In the age of mass data breaches, nation state attacks, GDPR and ever tightening budgets, the demand for cyber security professionals is not going anywhere, and the requirements for business are getting more complex and numerous by the day.
The skills gap is still prominent, as pointed out by the research released by Indeed earlier this year. The research highlighted the UK as the country with the third highest number of cyber security job postings, but only a third of the number of candidates actively looking for cyber security positions.
With people looking for cyber security jobs covering just 31.6 per cent of the jobs advertised, the UK has the largest cyber security skills gap, apart from Israel.
Hiring for the future is a difficult task in an industry that is in a constant state of flux. However, some trends do seem to be appearing on the horizon, although the skills needed to deliver these services are in short supply.
Cyber resilience is a term that encompasses the framework organisations will implement to ensure they can deal with, respond to and continue working in spite of cyber incidents within the business.
In order to deliver a robust framework, cyber resilience requires very high levels of partnering and collaboration, including external collaboration (with ISPs, intelligence agencies, industry groups, security analysts, customers and supply chains), and internal collaboration between teams.
Cyber resilience requires that organisations have the agility to prevent, detect and respond quickly and effectively, not just to incidents, but also to the consequences of the incidents. Businesses will require good governance, including leadership, devolved decision-making and appropriate escalation.
Plans, processes and able staff are required to ensure nimble IT and information security responses, such as the ability to increase capacity, or shut down, isolate or load balance systems.
Cyber-literate public relations departments, with up-to-date and well-tested public relations policies and with key issues decided in advance (such as the organisational stance on issues, planned responses and media releases), will be needed to ensure the organisation is ready to respond quickly and effectively to an incident.
Crisis preparedness is crucial to a successful cyber resilience plan and organisations will need to be able to call upon the skills and expertise to rehearse realistic simulations to guarantee current plans are appropriate and proportionate.
These plans should include human relations responses, such as dealing with inappropriate use of social media, carelessness and criminal acts by insiders; the investigative and forensic capability of the business, to investigate and conclude on what happened and have the evidence to prove it; and the legal responses, using the legal system to mitigate threats or actions, such as knowing how to shut down attacking servers.
Cyber security experts with excellent soft skills will be a valuable asset for any organisation, whether this is in-house knowledge or outsourced consultancy. Knowledge of key procedural and compliance standards, technical knowledge to help implement sturdy controls, and the ability to get internal teams to buy into security as a business enabler will all be highly sought after.
Managed cyber security services
A lot of businesses do not have the head count or internal skills to run every aspect of a thorough cyber security program and are reaching out to industry for help. Without external help, businesses are faced with using existing staff who may not have the breadth or depth of security expertise to enact a pragmatic and valuable cyber security program.
Implementing a cyber security program without the right people on board is a recipe for disaster. To deliver a successful cyber security program, businesses will require people who not only have in-depth technical knowledge of the technology in place, but also have a deep understanding of how the business works internally, project management, risk models, privacy issues and the current and predicted threat landscape.
Businesses require teams of people who have the ability to perform highly technical tasks, whilst being able to deliver the results in a concise and meaningful way to upper management and board members.
Cyber security awareness training
It is amazing to think that, even today, a lot of businesses are still rolling out the annual IT security training which staff attend and then promptly forget. This may get the tick in the box for some compliance standards, but this process does not produce demonstrable results in terms of increasing cyber security awareness amongst staff.
In 2018, the weakest part of the cyber security chain will still be ‘the human element’, and some businesses are starting to invest heavily in these staff members in order to help protect critical assets. Security awareness training needs to evolve as quickly as the technology itself, and be integrated into the day-to-day workflow of employees.
Having the skills to deliver meaningful, engaging and memorable material, whether that is via face-to-face training, online computer-based training or via simulated attacks (e.g. phishing exercises) will be invaluable in the future.
Cloud environments are beginning to reach a level of maturity and ubiquity that means it is inevitable that a major cyber security incident will happen to one of the major players, which will cause businesses to scramble for experts in cloud security.
The requirement won’t be for people who simply understand the difference between AWS S3 buckets and Azure Blob Storage, but for those who really understand the technology and the inter-dependencies of the environments, and who can give pragmatic, real-world solutions to the problems lurking around the corner.
Development of security guidelines, vendor selection policies, practical and pragmatic risk assessments, along with more traditional technical testing will be required for businesses to have a comfortable level of assurance their data is protected within cloud environments.
It is a cut-throat world out there, and in the clamour for more rapid releases of products, more and more businesses are investing in agile development teams. This may be through acquisition of smaller innovative start-ups or building internal teams; either way, these teams are working to the ‘individuals and interactions over processes and tools’ and ‘working software over comprehensive documentation’ mantra, which usually sends a chill through any cyber security professional.
Businesses will require individuals with an understanding of the need for this form of development, the ability to be flexible and have the skills to interact with the development team to introduce security into the lifecycle without hindering the development and delivery process.
As we have discussed, the skills required for the future cannot be easily defined by the level of technological knowledge, but are rather more holistic as businesses will need guidance as well as expertise moving forward. The skills in demand over the coming years will be wide-ranging, and practitioners will need a broad array of soft skills to complement technical ability.
Unfortunately, a lot of these skills come with experience, so training the younger workforce (either through university study or apprenticeships) to think more broadly about the issues the modern world faces is critical to helping ensure that we can mitigate future unknown threats.
About the author
Mike McLaughlin MBCS GPEN OSCP CRT is Cyber Security Operations Manager at First Base Technologies, working with a team of talented ethical hackers to provide cyber security testing services for major corporate clients. For Mike, information security is a vocation, not just a job.
Having worked in the information security industry since 2006, he is passionate about security whether in the corporate arena or the personal home environment. He has appeared in several BBC Click productions and is a regular contributor to industry publications.