A new look at the Cybersecurity Skills Market

DCMS to survey the cybersecurity labour market

DCMS has announced “a second survey of UK businesses, public sector organisations and charities to help understand the UK cyber security labour market. The research will examine how organisations approach employing and training cyber security professionals, and understand the issues they face during this process”. The result is likely to be rather more useful than last year’s unstructured survey of professional and academic opinion. I criticised the resultant report (in my review of the Initial Cybersecurity Skills Strategy) because the analysis failed to reflect the structure of UK business. It was therefore seriously flawed with regard to the likely scale and nature of demand.

This time “Businesses and public sector organisations across the UK have been selected at random from the Government’s Inter-Departmental Business Register. Charities have been selected from the Charity Commission database in England and Wales, the Office of the Scottish Charity Regulator, and the Charity Commission for Northern Ireland. Cyber sector businesses have been selected from a list compiled from various commercial business databases.

Ipsos MORI is inviting the senior person within these organisations, with the most knowledge or responsibility when it comes to cyber security to take part. In some organisations this might be a specific individual or Head of Department, while in other organisations it might be the business owner or one of the charity trustees.”

The results will be interesting. In most cases the respondent will have little or no knowledge, nor will anyone else in the organisation. I therefore very much hope that the questions for the “senior person” include “Where do you get your advice and guidance?” and “Who do you go to if you have a problem?”

Why it is so important to analyse demand by size and type of employer

A month ago I met the current Chief Executive of West London Business and agreed to send him a copy of the draft report of the study into local demand for IT skills that I helped organise for West London TEC nearly 30 years ago. That was the first (and perhaps the only) attempt to use “industry strength” market research to analyse the digital skills needs of local employers. The questions were added to the local labour market survey for which we had received funding to use a computer assisted telephone survey, with prompted and unprompted questions, to a structured (by size and sector) sample of 10% of all employers. The response rate was just over 50%. Most skills surveys, then and now, use unstructured samples and have response rates of under 2% (sometimes as low as 0.02%). In other words we had robust results in an area where almost none of the other data was statistically significant.

The survey found that most businesses used hardware and software regarded as obsolete by suppliers. Few had any full-time in-house IT support staff and most had received no professional training. Moreover none of the publicly funded training programmes in the TEC portfolio were felt to be relevant to their needs. Those wanting skilled staff were happy to train their own, provided the TEC would help them identify recruits with the necessary aptitude and attitude. They would also have liked the TEC to create a list of reputable local organisations providing relevant modular short courses. The results were so far out of line with “accepted wisdom” that the implications, beyond the synopsis headline “The users have taken over the system”, were ignored. My draft report and recommendations were never published.

I suspect we have a similar situation today with regard to cybersecurity skills.

99.5% of businesses have no in-house digital, let alone cyber expertise

The UK has 1.4m businesses with fewer than 50 staff. Most use packaged and/or outsourced IT products, services and support. They have no-one with serious in-house IT, let alone cybersecurity, expertise. Only 42,000 have more than 50 staff and only those with more than 250 staff (7,500) are likely to have any in-house cybersecurity expertise, as opposed to knowing when they need to call in an “expert” for help because they cannot understand what is happening or how to respond. Almost none will know the training their staff might need. Few will know how to find a reputable supplier of security services who can meet their needs at affordable cost.

The “answer” is almost certainly local access to services like those provided by the pilot shared skills incubator and SOC in Plymouth and/or those local ICT support suppliers who have staff competent to the level of (for example) CompTIA Security+. The lack of such access helps explain the low take up of Cyber Essentials, even among those with 50 or more staff.

The good news is that earlier this year DCMS recognised the problem and provided modest funding to help Bluescreen IT to package the Plymouth pilot for replication elsewhere and CompTIA for the Cyber Ready Programme to reach more diverse audiences (e.g. women returners).

And few cyber experts understand their Boards

At the other end of the spectrum we have the 0.01% of enterprise customers to whom most of the 370 exhibitors at InfoSec 2019 were seeking to sell AI and/or Cloud-based threat identification and behavioural monitoring products and services. These are the customers large enough to employ in-house staff who understand the meaning of terms like maturity model. Such staff all agree on the need to educate “the Board” because it does not “understand” and give them the authority/budgets to buy new products and services which will supposedly improve their technical ranking. Meanwhile most successful attacks involve insiders (whether malicious or ignorant) and failures in people processes: authorisation, authentication, monitoring, motivation, training etc.

It is now five years since I blogged on the views of the major financial services employers of the City of London on the security skills frameworks then being promoted. The world has changed but the communications gap has widened. “Cybersecurity” is now rated by more than half of finance directors as among their top five risks, but the responses being considered globally require perspectives, priorities and skills well beyond those expected from cybersecurity professionals, whether in 2015 or 2019.

I used to lecture to current and would-be main board directors on risk reduction, recommending the use of the James Bond movie Skyfall to get their colleagues’ attention, well before Edward Snowden demonstrated the prescience of the basic plot.

Cyber is a subset of risk management

I would begin by using the quote from a former Director of CESG which prefaces the seminal EURIM/DPA report on Security by Design: “The main benefit of investing in better security technology is to force the enemy to concentrate on corrupting your people instead of trying to break your systems”. I would also remind them of the need to check the recovery plans for fire, flood, power / communications outages and digititis.

