The introduction of Chancellor Philip Hammond’s new £1.9bn UK Deter, Defend and Develop, cyber security strategy in November 2016 marked the overwhelming need for a social transformation in our country’s attitude towards cyber defence. When reflecting on the breaches of 2016, the urgency in achieving this becomes more prevalent; Britain needs to acquire the skills and capabilities to ensure that the country, industry and its assets are protected from malicious cyber threats and attacks. A sustainable stream of cyber security talent is essential in order to both achieve the strategy set out by the chancellor and to keep pace with the increasingly sophisticated cyber landscape. It will require initiatives to attract and train new talent as well as continue education for security professionals.
The 2016 Gartner CIO Agenda Report further exemplifies this and reveals that 66% of CIOs believe there is a scarcity of talent in cyber security.[1] Organisations in the cyber security space must take the lead in addressing this skills shortage, and quickly. It’s no secret attackers are on a streak with a record 1.6 million data breaches and cyber-attacks reported in 2016[2], and this is through both skilled tactics and insidious tactics such as attackers walking through the front door with stolen usernames and passwords. IT security teams are running the race to best protect their environments and users, and are attempting at doing so by implementing the latest and greatest technologies[3], but do they truly understanding how best to optimise security for tomorrows threat landscape?
Many of our IT security leaders began their careers in an era when threats looked very different than they do today. Technologies and solutions are constantly evolving, are extremely advanced, and to thoroughly understand them employees need regular training. However, trying to innovate to meet business needs and manage the rapidly changing world of IT – on a budget, no less – is very demanding. In fact, our recent survey of UK CISO’s found that 46% of companies admit to not improving security strategies due to budget constraints.[4] This makes trying to outmatch the wits of well-funded criminal gangs, or dedicated lone hackers, a Herculean task.
A huge part of the problem lies in the fact that there is the lack of emphasis on continuing education in IT. Compare that to other industries, where teachers, doctors, financial planners, scientists, and others are required to take classes and obtain certifications to keep their expertise on par with industry developments. The same hasn’t happened in IT. In fact, security certifications within IT departments are fairly uncommon and as a result staff are currently unable to deal with the constant stream of newly emerging cyber tactics of bad actors.
A lack of consistency from above on the importance of security could arguably be held responsible for this. Business leaders at the front lines of IT typically prioritise security, yet this cannot be said for the rest of the executive team. But not having a dedicated in-house cybersecurity expert or programme to educate and protect your network and sensitive data is the equivalent of not checking if your doors are locked at home, then hoping for the best.
Fortunately, some security providers are recognising this and offer ongoing training of the cybersecurity industry at large, such as SecureAuth University, a continuing education programme for customers, partners and employees. This equips IT security professionals with more knowledge and information of current methods used in cyberattacks, the value in threat services, how to recognise the early stages of a breach, and education on methods of layering adaptive authentication techniques. As well as help bridge the gap between themselves and other C-level executives that may not fully understand.
Although, adding fuel to the fire is the failure of the industry to capture the attention of today’s youth. Recent research by Kaspersky Labs has highlighted the true potential of the up and coming generation, whose online capabilities surpass that of any other. However, the report also reveals that under 25’s are more inclined to use their skills for fun or financial gain, rather than to fight cybercrime. Inspiring our tech savvy youth is key in order to plug the ever widening cyber skills gap.[5] Yet, how can we expect our young talent to develop a passion for a career in cyber security when the industry is failing to provide them with a clear path to find work, hone their skills and serve society? This lack of direction and guidance only exacerbates cybercrime instead of prevent it.
The announcement of new education programmes last year, marks the first steps by the government to channel the interests and skills of the younger generation. New institutions, such as the National College of Cybersecurity, which will be operated out of Bletchley Park, the site of secret code deciphering projects during World War II, have started to recognise the need to combat Britain’s depleting cyber security talent pool. The non-profit organisation set up by Ouafro, plans to teach cyber security skills to 16-19 year olds, in a sixth form approach with around 40% of the curriculum devoted to cyber security. However the government cannot achieve this alone. Businesses need to join the movement and work to make security careers more enticing for younger generations; offering attractive graduate schemes and entry level jobs, as well as invest in purposeful training programmes for new and current members of staff.
We are living in an era where we face ever sophisticating threats from all directions. It is essential that organisations break out of the mind-set that security expertise is a ‘nice to have’ rather than an essential investment. Ensuring that employees are fully skilled and nurturing a healthy pipe line of talent is the only way organisations can continue to thrive.
[1] https://www.gartner.com/imagesrv/cio/pdf/cio_agenda_insights_2016.pdf
[2] https://www.itgovernance.co.uk/blog/list-of-data-breaches-and-cyber-attacks-in-2016-1-6-billion-records-leaked/
[3] https://www.secureauth.com/company/newsroom/decision-makers-predict-passwordless-authentication
[4] Opinium survey conducted on the behalf of SecureAuth – 4 in 5 UK IT Decision Makers to Ditch Passwords Within Five Years
[5] http://www.prnewswire.com/news/kaspersky-lab