Will we ever be safe in cyber space?

28 March 2014

Why is the UK suffering from a skills shortage when it comes to the expertise needed to fight cyber crime? RAHIEL NASIR finds out and looks at what’s being done about it.

Even as this article was being written, news emerged of yet another big name organisation that had suffered a massive IT security breach. This time it was supermarket chain Morrisons which said that payroll data for around 100,000 of its employees (most of its workforce) had been stolen and posted online. It’s suspected that the attack could be an inside job and the work of a lone hacktivist or disgruntled employee. But regardless of who the perpetrator is and what their motive was, one thing is for sure: this certainly won’t be the last cyber attack we’ll ever see.

Make no mistake, the growing problem of cyber crime threatens all of us and perhaps even the very fabric of society. More worryingly, Britain seems ill-equipped to fight it. Over the last few years, loud alarm bells have been sounding from government, industry and many others, warning about the UK’s skills shortage in cyber security experts, not just today but also for the future. So how did things get so bad?

False sense of security

Like many of the experts we spoke to, Suzanne Fribbins, risk specialist with the British Standards Institute, points out that IT networking has undergone a dramatic change over the last few years. “Ten years ago, most people did not have a mobile phone with internet access, tablets were not widely used, Facebook was in its infancy, and no one had even considered the concept of cloud computing. All of these things have changed the way we connect with the business network and also the way we communicate. There are fairly recent statistics suggesting that 90 per cent of the world’s data has been generated over the past two years alone (SINTEF research: Big Data – For Better or Worse), and there has been an acceleration of devices with ever-increasing functionality. With the constant technological evolution, the threat landscape has changed, leaving things that were once secure now no longer secure. Not surprisingly, it is a challenge to keep ahead of the range of increasingly sophisticated threats.”

Matt Middleton-Leal, regional director for UK and Ireland at CyberArk, supports this view, adding that the speed of change and sophistication of the attackers has caught organisations by surprise. “The fact of the matter is that too many still rely on traditional defences to protect their most valuable assets from attack. Businesses should assume that it is a question of when rather than if they will be targeted, and with this in mind, turn their attention to locking down all access to highly sensitive information and applications.”

Last year, the Institution of Engineering and Technology (IET) carried out a survey of 250 SMEs to gain insight into current cyber trends. Of the 250 firms questioned, only 14 per cent said cyber security threats were the highest priority and believed that they already had sufficient skills and resources in place to manage the threat.

It therefore seems that businesses are either lackadaisical about their cyber defences or are quite literally labouring under a false sense of security. According to Bill Walker, technical director and cyber security expert with IT training specialist QA, the real issue is that many organisations don’t recognise they have a cyber security problem that needs to be solved. “This often manifests itself in the statement ‘no one would want to gain access to our systems or data – we don’t have anything valuable’. Virtually every organisation has some intellectual property that could be valuable if stolen, or it could be compromised if such information got into the wrong hands.”

Thus, if organisations don’t think they have a problem with their security, they’re unlikely to actively recruit staff who specialise in cyber crime. Arguably, that’s probably one of the biggest reasons we now have a skills gap.

James Lyne, SANS Institute instructor and EMEA director, points out that another challenge is the relatively immature structure and ‘professionalisation’ in the industry. Many skilled people are either not truly recognised, or those who have great potential end up in other lines of work. “There are systematic problems that lead to this which are slowly being addressed, but not quickly enough,” he says.

BCS, The Chartered Institute for IT, agrees here. It adds that whilst a major component of cyber security is information assurance (IA) – an area which has seen much investment in training and education over the last two decades – not enough had been done in the universities to have common cyber security modules. Nor were there adequate schemes to ensure that cyber/IA professionals were recognised for their skills.

e-skills UK highlights yet more concerns. In April 2013, it published its Career Analysis into Cyber Security: New and Evolving Occupations study. Project director Nigel Payne says this revealed several worrying trends: “Firstly, the cyber security workforce is an aging one, with only seven per cent of professionals currently under 29. Secondly, there is a distinct lack of diversity, with just 10 per cent of those holding technical roles in the sector being women. Finally, it showed that the opportunities to enter the sector from general IT or non-IT roles have diminished over the last decade. Employers today are recruiting from the same small pool of seasoned professionals, which will limit growth and innovation in the sector in the long term.”

