A Little Less Complication: Does the UK Need a New Cyber Council?

As summer came to a close, so too did the window of opportunity to comment on the Government’s consultation regarding the future of the cybersecurity profession.

The consultation, which ran throughout July and August, is the Government’s first major step towards realizing ambitions set out in its 2016 National Cybersecurity Strategy – notably, to make the UK the safest place to be online or to grow a digital business. 

The key consideration put forward is the creation of a new UK Cybersecurity Council (UKCSC). As an independent regulator, the council would be responsible for driving improvement in areas including skills, ethics, international best-practice and diversity – the argument being that the current arrangement of professional bodies isn’t capable of elevating cybersecurity to boardroom status. 

But with so many bodies already operating in this space, will a new council create more headaches than it solves?

It’s worth noting that the government hasn’t yet committed to introducing a new body with full regulatory powers, but it does envisage a role for it in encouraging best practice and ethics and in promoting skills.

While a new regulator could possibly consolidate a vast group of voices, I would argue it oversimplifies the issue.

The strengths of an industry-specific approach
The remit of cybersecurity professionals is growing on a daily basis thanks to the ever-evolving nature of digital technology, and the threat landscape has grown alongside it.

Each threat targets different physical and digital assets, each with their own unique value, demanding a different level of response. Ensuring that businesses manage these threats is currently done by sector-specific regulators such as the Financial Conduct Authority (FCA) or the Solicitors Regulation Authority (SRA), each of which has its own confidentiality and integrity guidelines.

These bodies are often staffed by people who have experience working in the industry they govern – they understand the sector and the business impact on the organizations they regulate. 

Bringing the responsibilities of these highly knowledgeable organizations under one roof runs the severe risk of undermining their security practices with an overly generalized one-size-fits-all approach. Rather than elevating practice, the best a single cyber regulator could offer would be a minimum standard of compliance based on the needs of the lowest common denominator. 

The ones who know how data will be specifically used are the sector-specific bodies. A baseline set of security standards, set out by an all-encompassing regulator, would be inadequate for some and overbearing for others. 

Take, for example, a food retailer being asked to maintain the same standards of access to their store as a jeweler. In contrast, the existing risk-based approach is surely more suitable with businesses taking appropriate measures in line with the value of their assets – be they large or small – and the types of threat most prevalent in their industry.

One of the key roles for regulators is to be responsible for those who fail to uphold standards. In bodies like the Payment Systems Regulator we already have the punitive functionality in place to enforce strong digital practice for specific data and asset security through fines. 

We saw with the implementation of GDPR earlier this year that the stick can be a much stronger force than the carrot. It has influenced a cross-industry step-change that could hardly be imagined without the imminent threat of heavy fines. But GDPR gave teeth to an existing regulatory body, it didn’t create a new one.  

Cybersecurity is driven by a need to protect assets from criminals, and compliance with standards is usually necessary to demonstrate appropriate cyber defenses to other stakeholders. Adding another layer of regulatory requirements may not add any immediate value, but promoting more relevant standards with stronger deterrents through existing regulators would surely drive improvement faster than a new centralized body.

Alongside this, supporting the bodies that are already helping to improve standards and awareness is a more straightforward strategy.

Wish list
Although I have some strong reservations about the necessity of yet another regulator, there are certainly some areas of the consultation that would benefit industries as a whole. 

A recent Tech Nation study found that more than 50% of the UK’s digital tech community see the shortage of highly skilled employees as a barrier to growing their business. A better definition of cybersecurity and a better understood set of career expectations for people working in that field would help manage some of the skills gap issues that exist.

A new industry body, should it be created, would ideally spend significant time curating new opportunities and infrastructure to incentivize businesses that invest in developing infosec skills within their organization. 

If we are to improve the number of skilled workers in the UK tech industry, then we also need to be reaching out to new communities. Businesses often struggle to engage a younger audience and the presence of a more generalist cyber council could have a part to play in bridging the divide between industry and education.

Just like dealing with relevant cyber threats, the skills shortages facing businesses are also a sector-specific challenge. Whether it’s enforcing security best practice or providing the right education and training, we need to empower existing industry bodies, not create new ones.