoming them to speak at cybersecurity events, sit on panels, or join webinars. This way, HR and recruiters can join the conversation, and make sure the whole organisation understands exactly what it needs.”
“Awareness of cybersecurity does appear to be growing, with budgets increasing and DCMS finding it has been a record year for the industry. However, awareness is not the same as understanding – which this most recent report indicates is still very much lacking. If organisations do not truly understand cybersecurity, and that it is a crucial part of business strategy that directly impacts key business outcomes, then they cannot build a strategy that has security at its heart. This is a major hurdle for the industry to overcome, and doing so needs to be a priority. Communication and education will be key.
If security teams are going to align with the wider organisations, then they must be able to understand and properly communicate business risk; including levels of risk, what risks are and aren’t acceptable, and how best to mitigate them. They will have to coach employees to reduce, recognise and react to threats; including staging mock attacks to make the risks clear. Executing this properly demands more than just technical skills; security teams also need the “soft skills” necessary to teach, manage and communicate with their co-workers at all levels. Recognising these skills, and either training the right people or hiring them in, is an essential part of 21st-century security best practice.”
Charlotte Davis at Insight: user awareness and diversity
Additionally, Charlotte Davis, Cyber Security Practice Lead for UK & EMEA, Insight, discusses how organisations must prioritise user awareness training and encourage greater diversity into the industry, if there’s any chance of closing the widening skills gap.
“It’s reassuring and positive for the industry as a whole to see evidence that progress has been made in terms of core cyber security skills and resource development within the UK, but it is evident on a daily basis that there is still work to be done to bridge the widening skills gaps. User awareness training at all levels is still one of the most cost-effective and successful ways of creating a first line of defence, so this should continue to be a priority for all organisations. Threat actors consist of a broad spectrum and have become increasingly creative, for example, in the growth of reliance 5G due to remote working: siloed training in one area alone will not be sufficient to maintain pace with these threats.
Instead, employees need to be educated about all risks – especially those which can be easily avoided by questioning all unusual activity and seeking validation before, for example, clicking on any unexpected links from an unknown sender. The most successful cyber-attacks we see are still the result of internal action or behaviour. For example, socially engineered phishing attacks or oversights that leave sensitive data unprotected have a much more attractive return on investment than a brute force attack. Regular training has to maintain skills and ensure that cyber risk and awareness is always front of mind.
I am seeing increasing and tangible evidence of diversity and recognition of the value of diversity (gender, neuro and cultural) within the cyber security sector and I think that more than any other sector today, there is a broad understanding that without true diversity we will expose blind-spots within our critical thinking capabilities. To think like any attacker we need to have value and consider experience and expertise from all perspectives.
It shouldn’t be any harder to train employees remotely compared to using in-office training and awareness programs. Organisations are only as strong as their weakest link from a security posture perspective so, from front line employees up to more senior cloud security experts, every organisation should invest in ongoing and regular cyber security training for all employees. This includes formal certifications such as the (ISC)² CCSP training for cloud computing security risks and mitigation strategies to ensure that any gaps within a provider based multi or hybrid cloud scenario security profile are visible, understood and solutions designed to adapt to organisational change indefinitely.”
Main image courtesy of iStockPhoto.com