Some security experts are warning that the UK is facing a gap of about 15 years where there will continue to be a significant skills crisis. Citing a 2013 National Audit Office report, Raj Samani, McAfee’s EMEA CTO, says that the number of people training for a career in cyber security has not kept pace with the growth of the internet. “I recently experienced this first hand. I was asked to present at a university and was introduced to someone from a very prestigious firm who was telling me that they had 150 open vacancies for cyber security professionals. This is an organisation that is a household name, and one that is more than capable of paying competitive salaries. That experience really brought home the nature of the shortage. Incidentally, another attendee at the event was a small vendor that had over 11 positions open for in excess of six months.”

Securing the future

So what’s the answer? David Garfield, MD of cyber security at BAE Systems Applied Intelligence, doesn’t necessarily agree that organisations have been apathetic. He says there is now a greater awareness on boards that cyber security is a corporate risk, but adds that the key challenge for them is identifying what to do to address it. “There is a communications disconnect between the executives and the non-executives, and the IT departments and the CIOs, because they all speak in different languages.”

CyberArk’s Middleton-Leal concurs. He says security is no longer just the concern of IT teams and that strategies need to be incorporated into broader corporate initiatives: “CEOs should be educated in non-technical terms to understand what is at stake and what is required. (They can then) allocate the appropriate and necessary investment to proactive security measures in order to keep pace with the current threat level.”

Security vendor Lancope advises organisations to treat security as a business continuity problem. “They are not in the business to catch crooks, they are leveraging IT to enable the growth of the business,” says CTO Tim Keanini. “Incident response for instance should not be an IT security thing; it is a business continuity issue that spans cross departmental coordination. Legal, PR, external law enforcement – all of these roles are important when you get hacked and a certain readiness is not optional, it is required.”

He goes on to point out that while everyone needn’t be a security expert, the success of any large complex system lies in the coordination and communication of multiple disciplines all working in harmony towards a goal (even if that goal may be horizontal in nature).

While all that could help address what CyberArk said was the “current threat level”, what about the future of cyber security given today’s skills shortages? Clearly, dealing with the cyber threat needs a concerted effort by all concerned. The SANS Institute’s Lyne says: “We need to simultaneously work to encourage and recognise the talented individuals that already exist (through internships, training and competitions or challenges) and also develop new talent.

“Alongside longer term initiatives like embedding better IT skills development and security in to our curriculums at all ages, we also need to act now and take advantage of those who have casually developed an interest, or who have studied but can’t find the right entrance to the industry.”

e-Skills UK recommends a combination of things. Firstly, Payne says the teaching and careers advice young people receive in schools must showcase the opportunities available in cyber security in an “exciting and inspiring” way. Secondly, there should be the provision of new entry routes into the sector which give professionals the skills cyber security employers are looking for. “Finally, we must make it easier for both employers and individuals to find relevant, high-quality training. This will help general IT professionals enter the profession, and give both them and current security practitioners a clear progression route.”

e-Skills is playing a big part in helping to make all this a reality. In mid-March, the government announced that schoolchildren as young as 11 will get cyber security lessons as part of plans outlined in the Cyber Security Skills: Business Perspectives and Government’s Next Steps report. e-Skills will be involved in delivering a number of projects. These include: Key Stage 3 learning materials and training for teachers (delivered in partnership with Naace, the ICT in education association); employer-led cyber security higher and advanced level apprenticeship schemes; and a cyber security internship programme to enable students to gain the work experience demanded by employers.

There will also be support, through the Higher Education Academy, for universities that develop innovative proposals to improve cyber security teaching. For example, incorporating professional qualifications into degrees, getting businesses involved in course design, as well as embedding cyber security into software engineering and computing degrees.

Other initiatives that e-Skills has been involved with include the employer-backed Cyber Academy that was launched in 2012. As part of this, it developed a computing curriculum programme with input from BP, BT, CREST, Fujitsu, PwC and QinetiQ which includes content on cyber security for Key Stage 4 pupils. This has already been taken up by more than 360 schools, and similar resources for Key Stage 5 will be available from this September.

It is also working with the industry to offer paid internships from summer 2014, supporting cyber security apprenticeships with employers such as Atos, BT, Cassidian (now known as Airbus Defence and Space), CREST, IBM and QinetiQ, and developing employer-backed degrees.

