Let’s not wait for a crisis to close the cyber skills gap

05 August 2020 | Scott Nursten

If Covid-19 has highlighted anything, it is the full value of digital technologies.

Remote working is no longer an experiment for some businesses; it is a requirement for all. The benefits are crystal clear: reduced travel and its positive effects of lower costs and cleaner air; more focused and productive teams; the convenience of unified comms.

Rishi Sunak recognised the importance of tech when he allocated more than £5 billion of investment into Britain’s digital infrastructure. Technology is central to tomorrow’s business models but that means cyber security stands alongside, centre stage.

Yet as companies rush to implement digital working platforms, the skills gap in cyber security has become glaringly obvious.

Only a day after Sunak’s announcement, the Department for Digital, Culture, Media & Sport (DCMS) released a report stating that 48% of businesses are struggling with a basic lack of technical, incident response and governance skills to manage cyber security.

Every day, story after story hits the press about cyber-attacks. No business is too large or too small to be a victim, not even in the not-for-profit sector. If you have data, you’re a target.

Are hackers smarter than everyone else? In the main - no. Pretty much anyone can become a ‘script kiddie’ in a day or two, using obvious Google searches. Cyber security is where the true brains are needed.

Do we even need to ask why hacking is popular?

Hacking is popular because it’s easy and it pays. We have a cyber skills gap in business and even technical people can be notoriously bad with basic cyber hygiene like good password management and timeous patching.

Hackers don’t need high IQs to be successful, and it doesn’t take a genius to notice that a huge number of businesses are leaving themselves open to attack.

So lucrative has cybercrime become that, according to various sources, it could be the world’s third largest economy by 2021.  

Walmart is America’s biggest earning business. It generated $514 billion last year. Cybercrime earns 12 times that. As Marc Wilczek said in his recent article on Dark Reading, ‘in terms of earnings, cybercrime puts even Tesla, Facebook, Microsoft, Apple, Amazon and Walmart to shame.’

Skilled cyber security professionals are clearly sorely needed across the business world. Basic market dynamics dictate that where there is demand, there should be supply. So why is this not the case for cyber?

Fault has been laid at the door of the academic world and a lack of structured learning. I disagree with this. Here’s why.

The triple layer problem with cyber

1. Hacking is easy. Cyber security is not.

Breaking stuff is much easier than fixing stuff. A hacker is like the joker who gets a kick out of tripping people up: easy. Cleaning up the mess they leave behind is far more complicated. After all, anyone can push someone over. But it takes a doctor to fix a broken leg.

2. Cybercrime does pay

The rewards for a successful spear phishing attack can be millions of dollars. It might take some research and patience, but criminals only have to pull off one successful attack to net the equivalent of multiple years of a security expert’s salary.

3. Cybersecurity needs to move faster than ever

Cyber is probably the fastest changing environment on the planet. Any course created to teach what’s happening now is in danger of being out of date before it’s launched.

There is a fourth problem, but it deserves a section all to itself because it is massive: the world is the cyber attacker’s oyster.

Everything is stacked in favour of the cyber attacker

Many people might think of the dark web as the home of the cybercriminal. But there are plenty of places on the legitimate web where hackers hang out in plain sight every day.

For white hatters, interaction with hackers is invaluable, because they need to know about emerging threats. Talking to a hacker is perfectly legal. It’s not even illegal to have viruses stored on your computer. In fact, anyone can download the most extreme malware easily for ‘testing purposes’.

Despite cyber insurance policies and cyber task forces existing across the world, cybercrime is extraordinarily difficult to police. How do you get to the bottom of a hack? Thousands of machines are often used in a single attack. If a machine has been ‘rooted’ the owner often doesn’t know they’ve been hacked.

Once an attack has occurred, it’s already too late in many cases to do anything about it. The only productive course of action for the cyber security pro is to create sophisticated defence systems, rather than chase cyber ghosts down digital rabbit holes.

Mindset is a major obstacle for Gen Z

The flip side of everything being stacked in favour of the cybercriminal is that there is little incentive for a script kiddie today to take the virtuous path.

