It’s been a challenging year with the global Covid-19 pandemic bringing both good and bad outcomes in business. Along with working from home, redundancies, furloughed workers, reduced hours, uncertainties around future employment, technology replacing jobs and business closures, we’ve seen much needed resets and innovations. And, as each new government rule has been put in place to keep us safe, physically isolated from one another and in lockdown, it’s moved more of us online – shopping, working and learning – so we can economically function, socially interact, and maintain a sense of normality.
When it comes to the skills gap and women in cybersecurity, I’m regularly approached by journalists who ask me what the root problem is, what more we can do, who’s doing a good job, and whether this year’s pandemic has actually made things better or worse.
Here’s my answer.
#1. Awareness of and interest in cybersecurity are up
Thanks to media attention due to hacks and data breaches plus campaigns and initiatives run by governments, tech giants, system integrators, cybersecurity consultancies and product vendors, more people than ever are interested in cybersecurity. Individuals want to understand how to protect their identities, bank accounts, and personal data. Business owners want to understand how to protect their assets. And prospective cybersecurity employees want to understand how to get into a dynamic, lucrative, mission-led industry, so they can develop a future-proofed career.
The good news is that when a strong case is made for a career in cybersecurity, interest follows. Where I live in the UK, programmes like CyberFirst, developed by the National Cyber Security Centre (NCSC), are highly effective. CyberFirst offers a broad range of activities for young people: thousands of free places on CyberFirst courses at UK universities and colleges for 11 to 17-year-olds, a girls-only competition, a comprehensive bursary scheme that financially supports undergraduates through university, and a degree apprenticeship scheme.
The CyberFirst Girls Competition, set up to bring more gender diversity into cybersecurity, deserves special attention. By providing a fun but challenging environment, it has attracted more than 24,000 entrants since it started four years ago, and a new generation of young women are now considering a career in cybersecurity.
But this isn’t all. Many cybersecurity companies partner with CyberFirst, Cygenta among them. Cygenta supports Gloucestershire schools with all sorts of cybersecurity sessions and activities, running pro bono initiatives that help young people understand the human, technical and physical elements of cybersecurity, and how they can be part of the industry. With this approach they reach thousands of students every year. For example, in December 2020 they ran a cybersecurity writing competition called CyberVibe with local school students and received over 600 entries. The competition asked 10- to 18-year-olds what cybersecurity meant to them.
Dr Jessica Barker, a co-founder of Cygenta, said the answers showed an exceptional grasp of cybersecurity at the individual, family, organisational and national level, and added how encouraging it was that the majority of competition winners were girls!
Other notable initiatives include:
- The Cyber Security Challenge, which was established in 2010 to ensure a thriving and inclusive pipeline of talent;
- The newly formed UK Cyber Security Council, which serves to champion the cybersecurity profession across the UK, provide broad representation for the industry, accelerate awareness and promote excellence in the profession; and
- TechTalent Academy, which offers a suite of programmes, from data to software to cyber, for women and underrepresented groups looking to get into tech, plus a regional Hacking Lab for school and college students (aged 16 to 19) designed to get them interested in a career in cybersecurity.
#2. The cybersecurity skills gap is “technically” reducing
Media reports regularly tell us that we have a skills shortage, with around 4 million cybersecurity jobs unfilled worldwide, that mid-market and large enterprise businesses struggle the most, and that time-to-hire has shown no significant improvement on last year. However, new reports from (ISC)2 and PwC have disclosed that the huge global shortfall in cybersecurity professionals has actually dropped, both because more people have joined the industry and because pandemic-related uncertainty has softened demand.
Having interviewed 3,700 industry respondents from around the world to better understand the current challenges facing the sector, (ISC)2‘s 2020 Cybersecurity Workforce Study has revealed that 700,000 extra professionals – that’s a quarter more than last year’s workforce estimate – have actually joined the cybersecurity workforce.
Although this appears to be promising news, (ISC)2‘s report calls for caution, as several worrying factors have emerged, most notably job losses, salary reductions and cuts to hours, all due to the COVID-19 pandemic and the resulting hit to security budgets.
The situation is concerning as cybersecurity has never been more important than it is now. In a world of remote working and digital transformation, cyberattacks and compliance failures are on the increase. A perfect cyber pandemic storm is forming, and threat actors have an opportunity.
#3. This year’s predominant attack vectors and cybercrime trends
Phishing has continued to be the most prevalent attack vector, as fraudsters have sought new ways to exploit our lives, both personal and professional, any way they can. Infosecurity Magazine reported that the UK’s HMRC detected a 73% rise in email phishing attacks in the six months after the COVID-19 pandemic struck the country, and F5 found that phishing incidents rose by a staggering 220% over the yearly average at the height of global pandemic fears.
Using carefully crafted messages, and increasingly deepfake technology that produces fake video and audio appearing to come from trusted brands, government agencies or leaders, fraudsters are exploiting pandemic-themed activities and needs (health care, learning and jobs among them) and preying on our “hot states” and human vulnerability.
It’s widely cited that around 95% of security breaches involve human error, and according to research by Oslo-based app security company Promon, two-thirds of the UK’s newly remote workforce say they have not been given any cybersecurity training by their employers during the past 12 months.
According to a recent global study by Accenture, there’s a direct correlation between how quickly organisations find security breaches and whether they provide solid cybersecurity training. Organisations that delivered effective training found 52% of security breaches in under 24 hours, compared with only 32% for the rest.
Another form of cyberattack that has risen in frequency, sophistication and severity this year is ransomware. According to internet security company SonicWall, it has surged globally by 40%. It impacts businesses of all sizes and in all sectors: one of the most prominent attacks was on the multinational GPS and fitness company Garmin, followed by remorseless attacks on public sector services like hospitals, schools and universities.
A report by IT security company Sophos, revealed how organisations are never the same after being hit by ransomware. Aside from lost business, downtime, reputational impact and loss of confidence in those responsible for their organisation’s breach, the report detailed how more than one-third (35%) of ransomware victims said that recruiting and retaining skilled IT security professionals was their single biggest cybersecurity challenge, compared with just 19% of those who hadn’t been hit.
Supply chain attacks are up too, and fresh in our minds is December’s SolarWinds breach, in which threat actors gained access to governments and numerous public and private organisations around the world via trojanised updates to its Orion IT monitoring and management software. SolarWinds has more than 300,000 customers, and by the company’s own disclosure around 18,000 of them installed the trojanised update. The attack highlights how far the compromise of a single major vendor can reach, because every customer implicitly trusts that vendor’s build and update process.
Worryingly, with attackers adopting a strategy of moving ‘upstream’ to covertly infect key software supply chains, there has been a 430% year-on-year increase in attacks targeting open source components directly. Open source ecosystems rely on trust, and because it’s hard to tell a good actor from a bad one, trust-based attacks are bound to be exploited more and more. This is troublesome, as today 90% of the components in a typical application are open source and 11% of those are known to contain vulnerabilities.
#4. Investment in cybersecurity tools and solutions
Online behaviour has adapted fast during the pandemic, and cybercriminals and their means of exploiting these changes have adapted just as fast. Meanwhile, according to a report by PwC, over half (56%) of the leaders surveyed believed their organisations were at risk due to cybersecurity staff shortages.
To offset the shortage of skilled, readily available cybersecurity practitioners, and to avoid common HR roadblocks, delays and inefficiencies, many cybersecurity leaders have chosen an easier and more controllable path: they’ve increased their investment in cybersecurity tools and solutions.
It makes sense, especially as AI and machine learning advance. However, according to a study by IBM, over-investing in cybersecurity tools to compensate for limited skills or understaffing can actually hurt corporate defences.
Companies that use more than 50 cybersecurity tools scored 8% lower on their ability to detect threats, and 7% lower on their ability to defend against them, than enterprises using fewer tools. And although the number of companies investing in cybersecurity tools has grown by 18% over the past five years, many of them report being 13% less effective at containing active threats.
Clearly, investments in tools and solutions are still important, but the pandemic has revealed how important an investment in people is.
#5. Top ranking executives must understand the relevance of cybersecurity
Building on the information I’ve shared: when Tanium surveyed over 1,000 CXOs from enterprise and government organisations across the USA, UK, France and Germany in June 2020 and asked how COVID-19 was affecting them, 90% of respondents said they’d experienced increases in cyberattacks due to the pandemic. 93% also said they’d had to delay key cybersecurity projects in order to work on the transition to remote work forced by the pandemic. Furthermore, 98% reported security challenges within the first two months. For example, 43% found patching remote workers’ personal devices difficult and 26% admitted to completely sidelining this vital practice.
According to ServiceNow’s 2019 study 'Costs and Consequences of Gaps in Vulnerability Response,' patching was delayed by an average of 12 days due to data silos and poor organisational coordination, and 60% of breach victims said they had been breached through a known vulnerability for which a patch was available but not applied.
Whether it’s during a crisis such as a pandemic or not, when major plans are changed, cybersecurity leaders must get through to top level executives and explain to them what they need and why it matters. They must see the world through their eyes and work on influencing their decisions. Using the Board of Directors as an example, their main concerns are revenue and risk, so a good cybersecurity leader must learn to speak the board’s language and translate what effective cybersecurity means in their terms. So many boards and top ranking executives are operating under a false sense of security.
Equally, top level executives must forge better relations with their cybersecurity leaders and become more cybersecurity astute. They must become more proactive and see the cybersecurity team as a strategic part of the business, aligning goals together. As cybersecurity is central to an organisation's wellbeing the buck really does stop with them.
#6. Leadership is the secret sauce for cyber risk reduction
This year has called for remarkable leadership, as the pandemic has taken a toll on those in the industry. Practitioners know it’s a pressurised, high-challenge environment that’s often at odds with the business, because it sees risk everywhere and is accountable for it. They know that its leaders typically have small teams and small budgets, and that average tenures last less than 22 months. Furthermore, it usually sits within Technology rather than the Business, which can cause a conflict of interest, as there often isn’t a clear separation between cybersecurity and technology budgets. And to make things worse, it’s typically viewed as a cost rather than an enabler of the business, which plays out in budgets, a ceiling on salary bands for roles, less loyalty and employee churn.
Cybersecurity is an incredible profession but as our world changes, so must we.
And this means better leadership, which includes managing stress and burnout. According to the latest figures (from before the pandemic), 65% of SOC professionals say stress (alert fatigue is one likely cause) has made them think about quitting their jobs. For those leading cybersecurity teams, 91% of CISOs say they suffer moderate or high stress; 60% rarely disconnect from their work; 88% work more than 40 hours per week and 27% work up to 60 hours, with 1 in 5 available 24x7. Additionally, 17% are turning to medication or alcohol to help them deal with the stress they’re facing.
Cybersecurity demands performance – clear and effective thinking around risk reduction. However, operating in burnout conditions doesn’t enable this. It just results in mistakes, misjudgements and errors being made. Leaders who are creating high performing teams know this and work to continually improve. They educate themselves, invest in coaches, develop more emotional intelligence and are proactive. They also operate with something called “High Challenge and High Support,” and they have these in powerful and equal combination.
High Challenge and High Support is where there are high expectations of what can be achieved and where your team members are actively being enabled to grow, develop and meet the challenges. This is important during periods of change because successful change doesn’t happen by itself – it has to be led, consolidated and sustained. Leading in environments of High Challenge and High Support equips teams to secure their own success and operate with responsible initiative and energy rather than being dependent.
The combination of challenge and support has to be balanced, as too much of one or the other will leave you and your team members short of your full potential. For example, too much support will make teams dependent on you and resistant to change. Too much challenge means leaders are simply pushing teams, burning them out, or teaching leadership traits that don’t deliver high performance and invariably become culture. And when the team falls short of being high performing, risk seeps in.
#7. Diversity leads to better decision-making in cybersecurity
Keeping an organisation safe from cyberattacks, data breaches and compliance failures relies on teams that can make competent decisions based on cyber risk and often under pressure.
According to a study that examined 588 decisions made by 184 teams over two years, decision-making is the most important thing managers and executives do at work. It accounts for 95% of business performance, and teams make better decisions than individuals 66% of the time. Furthermore, decisions get better as diversity increases. For example, gender-diverse teams make superior decisions 73% of the time. When there is diversity of both gender and age, that rises to 80%. And when there is diversity of age, gender and geographic background, the figure climbs to 87%.
So given this knowledge, now it’s time to take action. Here’s a summary of things you can implement.
Summary of Action Points
- Contact the Cyber Security Challenge, CyberFirst and the UK Cyber Security Council (or similar initiatives in your country) to find out how you can support them. This could be via sponsorship or volunteering.
- If you’ve got entry level cybersecurity positions to fill or know they’ll be coming up soon, contact TechTalent Academy. They have qualified and capable graduates, from women to individuals from underrepresented groups, who are looking for work placements right now.
- Understand your team’s competencies, skill sets and career development ambitions. Recognise their achievements, develop them, show compassion and ensure they are supported and feel taken care of. Emotionally intelligent leaders and their teams are thriving now as they’re united, working hard, and committed to the success of the company and each other.
- Invest in yourself as a leader through training, coaching and mentoring programmes like the ones I offer or can recommend. When you take care of your employees and provide them with a High Challenge and High Support environment, they’ll feel psychologically safe, excel, and do right by you.
- To get top level executives more up to speed on cybersecurity, access the UK’s NCSC board toolkit or engage with a supplier who can assist.
- To decide which open source libraries can be trusted, verify the signatures or published hashes of the components you consume, keep an inventory of the exact library versions you actually ship, and record their releases and any known problems. Engage a competent cybersecurity organisation to help with this and to strategically plan, implement and manage further cybersecurity measures.
- If you don’t have adequate resources such as cybersecurity technologies, processes and specialists with relevant expertise, outsource your cybersecurity requirements to expert companies where they can build you a cyber resilient infrastructure, help you keep up to date and train up existing staff.
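The open source trust problem raised under trend #3 and the action point on verifying and tracking libraries above come down to a mechanical check that can be automated in a build pipeline. Here is an added example (my own illustration, not code from any company or programme named in this article) in Python: it reads a pip-style lock file that pins each dependency to an exact version and sha256 hash, verifies the bytes actually fetched against those hashes, flags anything left unpinned, and cross-references each pinned version with an advisory list. Every input is constructed for the demo: the package names (widgetlib, parsekit, netutils, legacytool), the artifact bytes and the advisory identifier EXAMPLE-2020-0001 are hypothetical and refer to no real packages or CVEs.

```python
"""Verify pinned open source dependencies before trusting them.

Added example, not code from the article's author or any project it names.
All inputs are constructed: package names, artifact bytes, lock file and the
advisory id EXAMPLE-2020-0001 are hypothetical (no real packages or CVEs).
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# pip's hash-pinning syntax: exact version plus the expected sha256 digest.
PINNED_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.\-]+)==(?P<version>\S+)\s+--hash=sha256:(?P<digest>[0-9a-f]{64})$"
)
NAME_RE = re.compile(r"^[A-Za-z0-9_.\-]+")


@dataclass
class Requirement:
    name: str
    version: Optional[str]  # None when the line is not an exact "==" pin
    sha256: Optional[str]   # None when no --hash was recorded


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed: the bytes the maintainers actually published.
GENUINE = {
    "widgetlib": b"widgetlib-1.4.2 genuine release bytes",
    "parsekit": b"parsekit-0.9.0 genuine release bytes",
    "netutils": b"netutils-2.1.0 genuine release bytes",
}
# Constructed: what our build actually fetched. netutils has been swapped for
# a tampered build, i.e. the upstream-compromise scenario in the article.
DOWNLOADED = {
    "widgetlib": GENUINE["widgetlib"],
    "parsekit": GENUINE["parsekit"],
    "netutils": b"netutils-2.1.0 TAMPERED build bytes",
}
# Constructed advisory feed: (package, first affected, first fixed, advisory id).
ADVISORIES: List[Tuple[str, str, str, str]] = [
    ("parsekit", "0.8.0", "0.9.1", "EXAMPLE-2020-0001"),
]
# Constructed lock file: hashes recorded when each dependency was first reviewed.
# The last line is deliberately unpinned to show how that is reported.
LOCKFILE = "\n".join([
    f"widgetlib==1.4.2 --hash=sha256:{sha256_hex(GENUINE['widgetlib'])}",
    f"parsekit==0.9.0 --hash=sha256:{sha256_hex(GENUINE['parsekit'])}",
    f"netutils==2.1.0 --hash=sha256:{sha256_hex(GENUINE['netutils'])}",
    "legacytool>=3.0",
])


def parse_lockfile(text: str) -> List[Requirement]:
    reqs: List[Requirement] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PINNED_RE.match(line)
        if m:
            reqs.append(Requirement(m["name"], m["version"], m["digest"]))
        else:  # anything that is not an exact pin with a hash is recorded as unpinned
            reqs.append(Requirement(NAME_RE.match(line).group(0), None, None))
    return reqs


def parse_version(version: str) -> Tuple[int, ...]:
    # Dotted integer versions only (e.g. "2.1.0"), which is enough for exact pins.
    return tuple(int(part) for part in version.split("."))


def advisories_for(name: str, version: str, advisories) -> List[str]:
    v = parse_version(version)
    return [adv_id for pkg, introduced, fixed, adv_id in advisories
            if pkg == name and parse_version(introduced) <= v < parse_version(fixed)]


def check_requirements(reqs, downloaded, advisories) -> Dict[str, List[str]]:
    """Return, per package, the list of reasons it should not be trusted."""
    findings: Dict[str, List[str]] = {}
    for req in reqs:
        if req.version is None or req.sha256 is None:
            findings[req.name] = ["not pinned to an exact version and hash"]
            continue
        problems: List[str] = []
        data = downloaded.get(req.name)
        if data is None:
            problems.append("artifact not downloaded")
        elif not hmac.compare_digest(sha256_hex(data), req.sha256):
            problems.append("hash mismatch")  # tampered or substituted artifact
        problems.extend(advisories_for(req.name, req.version, advisories))
        findings[req.name] = problems
    return findings


def check_all() -> Dict[str, List[str]]:
    return check_requirements(parse_lockfile(LOCKFILE), DOWNLOADED, ADVISORIES)


if __name__ == "__main__":
    for pkg, problems in check_all().items():
        print(f"{pkg}: {'OK' if not problems else ', '.join(problems)}")
```

Run as a script it reports widgetlib as OK, parsekit as affected by the constructed advisory, netutils as a hash mismatch and legacytool as unpinned. The hash check catches a substituted artifact only if the recorded hash was taken from a build you reviewed, so the lock file itself belongs in version control and under code review; the advisory check is only as good as the feed it is given, which is why the action point above pairs it with recording releases and known problems over time.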
Now I want to hear from you…
- What trends have I missed? Tell me what you’ve noticed from 2020.
And remember, if you need to recruit new entry level cybersecurity hires, please drop me a message or contact TechTalent Academy.