The vendor response

CyberArk believes that while perimeter-based protection plays an important role as a first line of defence, it is simply not up to the job when faced with highly advanced and targeted attacks. Instead, it advocates a layered approach to security. “We help to educate organisations around the threat posed by unmanaged privileged access, allowing them to manage and monitor all privileged access in real-time, with the option to intervene if necessary,” says Middleton-Leal. “This not only eases the auditing process, but also crucially defends the heart of the enterprise against the threat from within as well as from external attackers looking for a ‘window of opportunity’.”

McAfee has been working with Queen’s University Belfast to offer internships for MSc students, and has also been providing input into the course content to ensure the skills taught are those sought by industry.

In addition, in 2013 it signed a five-year collaborative partnership with The Bletchley Park Trust and will sponsor an international Cyber Security Exhibition and Computer Learning Zone that features workshops to engage, inspire and educate visitors about the ever-evolving cyber threat.

“Just as cyber criminals innovate, so do the good guys – and not only in terms of technology,” says Samani. “Also, as an industry we are working closer in terms of standards and information sharing. This extends to collaboration across the public and private sectors, such as the Cybersecurity Information Sharing Partnership (CISP) which was launched to help government and industry share information and intelligence on cyber security threats.”

CISP is expanding and aims to double its membership to 500 by the end of 2014. This is a “significant and positive” development for staying ahead in the fight against cyber crime, according to BAE Systems Applied Intelligence. “Traditionally, governments and industry have taken a largely sectoral approach,” says Garfield. “Where the CISP is unique is that it exploits the commonalities between different sectors to share knowledge and raise threat intelligence maturity. Consequently, it allows a wider range of companies to benefit from the cyber knowledge it shares.

“Information sharing with industry is a key priority for UK government. Now the activity has been catalysed, it will be vital that it gains critical mass in terms of scale and is seen as a core element of a holistic cyber response that offers an appropriate level of protection for UK companies.”

Applied Intelligence is contributing here by using behavioural analytics to look not just at what is happening today but to piece together activities over time that, when joined up, look dubious. “We are looking for suspicious behaviours because attackers are constantly changing their approach,” says Garfield. “While the technology is vital, we also need a human mind to understand what is happening.”


Can the ‘good guys’ win?

Of course, the same technologies and intelligence being leveraged by the ‘good guys’ are also largely available to the cyber thieves. And while they also share the same scarcity of expert resources as the industry does, Lancope says it is becoming easier for them to find talent. “Advanced criminals knew that leveraging IT for their business was important for growth and some would therefore recruit young hackers for this activity,” says Keanini. “Now things are much different. Today, with expert hackers selling their capabilities on the dark markets, any criminal with some cryptocurrency in hand can buy the capabilities they need to enter the cyber crime market place. They can piece together exploits, watering hole websites, DDoS attacks, custom malware, evasion techniques, until they get it just right. Heck, they can just buy the credentials for some executive and not even trigger any security events at all.”

So what chance do we have? QA reckons that at the end of the day, infosec experts will probably always be one step behind the hackers. While the cyber criminals are constantly innovating in the ways that they go about their business, security companies and professionals are often just reacting to the latest method that they discover. “After all, a virus scanner can only react to a known signature, so a zero-day attack can compromise these until an emergency update is released,” says Walker.

He adds that the amount of effort you put into securing systems and data has to be looked at in the context of what you are protecting yourself against – i.e. it needs to be proportional. “You lock your door when you leave home and no doubt ensure all the windows are closed. So why don’t you put in armoured doors and have bars on all your windows? Because you have done a risk assessment (although you never probably realised this as such) and have applied a proportionate response.

“So when you find a spate of threats in your area you step up your security appropriately, and in some parts of the world you would want steel doors and bars on the windows and a gated community. The same goes with your systems. Know what you have, know the likelihood of loss, know the consequences of a loss, and know what to do if it happens. When you explain to the board, shareholders, customers and partners that you had not prepared for the major cyber attack you have just had, it’s probably time to clear your desk and collect your P45 on the way out.”

So essentially it’s all about due diligence, best practices, being proactive, and engaging and educating all parties. Ultimately, it’s also all about protecting UK plc’s bottom line, according to Universities and Science Minister David Willetts. Speaking in March, he said countries that can manage cyber security risks will have a clear competitive advantage: “By ensuring cyber security is integral to education at all ages, we will help equip the UK with the professional and technical skills we need for long-term economic growth.”