Squaring up to the cyber skills shortfall
With Brexit threatening to exacerbate a shortage of cyber security talent, CEO of Immersive Labs James Hadley outlines why UK companies must plan ahead...
If there is one thing we can be certain about when it comes to Brexit, it’s that nothing is certain. This uncertainty is of great concern to UK businesses, with many understandably worried about what the future might hold.
The impact that leaving the European Union might have on the movement of cyber security professionals, for example, has the potential to widen an already significant skills gap. Today, there is not enough new talent coming in to defend UK businesses. This is particularly alarming given the rate at which cyber attacks are occurring – and the consequences of Brexit may only serve to make matters worse.
The damage that can be inflicted on businesses is illustrated in the high-profile attacks and data breaches that now make the news on a regular basis. The UK clearly can’t afford for the security skills gap to grow any wider. In the absence of new recruits, businesses must improve the skills of their existing talent to defend against the growing risk of cyber attack.
More threats, less talent
The volume and frequency of cyber attacks are on the rise. One report found the number of businesses reporting cyber incidents rose from 45 to 61% between 2018 and 2019. Elsewhere, it was revealed that UK businesses faced an average of around 146,000 attempted attacks between April and June 2019; that equates to about one every 50 seconds.
Such attacks can do considerable damage to an organisation’s operations, its reputation, and its bottom line. Defending against this damage requires a skilled cyber security team. But the cyber security industry is experiencing a global skills shortage.
A recent survey showed that Europe is likely to face a skills gap of 350,000 by 2022, while between 20 to 30% of cyber security vacancies in the UK are currently unfilled. Brexit is expected to exacerbate this situation. According to a different survey, around half of British businesses believe the country is at risk of a “brain drain”, and approximately 60% of London-based companies are worried that they will lose access to digital talent in particular when the UK eventually leaves the EU.
Faced with a rising number of threats and the prospect of an ever–widening skills gap, business leaders must therefore capitalise on – and develop – the skills of their current cyber security team. This requires them to look towards better training, delivered to a broader range
Creativity rather than classrooms
Successful criminals are, by necessity, opportunists. Determined to bypass latest security solutions, they must constantly devise and deploy ever more creative threat tactics. If security professionals are to have any hope of keeping up with these innovative techniques, it is essential that they are given the opportunity to continuously hone and update their skills.
However, traditional methods of cyber security training may not be entirely effective. High-performing cyber security professionals generally like to learn as they go. Their highly inquisitive nature means they have little interest in studying theory and referring to past case studies. They would much rather get their hands dirty, taking things apart in order to see how they work.
But, the training of security teams is based on legacy teaching methods and yesterday’s threats. In fact, the basic principles have changed little since the first antivirus solutions were built in the 1990s, at a time when hacking was low on the list of priorities for CEOs.
The majority of training courses still tend to be in the classroom, passing on information through passive listen and learn techniques. Only available every six months or so, the content of these courses is already out of date at the point of delivery.
Clearly, this approach is far from adequate for meeting the challenges of a constantly evolving threat landscape. Rather than this largely prescriptive style of teaching, that tends not to sit well with its intended audience, an organisation’s security team will derive far more value from a mixture of self–learning and creative thinking.
Indeed, cyber security professionals would benefit from the opportunity to test out their creativity in “real world” situations. Scenarios based on genuine threats will give them a sandbox in which to play, where they can build their skills without the risk of harm to their organisation. Then, should a similar situation arise in the future, they will be far better equipped to deal with it.
Before they can develop their cyber security team’s skills, however, organisations need to know just where that development is needed.
Mapping out your cyber capabilities
Visualising its employees’ current cyber capabilities can provide the insight an organisation needs to better plan skills development. A “cyber capability score”, for example, compiled from all the data available on a particular employee, and mapped against globally recognised frameworks, will provide a CISO (Chief Information Security Officer) with an instant overview of that employee’s strengths and weaknesses.
Widely used by threat hunters and defenders to help recognise different types of threats, the MITRE ATT&CK framework, for example, is a comprehensive, structured matrix of techniques, tactics and procedures used in real cyber attacks. By comparing it against a corresponding matrix of relevant skills and competencies, CISOs are able to see, at a glance, where their organisation’s strengths lie, and where it lacks human expertise.
Drilling down from supporting an organisation’s overall security posture to supporting its employees’ cyber capability scores, the framework can also enable CISOs to quickly identify those individuals whose skills make them ideal to respond to particular incidents, while also helping to highlight those whose skills require further development.
The threat landscape is continually evolving, with criminals developing new means of attack and refining existing techniques. Organisations must therefore ensure their security teams are aware of the latest threats as they emerge, and that they’re equipped with the skills they need to combat them.
Using traditional classroom assessments to measure this readiness is unreliable though, as they will typically be out of date even before they have been carried out. For cyber capability scores to work as a viable alternative, they must be based on the latest threat intelligence. Not only will this help ensure a security team is armed with the latest skills, but it will provide CISOs with a crucial understanding of that team’s capabilities, its readiness and ability to protect their business against cyber threats, and any areas in which that business may be vulnerable to attack.
What’s more, by using real-time intelligence feeds of the latest attack techniques, technological vulnerabilities, and criminal psychology, security teams can be equipped with the necessary skills within hours of a new threat emerging, rather than weeks or months.
The future is uncertain. At the time of writing we don’t know when (or even if) the UK will leave the EU, much less what effect this will have on British businesses. What we do know, however, is that these businesses are facing a double-edged sword – while the risk of cyber attacks continue to grow, the number of skilled security professionals seems unlikely to rise any time soon. And it’s possible that Brexit might see this number plummet.
If businesses are unable to recruit new talent, they must instead look to assess and develop the skills of their current security teams, using relevant training methods informed by real-time threat intelligence to ensure they are equipped for the threats of today and of the future. Whatever it might hold.