When the UK Government released an advert suggesting a young ballerina’s next job could be in cyber — “she just doesn’t know it yet” — they probably didn’t predict the uproar it would cause. While the furore around the advert may have clouded its intended message, it did succeed in making people talk about the cyber security skills gap, where the need to take action is only becoming more urgent.
For many organisations, investing in cyber security historically meant buying digital tools. And there’s nothing intrinsically wrong with that approach: machine learning is often used to spot unusual or potentially malicious activity, automating some of the more labour-intensive tasks.
But investing in cyber security technology is only half the battle. “Cyber security needs to strike a balance between technology, process and people,” says Daisy McCartney, PwC’s cyber security culture and behaviour lead. “Often, we see clients buying new technology, but their people don’t have the skills they need to get the best out of it.” Organisations need to invest in their people’s cyber skills to properly optimise their software. This will help them get maximum value from their existing cyber investments before they spend more cash on additional tech.
We recently surveyed 265 UK business and technology executives as part of a global study into cyber security strategy in 2021. 42% of UK organisations told us they plan to increase their cyber headcount in the next year, while many also agreed that new cyber security hires should possess more than just technical knowledge. While security intelligence (46%) and the ability to work with cloud solutions (40%) were cited as the most important skills for new employees, this was closely followed by communication (38%), project management (38%) and analytical skills (37%). This reflects the evolution of the industry, with cyber teams now required to work collaboratively with the rest of the business to develop a strategic, analytical approach to cyber security.
It’s not always easy for organisations to establish precisely what talent they need. There are lots of cyber security skills frameworks available, with some referencing over 600 different skills. To cut through the noise, our cyber security team worked through the three main frameworks and came up with a simplified view. “There’s a lot out there, and it’s already too complex,” explains Daisy. “We broke it down for the typical organisation, setting out the specific knowledge and skills that most cyber security teams will need.”
As a starting point, organisations should assess their aspirations for their cyber strategy. Next, they’ll need to carry out a skills maturity assessment, looking closely at the capability that already exists in their workforce and identifying key threats and risks. From there, it’s important to think about how they can align their cyber strategy with their business objectives and build a target operating model that’s fit for purpose.
But it isn’t just about setting up the right team with the right skills. Cyber threats are dynamic and attackers develop new techniques all the time, so skills can quickly become outdated. “Organisations need to keep up — and that’s hard,” says Daisy. “They need to build and continually develop a cyber workforce that can keep pace with the evolving threat landscape and the attackers they face.”
Often, organisations don’t properly understand the people component of cyber attacks or they don’t give their workforce the support they need. “Is it a lack of knowledge that’s the problem? If it is, you may need to think about investing in better training,” suggests Daisy. “Or is it a problem with your security? Cyber security can be difficult and cumbersome, and it can affect people’s ability to do their day job. The secure way can’t just be the right way: it also needs to be the easiest way.”
There’s a common misconception that cyber attacks are successful because of human error. In reality, attackers consider the whole ecosystem; the human aspect is just one vulnerability they look to exploit. In response, organisations need to take an equally holistic view — considering technology, processes and people — if they are to defend themselves. They can’t just roll out an e-learn and expect results.
Organisations need to understand the root causes driving particular behaviour and ask themselves whether their culture encourages good security practices. If not, why not? And what can be done to encourage a more secure culture? Senior stakeholders have an important role to play here, by consistently role-modelling, incentivising and encouraging secure behaviour.
As attackers introduce workarounds for the defence tools organisations put in place, having a strong security culture is vital. As PwC cyber workforce specialist Holly Rostill neatly puts it: “An attacker is a human, so your defences need to be, too.”
Cyber security is about more than installing firewalls. It’s about helping your cyber team develop the skills they need to stay ahead of the attackers, while ensuring that everyone in your workforce — no matter what they do — has the secure behaviours, attitudes and beliefs they need to keep your organisation safe.