Much has been said about the information security industry being short of skills. Businesses and their security teams are now facing adversaries that are well funded, better resourced, organised and expert in their own areas of cyber-crime. This is compounded by the growing array of devices connected to corporate networks and a huge expansion in the number of places and ways data is stored, transferred, processed and accessed.
This massive diversification and expansion in the scale of threats has been matched by the levelling up of legal and regulatory pressures, with the likes of GDPR, PCI-DSS standards and the European NIS directive, as well as their equivalents further afield, from NIST in the US, for example.
Finally, there is society's unrelenting and increasing reliance on technology, whether it is for banking, shopping, healthcare and entertainment, or the use of devices and services that make our lives easier from smart phones and cloud storage to home automation and connected cars.
The need for security skills and knowledge
Protecting all this in a way that satisfies the objectives of individual businesses, complies with laws and regulations and meets customer and user expectations, as well as shortcomings, is inherently difficult. One of the challenges is the number of stakeholders that don't have security as a primary skill set, which can make systems and processes incredibly fragile.
This can range from a business manager who doesn't understand operational risks, or a developer who doesn't realise how vulnerable a piece of code is, to a user who chooses poor passwords or is likely to click on a suspect link.
But it is not fair to criticise. These people are not experts in security, nor do they understand how systems are attacked. Security teams in any organisation need to recognise that ‘good security’ comes through a combination of policy, training, processes, technical controls and boundary fences, awareness, prevention and monitoring. And when the inevitable happens, they need to have the ability to respond and clean up the mess.
This combination of sophisticated attacks, new legal, technical, business and social challenges, and the sheer mountain of work to be done, is what has led us to the security skills shortage.
To respond, we need:
1. More broadly-skilled cyber-security practitioners
2. More specialists with skills in areas such as risk, control or prevention, detection and response
3. An increase in security performance and awareness among end users
4. Standards and metrics to define and measure skills and expertise for recruitment
Finding more security people
Creating a larger pool of people working in security involves several things. To get younger people in through traditional educational routes means having a greater focus on STEM subjects as well as specific IT and security in the school curricula. Success here starts in school, builds through college years and on into university at undergraduate and masters levels.
Work is already going on in this space, from the UK Cyber Security Challenge and wider STEM initiatives to the launch of the Qufaro specialist college and the continuing recognition, availability and popularity of university programmes in cyber-security. There is a growth in bachelors and masters level courses and modules, including CESG-recognised university courses, and within the research and PhD domain.
But getting more people into cyber also means encouraging those in other areas to migrate their skills to help drive cyber-security delivery and innovation. It is important to recognise that there are valuable skills and experience within other disciplines and already within our own organisations that are transferable. There is a wealth of talent already within the workplace that could be quickly harnessed and upskilled through training to help meet the skills shortage that we face. These include experienced, technical personnel who can leverage their IT, architecture and operations experience, but also communication, media and PR experts who can improve communications, as well as managers with HR, legal and team building skills.
Technology, and technology risk, touches everyone. The most deeply entrenched technical cyber-security experts will achieve more as part of a broader, more experienced, cross-disciplined team than they will locked in a server room or operations centre with like-minded individuals.
Having more specialists
Cyber-security is a ‘broad church’ when it comes to skills. As well as the technical, managerial and business focused elements, there are experts in awareness, policy, incident response, penetration testing, architecture, reverse engineering, legal and operations. But what the cyber-security industry must be careful to avoid is ending up with too many specialists or a large number of generalists.
The most valuable people are those who have a good spread of knowledge and awareness but also have a particular skill in a defined area.
Figure 1: The ideal T person has good awareness and knowledge along with specialist skills.
It is a bit like saying the NHS needs more doctors. What we mean is that the NHS doesn't just need more GPs, oncologists or cardio-thoracic specialists – it needs more of all types. That's why the T-shaped professional is so important. Doctors don't train as specialists initially; they build the breadth of knowledge and then specialise.
The blame game
Everyone has a part to play in cyber-security and people, more broadly, need better skills to understand and help mitigate the risks.
It has been fashionable to blame management for not giving security the priority or recognition it deserves or to blame users for choosing weak passwords, clicking on suspicious links or divulging bank details and personal information.
It is also easy to condemn commercial/procurement teams for weakening security requirements in contracts; systems architects for designing systems that are at risk; or programmers for writing code to a spec that didn't mention security.
The reality is that for these people, cyber-security isn't what they do for a living, and they don't think like an attacker, fraudster, security tester or a code reviewer. Hence, for these people, we need to educate, monitor, steer and coach good cyber-security.
Define and implement standards
Finally, it is important that there are standards, guidance and trustworthy ways of assessing and recognising knowledge. A recognised expert should have a level of skill that can be defined, measured, trusted and verified. How do the skill levels - aware, practicing, expert - translate into knowledge, qualifications and experience and what does that skill level equip a person to know about, understand or do?
The IISP Skills Framework is widely accepted as the de facto standard for measuring the knowledge, experience and competency of information security and assurance professionals. First introduced in 2006 and developed by world-renowned academics and security experts in collaboration with industry, government and universities, the IISP Skills Framework is used by the UK Government to underpin its Certified Professional Scheme and by organisations to develop and benchmark their own in-house capabilities.
This has been followed by the recent publication of the IISP Knowledge Framework giving access to a wide-ranging ‘body of knowledge’, with links to detailed resources and information. So, for example, the field of penetration testing links to specialist organisations providing examinations and accreditations such as CREST.
When it comes to cyber-security, the message is ‘more and better’. We need more people and better people. While cyber-security skills are in short supply, there will be a skew in the recruitment, retention and salaries and a barrier to investing by companies who cannot afford, attract, retain or properly structure their security teams. Things won't change overnight, but as the industry matures, diversifies and becomes more professional, the problems will be addressed.
Contributed by Piers Wilson, director of the Institute of Information Security Professionals (IISP)
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.