Bridging the cyber security skills gap
October 2016 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
As cyber criminals and cyber terrorists become more resolute and sophisticated in their techniques, companies and regulators continue to bolster cyber protection.
In recent years, many high profile organisations have fallen victim to cyber crime, especially those that have invested inadequately in security. “The level of awareness of cyber security needs and associated risk is probably higher than it has ever been, but for most organisations it is still at far too theoretical or generic a level,” says Kit Burden, a partner and global co-head of technology sector at DLA Piper. “In other words, organisations are far more aware than before that the threat of cyber intrusion exists and that ‘bad things can happen’ if an attack occurs, but they remain insufficiently aware of what their own position is, either in terms of their key areas of vulnerability or the degree of targeting that they are likely to be receiving. In other words, it is a bit like the technological version of cancer – we know it is out there, we know it is really serious, but somehow we hope or believe that it will never happen to us.”
There is a dawning realisation that the financial, reputational and legal risks inherent in neglecting cyber security are very real. Companies today hold more critical information than ever before, including an abundance of customer and employee data. All companies are vulnerable to attack – according to statistics released by Symantec, 43 percent of the global attacks logged during 2015 were against small companies. Consequently, the cost, from a financial and reputational standpoint, of suffering a breach should not be underestimated. Furthermore, The Ponemon Institute's most recent report, ‘Cost of Data Breach Study: Global Analysis’, suggests that the average consolidated total cost of a data breach has increased from $3.8m to $4m in recent years. The average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158 year on year.
Given the cost implications of a data breach, companies are starting to understand that if they have not already been breached, they may be next. Research from Okta shows that almost two-thirds of businesses now think their systems will be hit by a data breach if their technology is not updated in the next 12 months.
Until recently, there was a general belief that cyber breaches only happen to other companies; however, many companies are re-evaluating the nature of cyber crime and the measures needed to counteract it. Whereas previously cyber protection was viewed purely as an IT issue, it is more frequently appearing near the top of the corporate agenda. Although more organisations are focusing on strengthening their cyber security software and systems, this is not always where their weakest links can be found.
The people problem
The cyber security skills gap is a divisive issue. Some commentators believe there are simply not enough people working in the industry, while others say the problem lies in the lack of skills possessed by people already working in the industry. In a recent report by Intel Security in partnership with the Center for Strategic and International Studies (CSIS), ‘Hacking the Skills Shortage: a study of the international shortage in cyber security skills’, 82 percent of companies surveyed declared a shortage of cyber security skills in their organisation.
Evidence of this sizable skills gap can be found elsewhere. According to a 2015 Frost and Sullivan survey, 62 percent of the 14,000 respondents believed that their companies had too few cyber security personnel. The report also suggested that the information security sector is likely to have a workforce shortfall of 1.5 million within five years. Furthermore, companies that lack experienced cyber security staff are poorly positioned when it comes to responding to an attack. One in five organisations in both the public and private sectors admitted that responding to an attack and repairing the damage incurred could take between eight days and eight weeks. Around 45 percent of those companies cited a lack of qualified staff as the main reason behind their slow response time.
This skills shortfall is also a major concern in terms of how companies rely on their workforce and their relationship with technology. As Dr Bob Nowill, chairman of Cyber Security Challenge, notes, businesses rely on the technological capabilities of their staff more and more, especially as there is an increasing dependency on technology in the workplace. “This is the same in all organisations, whether it is in the financial services sector or healthcare,” he says. “As well as this, the skills which are demanded vary, from cyber security to IT support staff. There are a range of roles that require digital knowledge, and businesses are increasingly struggling to fill them.”
A notable feature of the cyber skills deficiency is that the issue appears to be widespread, with no particular sectors standing out. However, for Mr Burden, the financial services industry is perhaps better insulated when it comes to cyber protection. “There is most definitely a gap in terms of resourcing – at least in terms of organisations and individuals who have the skill sets and experience to genuinely make a difference, as opposed to those who are simply jumping on the bandwagon. That said, financial services entities are at least toward the front of the queue in terms of types of organisations that have realised the scale of the risk, and have taken steps to try to address it. Their skills shortage is therefore – if anything – likely to be less acute than for other sectors.”
