The issue of cyber security is increasingly at the forefront of many organisations’ minds, with key questions being whether we're behind the curve in cyber security expertise, if we're fostering the right specialisms or if we even know which specific skills we need to be talking about?

A recent report from the BBC stated that ISIS is planning to unleash a number of deadly cyber-attacks against UK targets and has put the issue of cyber security at the forefront of many organisations’ minds. As a result many have begun to question if we are behind the curve in cyber security expertise, and if we recognise the organisational challenges? The phrase ‘cyber security skills’ is so broad as to be unhelpful. Do we know what specific skills we’re talking about; which specialisms we need to foster?

I had the opportunity to debate this very topic with cyber security peers at the Information Assurance 2015 (IA15) event in London. Addressing the cyber security skills balance requires more than just evaluating a number of specialisms, with organisations needing to address a number of key challenges:

1. Raising awareness of the risk: If an organisation is unaware of the level of risk they face to their systems or data from malicious cyber-attack, they are unlikely to invest in or employ the right people to protect them from those risks.

• Designing in security: Low awareness and expertise also causes inevitable procurement issues. An organisation cannot be considered an ‘intelligent customer’ if it does not fully understand its cyber security requirements. Off the shelf systems offered by many vendors may sound secure, but often key security features of those systems are not chosen for a number of reasons including lack of awareness, they cost too much or they don’t easily integrate with an organisation’s existing systems. 

• Culture: In order to be effective, security should be everyone’s responsibility. Developing awareness across every part of an organisation is a key skills challenge. Once a year online learning and testing is insufficient.
  
  
  We could learn much from how health and safety compliant cultures are fostered effectively in organisations across the UK. These include company policies on the use of equipment or facilities, the sharing of ‘safety moments’ at all meetings, and an awareness that failing to comply with agreed practices is frowned upon. Safety competence approaches can inform how we deal with security education, training and experience. 
  
  
  Importantly, this culture needs to be driven and embraced at board level to be effective and pervasive. Research shows that some boards are not familiar with vulnerabilities in their industrial control systems and have therefore provided inadequate resources to address the issues. This is typically as a result of no, or low, perceived risk thanks to a lack of reporting, both internal and external, or staff governance. 

• Usability: Although security is an organisational skills issue, those organisations don’t always make it easy for their staff. Many have a habit of making security difficult for legitimate users. Users don’t like to circumvent security, but poorly considered ‘more secure’ approaches will typically fail leading to less secure activities. A prime example would be adopting polices that enforce impractical password solutions causing users to end up writing those complex passwords down. New guidance on usable security policies has been issued by GCHQ  and I would recommend all organisations review these.

• Understand the competing requirements: Usability and IT objectives are often in conflict with control systems and safety. Restricting services could prevent safety-related actions taking place. For example, you cannot afford to enforce a complex password log-on in order to implement a safe shutdown in the event of an incident. The approach for objectives that meet organisational goals requires greater collaboration from skilled specialists across different domains - IT, OT and safety - by forming multidisciplinary teams to look at security. 

• Understanding the opportunities and risks of the internet of things (IoT): The speed of development within the Internet of Things is staggering, particularly across industry, and many view it as the fourth industrial revolution. However, by its very nature the IoT creates cyber security vulnerabilities in devices that IT specialists would not normally have considered before, such as cameras, building control systems or white goods. As effective cyber-attacks find backdoors through otherwise secure systems, expertise in fully evaluating the many and varied vulnerabilities across all devices that connect with an organisation’s network is essential.

In order to be effective an organisation’s cyber security needs to evolve. Security as a project is not an effective defence against a sophisticated enemy that is constantly developing their methodologies and looking for the next vulnerability to be exploited. It’s a journey. Learning from the mistakes of the past, like Heartbleed that redefine vulnerability and risk overnight are key. So is developing and maintaining the right balance of skills – within the IT team and across the organisation as a whole - to effectively address an organisation’s specific security risks and requirements.