On 9 November 2022, I attended an online webinar that was entitled: The Real Reason for the Cyber Skills Shortage. The webinar was a part of a larger event facilitated by CREST International that was about access to cyber security.
The event was presented by Matt Lawrence, Head of Defensive Security from an organisation called JUMPSEC. What follows is a set of notes that I’ve made during the session, which have been roughly edited together.
This blog can be viewed alongside other OU blogs that relate to the subject of cyber security.
The real reason for the cyber skills shortage
A point I noted down was that the “skills shortage cannot be solved by bringing more people into the industry. Instead, we have to work smarter and treat current industry professionals better”. Cyber security is seeing significant expansion, which means that many organisations are feeling the strain. This expression of concern was reflected in a slide that contained the words “the root of the problem is not the availability of incoming candidates, but the ability to retain skilled and experienced employees”.
Some striking numbers were shared: the cyber security workforce shrank by 65k people, and 1 in 3 cyber security professionals are looking to change their role; clearly this is highly unsustainable. (I should add that I don’t know the source of these numbers.) Further comments were made about unhealthy working environments, the unsustainability of operating models which rely on manual analysis of security events and alerts, and organisations going through acquisitions, which puts strain on security controls.
An earlier point that was mentioned, and that is worth emphasising, was that no certification programme is a substitute for hands-on experience.
How do we deal with the skills shortage? I noted down the words: “sustainability is key; compromise is inevitable.” I also noted down “we can’t predict timing and severity” of attacks and events. Professionals “must prepare for the worst, and be ready”.
How are cyber threats evolving? There were interesting points about ransomware, the practical inadequacy of cyber insurance, gaps in existing controls, and the lapsing of expected controls. There will always be mistakes: users will accidentally respond to phishing emails and there can be inadvertent lapses in permissions; the basics can go wrong. Put another way, “it is the fundamentals that really matter; this goes for organisations and people”. Significantly, applying more technology isn’t necessarily a solution: “before you invest in new security technology, are you making best use of what you already have”. Matt shared a compelling metaphor: don’t make your cyber security haystack bigger by getting more tech.
Paraphrasing some key points about challenges: responders (to cyber events) may have little or no network visibility, and may not be able to respond due to a lack of preparation and too many assumptions. Within an organisation there may be “technical debt”, which is a metaphor I have not heard before. Technical debt (Wikipedia), essentially, means shortcuts. In terms of cyber security, this might mean that services might not be adequately patched, or infrastructure might be misconfigured. From an organisational perspective, different employees may have misaligned expectations, there may be few checks and balances, and little understanding of threats and available attack paths.
A further slide summarised some of these challenges that were emphasised in the webinar. Some key points include: cyber security operating models may lead to monitoring approaches that are not fit for purpose, and this may lead to the focus on cyber products (which is a technical fix), which may then in turn lead to other issues, such as a potential lack of accountability.
How do we deal with all this? There are, of course, no immediate or simple answers. A set of principles was shared, which appear to distil knowledge and experience.
- Augment people with technology. Don’t consider fancy solutions.
- Be pragmatic and detect what matters (most relevant to the organisation).
- Respond on the front foot. Planning, what are the opportunities to respond.
- Avoid dependency to enable progress. A security provider is only as good as the organisation they are protecting.
- Be visible and transparent. Evidence of services performing as intended.
- Be flexible and adaptive.
- Embed continuous improvement. Small steps are better than big leaps.
I learnt quite a few things through this seminar, and it certainly got me thinking.
Over the last few years, partly due to lots of changes within the OU, I’ve started to become fascinated by organisations, particularly in terms of how they are structured and how they work. The most important element within any organisation is, of course, people. When it comes to cyber security, people are, in my view, the most important element. It is people who respond to cyber security incidents, and it is people who set up and maintain controls.
Some of the points mentioned within the webinar reminded me of my previous study of a module that goes by the code M889 Information and Data Security. This module has become M811 Information Security, which helps students to think about controls, checks, and balances. This subject can also be found within the OU’s undergraduate cyber security named degree, within the module TM311 Information Security.
A big acknowledgement goes to the webinar speaker, Matt. I don’t know Matt; I’ve never met him. I also have no connection with CREST International, who facilitated a series of workshops and events during the day. The really interesting topics highlighted here come from the event. Where possible, I’ve tried to quote directly. Apologies for any misrepresentations or getting the wrong end of any sticks.
Finally, I found out about this event through an email that was circulated to the school. I have no idea who sent it, so I have no idea who to thank. So, whoever you are, thanks for sending it through!