Cyber security is a fascinating, challenging career – and it can pay handsomely. But it’s difficult. It is the tech equivalent of becoming a doctor. It requires patience, an analytical mind, technological creativity and a hunger to learn.

Ubiquitous screens, the endless scroll and the new opiate of the masses, social media, have created a different kind of human mindset. In many ways, personal technology has brought incredible positives - but it also has a well-documented dark side.

The endless scroll is addictive. Any parent of teenagers will appreciate how difficult it is to prise a smart phone out of their hands; how the screen is king, how the instant gratification it brings has created a generation of youngsters with diminishing patience.

Hacking can be learned fast. Becoming a security professional takes time and effort to learn. If we are going to close the cyber skills gap at any rate close to keeping up with the cybercriminals, we have to create a way of appealing to Gen Z brains and keeping them engaged.

Social media does not only present issues for children, of course. As adults, we have also learned to favour convenience and pleasure over all else.

This is creating a massive problem when it comes to instilling the importance of cyber security in business protocols. Online consumerism has encouraged us all to value instant service, instant access, instant results.

The good news is that the latest cyber security technologies are evolving to appease this mindset. So, if you don't trust your teams to follow protocol, you can deploy tech that makes it very difficult to stray.

Will it take a cybercrime pandemic to wake us up?

Covid-19 has been atrocious on so many levels. It has also brought out the best in humanity. Is a similar crisis, then, what we need to sort out our attitude to cyber?

According to AV-Test, the Independent IT-Security Institute, 350,000 new pieces of malware are created every day. If we continue to coast, without taking steps to tackle cybercrime properly, we are going to sleepwalk into a digital pandemic every bit as serious for our corporate networks as the coronavirus has been for our nations.

But perhaps that is what we need. There are some brilliant young minds out there, capable of becoming incredible cyber security professionals. History shows us that necessity is the mother of all invention, that a need to improve the human experience has driven us to build bridges, railways, the Internet.

Perhaps we are all just too comfortable and we need a cyber disaster to wake us up to the true magnitude of this problem. The world was not prepared for Covid-19 and its potential reach was underestimated by many powerful bodies. We are similarly blind to the potential disaster that could be unleashed by a cyber crisis.

Education, experience or mindset?

As a cyber security professional of over twenty-five years, I have done my fair share of courses. I am not anti-education: on the contrary. I just don’t believe education alone is enough to fill the skills gap.

I said at the start of the article that cyber was a three-layered problem. I also believe it requires a three-layered solution of education, experience and mindset.

The NCSC has recently updated its list of accredited cyber courses. But offering university degrees to potential cyber security professionals as the main route to the right side of history is a gamble.

Attackers don’t study at university. They are all self-taught and eager to break the system. If they are successful, the rewards are substantial.

It’s going to be a tough call, selling a security course that could easily be outdated by the time the student graduates, for a debt of £50k or more. Particularly when they can only hope to earn around £100k per year after several years’ experience.

If young people want to learn about cyber security, they can do so at any age. Free online learning platforms already exist that offer professional courses. If lack of education were the only obstacle to entry, why are these courses not oversubscribed?

If a kid is interested in cyber and coding, chances are, they will explore the shadier areas of the web first. In his book, Drive, Daniel Pink detailed our three main drivers for anything we do beyond basic survival: autonomy, mastery and purpose. We must tap into these areas of young minds to encourage them into cyber.

Government initiatives such as Cyber Discovery, CyberFirst and Cyber Security Challenge UK encourage young talent to enter code-cracking competitions and learn the basics of cyber security, generating a hunger to learn. I believe this approach is along the right track.

However, we shouldn’t always be looking to the Government or education systems for the answer. Experiential initiatives, such as apprenticeships with tech leaders or GCHQ, are also valuable.

My main concern is that these already exist and yet so does the skills gap. The only thing we haven’t really addressed is mindset. Until people are either engaged enough – or shocked enough – by the importance of security, I’m afraid the attackers will continue to outnumber the good guys.