Passing the baton on Cybersecurity Skills

This year will be the first time I visit Infosec with no agenda. Or to be more precise I will have a Community Safety rather than a Cybersecurity Skills Agenda. This has caused me to take a cool look at what has happened and what has not over the past decade. It has also caused me to consider what has changed over the past year as the pace of change has accelerated.

What has changed over the past couple of years

The main change has been the rise of the virtual CISO as all but the very largest users outsource their security operations. Unfortunately most of the providers target the 10,000 or so organisations who employ more than 250 staff. The other 1.5 million, who employ between 2 and 250 staff, are commonly left bereft of meaningful support, whether or not they are willing to pay. The Digital Policy Alliance recently held a meeting on the role of Cyber Insurance in setting the standards necessary for a business to be insurable, beginning with an externally assessed version of Cyber Essentials and a support contract. But far too few organisations are addressing this market. And who trains and updates technicians and professionals with the skills necessary? A recent ISSA survey (global but in practice mainly US) identified that training Virtual CISOs and maintaining their skills is a global need. But few employers help maintain the skills of those they have, let alone train new ones.

Who is addressing the skills standards  for Virtual CISOs to support large numbers of SMEs, other than Comptia?

Meanwhile, as the recent  Institute for Apprenticeship standards review identified, pen testing is not enough.

But who, other than ISACA, is looking at the skills standards to do holistic audits of security processes, including for applications which use ever more complex and vulnerable networks of IoT devices? We need to cross fertilise the work on intelligent weapons systems and integrated warfare systems with than on, for example, autonomous vehicles and mobile phones. Hence a new dimension on the way that the US – China electronics “arms race” has over-taken global co-operation.

Both CompTIA and ISACA helped the Cybersecurity Skills pilot, led by Bluescreen IT on the Plymouth University Science Park.

This showed the viability of a local Cybersecurity Skills partnership, using a shared skills incubator to bring together education and training programmes (from schools to post graduate) in providing work experience running a world class security operations centre with globally recognised qualifications as part of the apprenticeship programmes. The centre is coming up for its second anniversary. In February Bluescreen IT received funding from DCMS  to package its methodology for harnessing the skills of “over inquisitive” teenagers to enable others to replicate that success . Perhaps more important is that it has demonstrated the viability of an unsubsidised shared skills incubator providing virtual CISO services to the local community at affordable prices. Put this model alongside COMPTIA Cyber Ready and the growing market for boot camps and apprenticeships and there is the potential to transform the supply of the skills to secure the 99% of British businesses (employing half the private sector workforce) whose needs are left out of the current mainstream cybersecurity skills strategy. The 99% are not greatly helped by a central government strategy which subordinates their needs to those of GCHQ and MoD for cyberwarriors and of major consultancies to secure those businesses large enough to afford their fees. But we now have a viable alternative way forward.

This therefore seemed to be a good time to for me to retire (for the fourth time). On the morning of May 8th I met the team at the Open University who have taken over from me in co-ordinating the work of the Digital Policy Alliance skills group . The group’s portfolio includes the Cybersecurity Skills partnership. I very much hope that one result will be the replication of that approach wherever the Open University has a sufficient footprint. E-mail DPA  for details.

My new role brings a new perspective

My new role, as an independent member of the Lambeth Safer Neighbourhood Board, “convening” a pilot Community Safety Partnership, has given me a rather different perspective of the need. The closure of the last bank in West Norwood (population 34,000 and several hundred businesses) has brought home how little the banks, for example, appreciate that as they close branches (rural or urban) they are opening their customers, including small businesses and pensioners (who control half the nation’s disposable wealth) up to on-line fraud [herding the sheep on-line to be fleeced].

The latter need a human, not a help desk, to get them get back on-line. Meanwhile local law enforcement needs a lot more than a couple of skilled investigators per force. Hence the need for many more police forces to exploit the changes made in 2011 to enable security professionals to become police service volunteers, whether warranted as special constables or not.