Dealing with cyber crime is a serious and difficult undertaking even for well trained staff. The fact that many organisations lack an understanding of cyber security issues could have serious consequences. According to Professor Liz Bacon at the University of Greenwich, organisations should strive to ensure that their staff members are provided with regular training sessions aimed at fighting a general ignorance of cyber threats, eliminating bad habits that staff members may have picked up along the way, and keeping them abreast of the latest developments in the cyber space.
“I think the state of cyber security awareness is generally very poor in both the workforce and in the general population,” explains Professor Bacon. “Most people are now aware of the spam emails promising to transfer money to them, but cyber crime is now much more sophisticated and most organisations tend to focus on the technical aspects of cyber security, often locking systems down so much that people are driven to find insecure workarounds. Organisations need to do much more to regularly educate their entire workforce on cyber security, especially as the distinction between home and work computing continues to blur. This must include an understanding of social engineering and how information people share freely with the world, for example on social media, can be used against them,” she adds.
Education, education, education
There is an increasing sentiment among cyber security professionals that efforts should be made to foster greater ties between the cyber security community and universities. Although there will be no overnight fix to the cyber security skills gap, organisations can begin to redress the balance through greater cooperation. “There is no silver bullet when it comes to tackling the skills gap, however attention must be given to the education system,” says Dr Nowill. “We have to make sure that we are doing everything possible to teach students of all ages the relevant skills that they currently need and will need in the future. With this knowledge they can seamlessly progress from school, college or university into a career where they have all the required capabilities to go straight into a role in cyber where their skills can be used and immediately make a positive impact.”
But the dislocated and highly specialised nature of the cyber industry may act as a barrier to closing the skills gap. There are many possible positions and career paths within the tech industry, and many areas of further specialisation. The tech industry is awash with different platforms, interests and niches, and it can be difficult to attract and retain students and employees to fill certain areas. By engaging with academic institutions, tech businesses can aid the process, raising the profile of cyber security issues and career paths among students, and helping to build a talent pipeline in the long run. This is also helpful given that many people find themselves working in the cyber security industry by accident rather than design.
The current state of the cyber security industry and the speed at which cyber criminals evolve means time is short. “Action needs to be taken now if we are going to plug the skills gap,” urges Dr Nowill. “The digital skills crisis cannot be ignored, and if we want businesses, students and the economy to succeed, we must do all we can to make sure they have everything needed to do so. Through education and training, we can start to fill the skills gap and ensure that Britain is producing a workforce that has all the technological abilities that organisations require.”
The rapidly changing world of cyber crime and cyber security requires companies to be flexible and yet robust at the same time. As cyber criminals continue to develop new ways of breaching defences, companies must remain vigilant in order to protect their assets. As much as possible, they must be prepared for everything cyber criminals throw at them. For many companies, new technological developments can play a crucial role in helping to plug cyber skills gaps, as Mr Burden points out. “Automation and early stage artificial intelligence will likely make significant inroads. Already we are seeing marketing by software companies claiming that their software packages can automate much of the cyber security process,” he says. Intelligent security automation, for example, can help organisations collect data on cyber attacks and develop better metrics to identify threats.
In the meantime, the current skills gap makes companies vulnerable. “There are many predictions from a variety of credible sources about the shortage of cyber security skills going forward, and while estimates of shortfalls vary, the overarching message is clear – the situation will get worse,” notes Professor Bacon. “Organisations need to focus on bringing new blood into the profession and stop the endless poaching cycle. They also need to do more to encourage women to enter the profession and provide a work culture that encourages them to remain in the industry. If there were as many women as men in cyber security, there would not be a skills shortage.”
Encouraging more women into cyber-related education and industries is a must, given their absence from these areas; however, the process should form part of a more holistic approach to tackling the cyber skills deficit. It is the duty of companies and educators to recruit more warriors in the fight against cyber crime, and provide them with the right weapons to make a difference.