Cyber security has grown immensely as a discipline and transformed rapidly over the past few years. On one hand, the growth of organised criminal underground networks and motivated nation states has increased the sophistication of attacks. On the other, the adoption of cloud and mass remote working triggered by the pandemic means that organisations have a larger attack surface to defend.
Cyber security departments were already struggling due to the industry’s skills gap and recent changes have exacerbated this issue even further. In this blog, we will try to address the skills gap and how we, as an industry, can tackle it from three different angles – more upskilling, more diversity, and more automation.
Rethinking upskilling pathways
We strongly believe digital and technological literacy are essential skills today, similar to numerical literacy skills. Regardless of one’s career path, these competencies are key to function in an increasingly digital world. The education sector needs to do more in making technology learning an integral part of the curriculum and build foundational skills for the future workforce.
We also need to teach people how to protect themselves in the cyberspace and maintain good cyber hygiene starting from school itself. The industry can step in and partner with schools to make this possible. Our Global Cyber Day initiative is one such small step to help with this objective.
The next step is building cyber specific skills over that foundation. But academia cannot do that alone. Sandwich years are a good start for providing work experience but are not enough by themselves. We need close collaboration between academia and industry to keep curriculums relevant to business needs in such a dynamic profession.
And this is only the beginning. We need to follow this thread and continue building through graduate schemes, closer collaboration between the industry and the education sector, and training plans for entry level positions. After that, investing in continuing professional development, for both technical and non-technical skills, is the way to go. We’ve heard many people say they are almost afraid to train their staff as it will make them harder to retain. We understand the concern, but this kind of thinking is holding our profession back.
Moving the needle on diversity
We can also solve some of the industry’s talent issues by addressing its diversity. One way is to look beyond the traditional computer science degrees and be more accepting of people with diverse educational backgrounds.
We also need to ask ourselves how we can create lanes for those from underrepresented or less privileged communities. While the most obvious reason for doing this is a larger talent pool, another key reason is that bringing new ways of thinking and perspectives to problems often helps unlock solutions. We can look to initiatives like Black Codher and IT’s Her Future as examples to achieve this. And we have a long way to go.
According to Decrypting Diversity, the joint KPMG and National Cyber Security Centre report on inclusion and diversity in cyber security, nine percent of respondents were considering leaving their employer or the industry due to inclusion and diversity issues. We found it very worrying that an industry with a talent shortage is potentially driving people out over a lack of inclusion. The industry is waking up to the need for a focus on wellbeing and mental health; we also urgently need to add inclusion to this list.
Using automation for better outcomes
As the skills gap becomes more acute, maybe the answer isn’t just to bring in more people, but to use technology and automation, especially for repetitive tasks.
Here’s a real-life example from the security operations domain. Let’s say Company A has security analysts monitoring for security events. For even a simple alert, the analysts may need to log into multiple systems to investigate, triage, and if necessary, remediate the incident. Let’s assume this process takes two-three days to complete.
Company B, on the other hand, uses Security Orchestration, Automation and Response (SOAR) to automatically correlate information from various sources, present this to its analyst and allow the analyst to remediate the incident from a single platform in a day’s time. Company C goes a step further and has SOAR interact with other tools in the organisation to automatically remediate the incident, with minimal human intervention in just few minutes – although in practice few organisations have yet reached this level of maturity.
Assuming all three companies are following the same standard playbook, Company A needs more analysts than Company B or C for the same volume of alerts. Company A will also find it harder to retain these analysts. Who do you think has higher job satisfaction, the analysts who have to perform mundane information collection tasks, or the ones who can focus on analysing interesting incidents?
By leveraging technology and automation, the time saved by analysts on performing repetitive tasks can be spent on more productive aspects such as threat hunting, which brings down the risk in real terms, and upskilling themselves.
Automation does not need to be limited to cyber security activities to address the skills gap. Rhiannon Keen even gave an example in her blog on the future of skills of how increasing automation of accountancy roles could result in accountants reskilling as information security managers!l
The cyber security skills gap isn’t new and there are no easy fixes. Addressing it will require concerted effort and cooperation between industry, academia, and policy makers.
Let us bring in more talent by looking beyond the traditional channels for recruitment, improving diversity and inclusion, and promoting better mental health. Combined with a new upskilling framework and approach to automation, the industry can collectively help bridge the skills gap.
The role of cyber security leaders in organisations continues to evolve as they become enablers and facilitators. In our latest report – From enforcer to influencer – find out how they can meet the challenge to build trust and resilience.