Meanwhile the failure of major players to act on evidence of criminal abuse using their social media and on-line marketing networks, means that a growing proportion of society (particularly those whose children, elderly relatives or vulnerable neighbours have been victimised) strongly supports holding them to account in ways that may, or may not, be rational – but will certainly destroy shareholder value.

I therefore intend to remain active in campaigning for effective change to meet the needs of users, while leaving those younger than me to do the heavy lifting of making it happen in ways that enable responsible suppliers to develop more sustainable and ethical business models.

Time has, however, run out.

Trust in the cyber security industry has been eroded by the failure to remove decades old vulnerabilities because they are still being used in the three track (AI, Big Data and Cyber) and three way (United States, China and Organised Crime) arms race.  There are, of course, other players but result leaves the rest of us (from children and vulnerable adults through SMEs to big business and the critical national infrastructure) unnecessarily open to on-line abuse, attack, fraud and harm.

The focus on “awareness”, without credible action plans, is increasingly counterproductive.

Back in 2008  I had the task of doing the warm up act for Lord Errol as opening speaker for an event on the use of encryption to better secure the on-line world . The fashion of the day was for Privacy Enhancing Technologies. I referred to the industry promoting e-immodium (when the need was to identify the causes of data diarrhoea) and PETS (privacy enhancing technologies) when the need was for bloodhounds and wolf packs to hunt down those causing the mayhem.

Having failed to secure action it is time to pass the baton to those who I hope will do rather better.

But the world is changing.

On the afternoon of May 8th I attended the third annual Global Cybersecurity Alliance  briefing in the Mansion House. I am a big fan of their approach, using the proceeds of crime to remove common vulnerabilities. We learned, inter alia, of their new small firms tool kit  to help the 99% improve their security. We also had a very interesting briefing on how Intel has carried its end-point security offerings to the next level  . What a pity our Computer Science and engineering graduates are still not routinely educated to use the hardware security facilities that have been embedded in most common chip sets for over twenty years. One might even call it criminal negligence – akin to the attitudes of those who place adult rights to privacy above children’s rights to be protected and block the use of anonymised age checking.

Afterwards I learned of Cybersmart  which automates the process of compliance with Cyber Essentials. On May 9th I sat in on a global webinar with the President of ISSA on their latest survey on cybersecurity skills and careers. One of the key priorities of respondents was the need for access to training to keep up with the tools now available to remove vulnerabilities, automate response and dramatically improve security. This is particularly so since many more businesses, especially in the US, are now protected by a virtual CISO than have one in-house.

Or is it?

That week I read the Europol press cover  for the latest success of an NCTFA  led international investigation. We had press cover for the discovery of one of the tools  used by intelligence agencies (and others) to spy on supposedly secure social media communications. We had a bout of publicity for the vulnerability of the submarine cables that carry the Internet . I first blogged on this in 2008  . Readers should, however, be aware that their local internet connection is more vulnerable and that regulatory pressures for duct sharing with BT mean it will remain so.

City centres and business parks need multiple routing to meet critical infrastructure standards. Building these will run into the construction skills shortages that I highlighted at the end of last year. I am pleased to say the DPA sub group created in February to address the problem is now under way, chaired by the CEO of the Highways Electrical Association, and has identified the points of leverage that need to be addressed. I plan to blog separately on this, which is also part of the skills partnerships portfolio for the main DPA Skills Group.

Meanwhile Ofcom is talking about setting up a group to forecast future trends so that it can regulate them. This is the very approach that was rejected when its predecessor, Oftel, was created – because it would constrain the future. Instead Ofcom should be looking at how to handle the long overdue job of regulating telecoms as a critical infrastructure utility – with multiple inter-operable routings and mutual hot standby between competitors, maintained by technicians whose competence is individually accredited.

Time to move on

Anyway time for me to move on and leave it to others to make the on-line world a safer, more secure and resilient place as I spend more time off-line – where life is safer … or is it?

The whole of society increasingly depends on the industry living up to customer expectations, not best efforts and blame avoidance. I therefore have a vested interest in ensuring that the next generation make less of hash of skills policy that the current one.