Blog post -
Technical Viewpoint: Cyber resilience skills: please mind the gap
The scale of the gap
Cyber security has evolved into a complex profession with various sub specialisms. The supply of talent to meet these needs has not generally kept pace with demand.
In response to this, there have been significant endeavours over the last ten years to drive talent into these roles.
These endeavours include skills frameworks, such as the Chartered Institute of Information Security (CIISec) Skills Framework, Australian Signals Directorate Cyber Skills Framework, European Cyber Skills Framework, and the Canadian Centre for Cyber Security Role-Based Framework.
A number of professional industry bodies have also been instrumental in driving talent forward, including the Chartered Institute of Information Security (CIISec), Australian Information Security Association and the National Cybersecurity Society.
As well as this, a range of engagement, training and upskilling initiatives have encouraged greater engagement with the profession from a younger age. This includes the UK Cyber Discovery programme, CyberFirst UK, the Youth Cyber Exploration Programme, Singapore, as well as the Cyber Assembly, Singapore.
A global glance
Despite these initiatives and measurable strides being made, the estimated skills gaps continue to be significant.
According to research from the UK government, 48% of businesses in the UK have a basic skills gap, 30% of businesses in the UK have an advanced skills gap, and 27% of businesses in the UK have a gap with regards to incident response.
Outside of the UK, 80% of German businesses surveyed in 2020 said they had a skills gap, and 15% said they would have cyber roles which would go unfulfilled. As well as this, (ISC)2 estimated 561,000 cyber security jobs in Europe would go unfilled, and in the USA there is currently a shortfall of 3.12 million cyber security professionals.
INTERNAL SKILLS MAINTENANCE IS NOT ALWAYS ECONOMICAL
Indeed, NCC Group’s own research has shown that of those who planned to outsource elements of their cyber security in the next 12 months, 43% said that this was being driven by return on investment. This suggests that organisations recognise the importance of validating cyber security spend, but they are not confident that they have the skills or resources to do so in-house.
NICHE SKILLS NEED NURTURE AND INVESTMENT
If we start to look at the very niche roles which exist in cyber, it is no surprise that people with the relevant skills are in short supply. Those that excel are often driven by a mixture of intellect and wider aptitude, commitment to lifelong learning and discovery, and have an intrinsic interest in the subject. But there is also the continued development and investment in maintaining and developing these expert practitioners that non-specialist organisations often wrestle with.
Good reverse engineers to analyse malware, great intrusion analysts and incident responders, amazing quantitative analysts who also understand cyber security, sublime DevSecOps people through to those information security risk managements who can tell you the most impactful 5% of things to do. The scarcity of these people, high expectations around personal development, and a market demand which outstrips supply presents unique challenges around talent attraction and retention.
A SPECTRUM OF CYBER SKILLS AND KNOWLEDGE
As society becomes ever more technologically dependent, it has been recognised for up to nearly two decades that cyber skills need to permeate all professions – from medicine to law to engineering and everything else in between.
Cyber skills in organisational leaders
Similarly, the importance of security skills across organisational leadership is now recognised – from non-executive directors, the chief executive officer and chairperson, through to the operational board. This has led to various educational institutions offering MBAs in cyber security, including the likes of Rutgers.
Baseline skills for all
A baseline set of cyber skills in all facets is increasingly important, both competitively and operationally to allow organisations to function in an agile manner with confidence. All employees in an organisation have a role to play in ensuring its cyber resilience. These employees are our eyes and ears, as well as the first and the last line of defence. A baseline needs to be set across an organisation to ensure that every single employee has the knowledge to keep this first line of defence up. However, for them to work effectively, culture is an important facet.
Culture of resilience
Organisations and their operations are complex systems. The book Drift into Failure talks about how organisations that empower people to speak up, challenge and have delegated authority are, in real-world terms, the most resilient from a safety perspective. This insight has significant application to the cyber resilience world.
CYBER SKILLS AND A BUSINESS ENABLER
NCC Group’s research showed that there is evidence that internal skills shortages are holding organisations back, with 71% of decision makers reporting that they are ‘not confident’ about improving or evolving their organisation’s cyber security preparedness.
In an increasingly global yet hostile world in which we navigate a state of ‘unpeace’, cyber skills are a business enabler. Cyber resilience allows organisations to move at pace with confidence and take advantage of the opportunities presented.
How so? Well, if you are an organisation that has experienced rapid digital transformation and haven’t been held back by cyber resilience fears, it’s clear that you are best placed to adopt new technologies to further your competitive edge in a cost-effective manner.
However, if you are an organisation drowning in a sea of technical debt and legacy systems, or wilting under the weight of unpatched vulnerabilities or suffering sleepless nights on whether a breach will be detected to and responded to effectively, one sees the very real-world impact of the skills and capacity shortage.
A cyber resilient business supported by skilled staff, be they internal or supplier-based, is a confident one. These businesses will often have a capability and agility edge over one which is just about hanging on. This is the true enabler that skills and capability bring to the organisation, its operations and its business.
When it comes to cyber resilience, people are three things:
- The leaders and direction setters
- The first and last line of cyber resilience
- Our capability
However, for them to be effective and the organisation to be confident and resilient, the right culture must be created, where investment is directed towards providing training and developing of cyber skills. Only by doing so can organisations expect to operate in a manner which catches the advantage from technology in an ever-hostile world.
For this reason, some organisations may look to outsource key cyber security functions, especially those who struggle to attract and retain the very specialist skills needed.
Insight Space – People
This Executive Analysis is part of our latest edition of Insight Space which tackles the importance of people when it comes to ensuring an organisation is truly resilient.
We’ve put together technical and executive insights, case studies and practical advice focusing on how organisations can manage their people risk.
Find out more here.