Interview: (ISC)2's CEO Discusses Cybersecurity's Human Element

Thankfully, the cyber skills gap is a topic receiving a growing amount of attention, and given the urgency of the situation, rightly so. It also features heavily in the UK government’s recent national cyber strategy, published at the end of last year. However, the shortfall of skilled workers in the industry remains critical, with the (ISC)2’s most recent Cybersecurity Workforce Study finding it is 65% below what it needs to be.

It’s a problem requiring both long and short-term solutions, and these are at the heart of the raison d’etre of (ISC)2, a professional association specializing in training and certifications for cybersecurity professionals.

Recently, Infosecurity met with the association’s CEO Clar Rosso at (ISC)2’s office in Mayfair, in the heart of London, UK, to discuss tackling the cyber skills gap in addition to other pertinent topics in the field, including the impact of the Russia-Ukraine conflict on the cyber-threat landscape.

Boosting the Talent Pipeline

Rosso, who was appointed to her current post in October 2021, outlined several new initiatives the (ISC)2 is taking to boost the pipeline of skilled workers in the industry. One of these is its Entry-Level Cybersecurity Certification, “which will help demonstrate that an individual has an aptitude for moving into a cybersecurity career.” Rosso revealed that the certification’s exam is being piloted and a full launch is planned this summer.

In conjunction with the new certification, (ISC)2 is working with employers to help ensure entry-level cybersecurity professionals are able to work independently in paid roles as soon as possible. This is an attempt to deal with the ‘chicken and the egg’ situation that permeates the sector – whereby employers generally only employ those who already have significant work experience. “They want them to come into the profession fully experienced, and that’s a problem – where are they going to get that experience?” explained Rosso.

(ISC)2’s entry-level certification is part of a broader initiative to make it easier for youngsters to develop their technical skills or for those working in other industries to retrain in cybersecurity. Developing these alternative routes into the sector will undoubtedly be critical in closing the skills gap, and Rosso has observed some positive recent signs in this direction. She noted that new recruitment practices are starting to take hold in many organizations, whereby a greater emphasis is being placed on soft skills, such as problem solving and communication, above technical qualifications. For example, she observed that recruiters increasingly attend cybersecurity competitions to watch the participants in action. “They don’t focus on interviewing them; they watch and see whether they’re demonstrating those kinds of non-technical skills – analytical thinking, problem-solving and ability to communicate – and hire them based on that alone,” said Rosso. 

Clar Rosso, CEO, (ISC)2

Rosso herself came into the sector through an unorthodox route – following a lengthy career in accounting and finance. Despite the lack of technical knowledge, she quickly found significant similarities between the two sectors, particularly in areas like risk management and compliance. This experience and perspective are likely to prove invaluable as the relatively young cybersecurity industry matures. This includes how it is regulated, which is an area of focus for the recently formed UK Cyber Security Council. For instance, “the model used to govern accountancy in the UK would be one to think about if we do move forward with chartering individuals in cybersecurity,” stated Rosso.  

Keeping Certifications Relevant

To help improve her technical skills and knowledge, Rosso is currently undertaking (ISC)2’s renowned Certified Information Systems Security Professional (CISSP). At a time when the relevance of certifications in the sector is increasingly being questioned, Rosso argued that qualifications like CISSP continue to play a significant role by providing “an extra level of confidence” to employers about an individual’s capabilities following their earlier education pathway.

Nevertheless, Rosso said (ISC)2’s approach to certifications is evolving to ensure it remains relevant. This includes marrying qualifications together more with other educational pathways such as university degrees “so they’re not looked at as separate paths but as complementary things.” She pointed out that certifications are already embedded in many relevant university courses in the US, and this is an area now being actively explored in the UK, particularly with the new entry-level certification.

Another essential means of closing the cyber skills gap is making the sector more diverse in areas like neurodiversity, ethnicity and gender. This is also vital in improving the quality of the cybersecurity profession, as “the more diverse teams you have, the better they are at solving problems.”

Rosso acknowledges that lack of diversity is a particular issue at (ISC)2, where only around 9% of its members are women. This is despite the accreditation body estimating that females make up 22-24% of the global cyber workforce, a figure which, while improving, remains too low in itself. She believes the even lower female representation in industry associations like (ISC)2 could be due to not seeing enough people who look like them in those organizations and attending their events. Indeed, Rosso admitted she was taken aback by the lack of female attendees at the (ISC)2 Secure London conference last month. “You have to have a programmed effort so that when new people are coming into the organizations, they can connect with others and feel welcome,” she noted.


Cyber Implications of Russia-Ukraine

One topic that simply has to be mentioned at the moment is the ongoing Russia-Ukraine conflict and, in this context, its implications for the global cyber-threat landscape. One observation made by Rosso is that certain cyber-threats emanating from the crisis may not be public knowledge because intelligence services withhold the information for security reasons. Therefore, she believes that government agencies need to be more forthcoming with such information in the future. “That creates a huge risk for businesses, and at some point, we need to talk about that,” outlined Rosso. “Just like the government wants businesses to report breaches, the government needs to help businesses understand their risks.”

(ISC)2 also recently surveyed its members about their biggest concerns relating to Russia’s invasion of Ukraine, producing some interesting findings. The biggest fear outlined by participants was the immediate threat to critical infrastructure and essential supply chains, which could potentially put lives at risk throughout the world. This was followed by a lack of preparedness to combat attacks on critical services and data loss/ability to do business.

Rosso found the next three concerns listed by the respondents especially noteworthy. In fourth place was precedent, with cybersecurity professionals predicting that cyber warfare tactics will become the global norm, affecting all types of organizations. “I think there is agreement that this is going to become the global norm, and we’re going to have to figure out how we deal with it,” she stated.

In fifth was opportunism, with a number of cybersecurity professionals foreseeing cyber-criminals using the attention placed on the conflict to sneak through attacks undetected. The final and “most sobering” concern was not to lose sight of the human cost of the conflict, remembering that the real damage of the war is not being caused by cyber-attacks but by weapons. A respondent from Ukraine summed up this sentiment: “Right now all our services are under physical attack, so cyber-attacks in comparison with physical [destruction] of our infrastructure and people [takes] second place.”

The discussion concluded with Rosso revealing what she believes is the sector’s biggest challenge over the coming years. Perhaps unsurprisingly, this focuses on the human element, addressing the human-technology tension. She believes many people see technology alone as the “magic pill” to cyber-threats, which is a dangerous mindset to have. “Technology is only going to be as good as the people using it or the people providing input into it,” she emphasized. “So the solution involves technology but it also involves people.”

The importance of focusing on people, despite the technical nature of cybersecurity, was a constant theme of Infosecurity’s conversation with Rosso. This is something industry professionals should not lose sight of as we prepare for an era of unparalleled technical advances, such as artificial intelligence and quantum. Such technologies will only be a force for good with the right personnel and skillsets at the helm.