I would then rank the top six cyber-related risks (mix of probability and seriousness) as:

1. lost business because of cumbersome/intrusive security,
2. competitors using your IPR (unpatented research, customer/personnel data etc.) against you,
3. insiders (over-ambitious, malicious, disaffected or loyal but untrained),
4. contractors (IT, security, compliance, cleaners, support),
5. regulators demanding data they cannot safeguard,
6. organized and targeted attackers.

My action plan would have three main points.

1. Threat assessment and risk reduction strategies (e.g. data minimisation and access control to reduce attack surfaces)
2. Insurance backed security policies and incident response plans (with third party audit of regular exercises)
3. Active co-operation with law enforcement (to deter attackers)

Co-operation with law enforcement is critical

My conclusion would be that at least 10% of the security budget should be allocated to active co-operation with law enforcement.

This should include:

  1. support (and training) for the organisation’s staff and contractors to serve as expert volunteers (whether or not warranted as specialist constables) to help staff emergency response and investigation teams
  2. contributions to the funding of full-time officers and support staff to provide independent governance and to handle co-operation with other law enforcement agencies and police forces around the world, not just within the UK or EU.

The EURIM-IPPR Study into “Partnership Policing for the Information Society” identified that the police would never have more than a fraction of the resources necessary to bring law and order to the on-line world. Today the situation is worse. On-line crime and abuse are soaring because they are almost risk-free for the criminals.

Enterprise customers divide into

  • those who allow themselves to be punch bags, hoping their evolving defences are good enough to prevent serious damage and
  • those who retaliate (from on-line gaming companies and Hollywood film studios to the supporters of the NCFTA programmes)

Those who retaliate commonly use the services of organisations like Brandshield to protect their brands or organisations like Duff and Phelps and the forensics teams of global accountants and law firms to sue all who do not help them identify and persecute (if not necessarily prosecute) the attackers and thus complement the work of law enforcement.

The topic of asset recovery appears, however, taboo among most groups of cybersecurity professionals.

They commonly take the view that retaliation would merely antagonise the attackers and lead to worse problems. This may be correct in the short term. Longer term, however, criminals find it safer and more cost effective to attack those who do not retaliate. Those with a reputation for effective retaliation tend to get left alone. That gives a double reward, as their competitors suffer. Effective retaliation requires co-operation with insurers, the internet supply chain and law enforcement, using a mix of civil and criminal law.

It also requires investigation skills that go beyond most definitions of “cybersecurity”.

The need for joined up policy

The last Labour Government was unable to bring the tribes of Whitehall together to agree a joined-up approach, led by Home Office, to implement the recommendation of the EURIM-IPPR reports. It briefly looked as though the coalition Government might make progress, with the launch of Fighting Fraud Together. This was followed by two breakfast meetings which brought together the City and Security communities at board level (several hundred decision takers in the main hall of the Chartered Accountants). But political attention was diverted to surveillance and cyberwarfare. Progress petered out.

The current Lord Mayor of London has hosted some very impressive meetings for the Global Cyber Alliance, led by the New York District Attorney and the City of London Police. The alliance uses the proceeds of crime to help remove some of the vulnerabilities that facilitate impersonation. DCMS has yet to exploit the opportunity to use such co-operation to add a low-cost multiplier to its own efforts, e.g. by making the use of such free tools and training in how to use them, mandatory on all the digital programmes it supports.

Responsibility for coordinating cybersecurity and digital policy may now sit with DCMS instead of Cabinet Office but the decision squares for action remain spread across Home Office, Ministry of Justice, BEIS, FCO (for GCHQ), MoD and DfE. Meanwhile most of the practical experience and expertise sits with those who want their customers to buy, sell, play and learn on-line – not just in the UK but globally.

If the UK is to make a success of Brexit and become a globally trusted and trustworthy location for on-line activity we need the DCMS to lead a much larger review, leading to co-operation akin to that announced, but not subsequently delivered, at the launch of Fighting Fraud Together.

20,000 Degree-Level Police Apprenticeships should be the catalyst for change

I have now handed my portfolio of skills projects, including those on cybersecurity, to a team at the Open University. I hope they will provide a focus for providing local access to world class skills, including use of the cyber-components of the 20,000 policing apprenticeships recently announced (*) by the Prime Minister to transform the UK cyberskills scene – and make the UK the most dangerous place for cybercriminals to go on-line.

Of course policing goes well beyond cyber. But it is now estimated that 80% of crime has a digital element, if only because of the conversations, selfies and location information on the mobile phones of the criminals. A consequence is that the justice system is drowning in data, most irrelevant other than to confuse judge and jury and enable the guilty to go free. Hence the need to address the cyberskills for justice and deterrence, not just those for cyberwarfare, protection and surveillance. And the more widespread those skills, the more dangerous the on-line world will become for criminals not just potential victims.

(*) I know that was not quite what was announced, but locally delivered police apprenticeships using OU-like delivery mechanisms to enable common standards are the only realistic way of achieving the headline objective.