Computer Weekly Magazine March 2019:
With the increasing need for cyber security professionals, organisations are turning to new ways to address the skills gap facing the security sector
Academic qualifications, such as Cyber Security & Computer Forensics BSc (Hons) and Cyber Security MSc, provide cyber security professionals with the necessary knowledge for their career, but nothing compares to real-world experience when dealing with potential network threats.
There is a line in a Star Wars film: “I should think that you Jedi would have more respect for the difference between knowledge and wisdom.” This is just as true in cyber security, where experience is equally as important as qualifications.
“When you are in a disaster recovery situation, you do not want the new person trying out the wings,” says Bruce Beam, chief information officer at (ISC)².
Unfortunately, the number of cyber security positions outweighs the number of available cyber security professionals. The demand for cyber security professionals has outpaced supply in recent years, due to emerging threats and organisations increasing the amount of business they conduct online.
According to a study, the number of organisations that reported shortages in the cyber security skills of their staff has increased over the past four years. In 2014, approximately 23% of organisations indicated this was a challenge, but this has now risen to more than 50%. Much of this rise has been due to the increasing workload of cyber security teams.
Continuing professional development (CPD) has been used to ensure that skills remain relevant. However, some training is purely academic and offers little real-world experience. “It is not like training someone to be a welder and giving them the basic skillset,” says Beam.
In order to overcome this challenge, organisations are turning to various ways to provide their cyber security interns with the necessary experience to tackle the online threats facing organisations. One way has been through mentoring schemes, where organisations assign an intern to an experienced cyber security professional. Mentoring allows a company to preserve their staff’s experience against retirement and poaching, however a drawback is that it can inadvertently reinforce bias.
Simulated disaster management
Some organisations are turning to simulated disaster management scenarios in order to provide their staff with the experience they need. Just as fire drills are used to assess how personnel respond to a potential incident, simulating critical failures allows organisations to see how their staff respond to such events.
“I always go back to my military training and one of the things we learned was to train like you are going to fight, because you will fight like you train,” says Beam.
Simulations allow cyber security personnel to experience critical failures, without any risk to the actual network or company data. These simulations can vary from disaster recovery scenarios to white hat hackers probing a company’s network defences to see how their IT teams respond to the perceived threat.
“Too many organisations talk about disaster recovery, but never really test it and make sure it is working the way they think it is working,” says Colin Tankard, managing director of Digital Pathways.
Simulated disaster management provides a replica of an organisation’s network architecture, thus providing a real-world experience, thereby making responses second-nature.
This allows cyber security teams to use the security tools that they would use in a genuine situation and to experience the network setup and traffic. In order to be effective, disaster scenarios need to be accurately simulated, including advanced, evolving threats, targeted malware and ransomware.
A more complex version of simulated training is to use white hat hackers to probe the network defences to see how soon the cyber security team are aware and how they respond to the threat. “I have heard of white hat teams spying on organisations to see where they can get in,” says Tankard. “That has been very successful for companies as they have seen how their people are reacting.”
Read the full article in Computer Weekly here