Cybersecurity muscle needs an ecosystem
This article was first published in Business Times
IF there ever were a "Year of the Hacker", 2017 would have marked that watershed moment. Besides the more familiar malware attacks named WannaCry and NotPetya, attacks mounted on the US Central Intelligence Agency, the Bangladeshi Central Bank and Equifax also caught many cyber-professionals off guard.
Rather ominously, the World Economic Forum (WEF)'s 2018 Global Risks Report published in January shows that cyber risks continue to be among the top five risks facing the global economy.
Aside from business disruption, reputational damage, intellectual property theft and data confidentiality breaches, the WEF opines that cyberattacks will result in an estimated US$8 trillion of financial losses by 2022.
Businesses and governments alike are calling for more cybersecurity solutions. By extension, we also need more talented individuals joining the ranks of cybersecurity professionals.
The need for skilled cyber professionals has never been higher - recent reports show that globally, there will be 3.5 million unfilled cybersecurity jobs by 2021.
Single Accreditation Inadequate
As the cybersecurity profession is fairly new, there is still ongoing debate about the best way to develop adequately equipped professionals.
For instance, one suggestion brought forward was for a single compulsory accreditation scheme for cybersecurity professionals. However, such a scheme might be counterproductive given the range and diversity of cybersecurity talent needed for the profession.
As it stands, the spectrum of professional cybersecurity certification has diverged over time to reflect these multiple pathways into the profession. For example, ethical hackers/penetration testers might obtain the Offensive Security Certified Professional (OSCP) or CREST certifications.
Chief Information Security Officers (CISOs)/security managers might obtain the Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP) certification, while IT security auditors would benefit from the Certified Information Systems Auditor (CISA) certification. The Certified Information Privacy Professional (CIPP) certification would be relevant to those focused on privacy and cyber laws.
Requiring this diverse group of cybersecurity professionals to follow a single accreditation scheme would ignore the differences in insights and skills needed to understand the constantly evolving cyber risks and attacks.
However, this pace of growth in professionals is now clearly inadequate, with the onslaught of cyberattacks appearing on the front page of the news almost weekly, and sometimes daily.
Birth of a new profession
Professional certification and accreditation schemes can therefore expedite the growth of new professionals, and raise the competency levels of existing cyber professionals. On their part, professional associations can be a catalyst for achieving higher overall competence and quality of cyber professionals.
Over the long term, the objective would be to have the cybersecurity ecosystem evolve towards providing a well-rounded certification or accreditation scheme, comparable to the ones in other existing professions such as accounting and engineering.
Singapore's new Cybersecurity Act, which acknowledges the need for skilled professionals, was therefore welcome. However, attracting talent into the profession in sufficient numbers remains a challenge.
Over the last 10 years, the cybersecurity profession as it is known today has emerged from a combination of IT security, IT audit and IT consultancy fields.
Professional associations such as the AISP, ISACA, ISC2 and SCS have inspired a whole new generation of students, graduates and experienced IT professionals who have reskilled themselves to become pioneering cyber professionals in the industry.
What's increasingly apparent is that cybersecurity is not just an IT issue but a business issue, involving how a company's operations and other functions respond to and survive an incident.
It therefore requires a multi-disciplinary approach to protecting our information assets.
Besides early detection of cyber incidents, and the ability to respond to and contain cyber-attacks, cyber professionals need to intimately understand how the various functions within a business need to respond to an incident.
To be effective, a cybersecurity professional therefore needs to understand a multitude of dimensions covering leadership & governance, human factors, risk management, business continuity & crisis management, technology & operations, and legal & compliance.
While the norm has been for cyber professionals to have a degree in the information sciences, cybersecurity is a diverse profession where business, IT, legal, and human behavioural sciences converge.
These different dimensions highlight the need for different skill sets and capabilities to take a more holistic approach in building cyber-ready organisations and industries.
Certification and accreditation are therefore a good option that promotes the development of a cybersecurity ecosystem. Taking an ecosystem approach will not only encourage the development of talent, but also encourage the upskilling of existing professionals in a collaborative manner.
Member-based professional associations have therefore been well placed to take on this role, by:
- Outlining a common body of knowledge and establishing a baseline for aspiring cyber practitioners to achieve before they earn a cybersecurity-focused certification.
- Running tailored courses targeting both cyber and non-cyber practising professionals, educating them on wider topics pertinent to cybersecurity beyond just providing technical training.
- Encouraging the production of white papers, which promote thought-leadership as well as establishing forums for new ideas to be shared and analysed.
This community-based approach to professionalising cybersecurity talent should, at its heart, promote collaboration in the community and the exchange of views, insights and experience. It is hoped this will ultimately lead to the design of better cybersecurity controls and better preparation for the inevitable cyber incident.
Most importantly, the professional associations have championed a moral and ethical code of conduct to ensure the overarching purpose of the cybersecurity profession is centred on upholding and defending society from the digital era's villains.
This is now therefore a call to arms for employers, governments and professional associations to come together to collaborate in the development of a multi-path, multi-dimensional accreditation-based career path for cybersecurity professionals.
It is one step towards evangelising the cybersecurity profession, building awareness of its purpose and stimulating interest among a younger generation of Singaporeans about this new, exciting and noble profession.
Contributed by Daryl Pereira, Head of Cybersecurity, KPMG in Singapore. Views expressed are his own.