This article was first published on SC Magazine
The skills gap is a growing concern for all those involved in cyber-security and was the topic of the recent parliamentary hearing by the Joint Committee on the National Security Strategy. The Joint Committee session was an important opportunity for industry to provide its views and underline the growing importance of cyber-security in Critical National Infrastructure. In particular, the introduction of the Network and Information Services Directive, which will impose fines of up to £17 million or four percent of turnover, whichever is the greater, for inadequate cyber-security, should be concentrating minds.
It is clear that a wide range of action is needed, from developing psychology skills, to creating excitement and engagement among children through initiatives such as PA Consulting's Raspberry Pi initiative, to looking to the future and the promise of artificial intelligence.
Clarity is needed about what is meant by cyber skills.
It is estimated that around 90 percent of cyber-breaches occur because of human error, yet too much of the focus on cyber-security is about getting people with the right technical or programming skills. We also need people with the skills to understand the human factors that can be the weakest link in many organisations. Fraud resulting from social engineering emails gives attackers over four times the revenue of ransomware attacks, underlining the fact that effective cyber-defence needs people with a broad range of abilities in psychology and organisational cultures as much as technical skills.
Increasing the number of people with the right skills starts by creating excitement and engagement in children.
We need a national figurehead and role model for cyber, just as we have Brian Cox for science, backed up by work in schools to inspire children about the potential of cyber.
PA's Raspberry Pi initiative, which this year involved Maggie Philbin and Rory Cellan-Jones, is a great example of how this can be done. This is a competition where children have to identify an industrial problem and solve it through programming and implementing a solution using Raspberry Pi. This gives children an insight into careers in digital technology, not just how to build a solution but how to implement it in a business using communications and business change skills. The Department for Culture, Media and Sport (DCMS) is already doing great work in this area with Cyber First and Cyber Challenge, but more should be done, including securing greater involvement from industry and the media.
Managing the skills lag.
Whilst this work to inspire the next generation is vital, there will be a time lag before they join the workforce. To address this we need to help re-train existing staff or reintroduce people to the industry following a career break. Some of the very best cyber-professionals are those who have developed their cyber-skills alongside more general business experience. They know how to engage with the business to deliver changes in the ways in which we manage cyber in daily operations to make it more effective.
Learn from others.
There are several countries which are very successful at bringing people with cyber-skills into industry. They tend to embrace cyber as a positive development rather than viewing it as a threat. For example, Norway and Israel, which have national service schemes, 'cream off' the very best cyber-talent and use their skills for a period of time before they are placed into industry. Here in the UK we have a good programme of cyber-reservists but we should now look at how the development of these skills can lead to better career progression for them.
Industry should do more.
There have been some great recent initiatives where industry is playing a bigger part in dealing with challenges faced by the UK, such as tackling online child exploitation. PA has worked with an industry consortium on the WEPROTECT initiative, which developed solutions by industry to protect children better. The initiative, led by Baroness Shields, produced not only technical safeguards but also practical ideas on how children could be given the skills and tools to protect themselves.
A similar initiative which looked at ways to increase wider cyber-skills across all ages would have significant benefits for the UK. This would not only protect younger children and people who are vulnerable online, but it could also lead to increased interest in following a career in cyber security.
Automating the mundane, skilling up for out of the ordinary.
The growing volume and diversity of cyber-attacks mean that humans struggle to cope with defending against them. One option is to use Artificial Intelligence and machine learning technologies such as DarkTrace, which are focused on automating the detection of anomalies across an organisation.
The growing sophistication of cyber-attacks is making mitigating them ever more complex. As a result, we need to continually improve our cyber-skills. The DCMS plan to consult on creating a single professional body for cyber will help with this. We also need to recognise that, in order for skills to remain current, the traditional career path of spending many years with one organisation is no longer relevant. What we need are cyber-professionals who have had a variety of career experience.
It is encouraging that Government and industry are increasingly working together to tackle this critical issue but there is much more to be done. The stakes are high and getting higher and we need action now to secure the right skills that will keep us secure.
Elliot Rose is head of cyber security at PA Consulting