Tag Archives: skills gap

Local MP, James Morris, supports efforts to bridge the cyber skills gap.

**Press Release**

Midland based Cyber/Information Security Consultancy and members of the Malvern Cyber Security Cluster, Advent IM enjoyed some serious discussion of how to bridge the cyber security skills gap with James Morris, the MP for Halesowen and Rowley Regis MP.

 

James Morris MP (centre) with Mike Gillespie and Julia McCarron of Advent IM Ltd

James Morris MP (centre) with Mike Gillespie and Julia McCarron of Advent IM Ltd

Advent IM, the UKs leading independent holistic security consultancy welcomed local MP James Morris, to their office and training centre on 20th February.  During the visit, Mr Morris met with members of the team and the firm’s Directors, Julia McCarron and Mike Gillespie and they highlighted the ongoing cyber security skills gap that the UK is experiencing. Mr Morris acknowledged this as a topic he himself was very keen to address with the local college and that he was keen to be a part of the solution to entry level skill building and a career path for young people interested in starting a career in cyber security.

Advent IM Director, Mike Gillespie has discussed the cyber skills gap before he joined Cyber Skills Challenge CEO, Stephanie Daman in a discussion on BBC Radio4 on the topic last year and takes every opportunity to discuss it and raise awareness of the threat that a continuing gulf between UK security needs and the number of available professionals forms. He said, “The youngsters growing up now are using technology in an ever increasing array of ways. The Internet of Things connects people with their information in an unprecedented way, and the workplace and home or leisure increasingly play in the same space. It is vital we get the upcoming generation interested in cyber security, not only as a career path toward being a security professional, which is what the UK plc really needs, but also because security is becoming part of every employees life as their role in organisational security is increasingly acknowledged. We cannot afford to allow our approach to security to remain static; threat and risk to business is a dynamic landscape and we need to develop our talent to deal with this landscape in the same evolved and proactive way. Bringing young people into security via apprenticeships and helping them develop down this route is going to form a vital part of protecting UK plc in years to come.”

Advent IM is keen to explore options for bridging the skills gap in the local community and supporting Mr Morris in the challenge of developing education and training programs that will enable local youngsters become the cyber security experts of the future.

Issued:  23.02.15                             Ends                                     Ref: VIP-230215- Advent

NOTES TO EDITORS

About Advent IM

Advent IM is an independent specialist consultancy, focusing on holistic security management solutions for information, people and physical assets, across both the public and private sectors. Established in 2002, Advent IM is a centre of excellence for security services, promoting the benefits of best practice guidelines and standards and the need to address risk management to protect against potential threats. Mike Gillespie is MD of Advent IM, Director of Cyber Strategy and Research for The Security Institute and a member of the CSCSS Global Cyber Security Select Committee.
From its offices in the Midlands and London, its Consultants work nationwide and are members of the CESG Listed Advisor Scheme (CLAS), Institute of Information Security Professionals (IISP), The Security Institute (SyI), Business Continuity Institute and British Computer Society.

Consultants are also Lead Auditors for the International standard for information security management (ISO 27001) and business continuity management (ISO 22301), Practitioners of PRINCE2, a recognised project

Advertisements

Technical Security Skill Shortfall Means Heightened Risk Levels For Business

First published in Outsource Magazine September 12 2013

A report commissioned by IBM concluded that Technical Information Security Skills are in short supply and that this is creating vulnerability and risk in business. The research, carried out by Forrester Research Inc., revealed that even mature organisations are facing increased risk exposure due to difficulty sourcing and retaining Information Security talent.

Overall, 80% of Chief Information Security Officers are finding it difficult or very difficult to recruit technical security staff that met all their needs, according to the research. A range of issues are feeding this difficulty and the resulting concerns about rising risk levels include some very disturbing elements, as unfilled roles create anxiety. Only 8% of respondents said that they didn’t have a problem with security staffing issues.

The remaining 92% identified some key areas for concern that any business should be considering, regardless of whether or not they think they have security talent issue. Whilst the solution for many businesses has been to recruit further down the experience ladder, you can see from the kind of pinch points identified here, that this is not a sustainable solution. Whilst it may ‘fill a security role’ it is not filling the right one.

  • external threats not understood or discovered (27%)
  • deadlines not met/projects taking longer to complete (27%)
  • a growing gap between threat and controls (24%)
  • technical control systems not fully effective (this is anti-malware and such like) (22%)
  • technical risks not identified (20%)
  • technical control systems not implemented (20%)
  • technical risks are unresolved (20%)
  • security road map is unclear (20%)
  • internal technical security audits are not undertaken (20%)
  • Process-based controls (e.g., segregation of duties, privilege review) are poorly defined, dated, or inefficient (18%)
  • concern that Security architecture is complied with (17%)
  • It has prevented adoption of new technology (e.g., cloud, BYOD) NB. Given some of the concerns we have seen in the list so far, this is probably a blessing. (16%)
  • External technical security audits are not undertaken (e.g., at service suppliers, supply chain)  (15%)
  • It has prevented business agility and/or growth (13%)
  • Security architecture is poorly defined (13%)

istock_000012299872medium.jpgThese result show us that not only that there is an increased risk to business from the skill shortage but that the kind of risk business is facing is not simply about architecture and cyber threat but also about the prevention of growth and agility. These are positive contributions that security can make and their inclusion as potential risks show a willingness to move security out of the cost column and into the investment column, but again this is being thwarted by the skill shortage. This may reveal itself in a lack of confidence in moving certain functions or activities to The Cloud or perhaps not instituting Bring Your Own Device (BYOD). Whilst it is better not to do these things if you do not know if they are within your organisation’s Risk Appetite, if you do not know what that Appetite is and there is no one sufficiently knowledgeable and skilled to be able to ascertain this and then mitigate the risk if appropriate, then an organisation may be disadvantaged. This might mean it becomes a less appealing choice for potential new and highly skilled employees for other parts of the organisation, who perhaps demand BYOD as standard along with the flexibility it brings.

Commercially, robust security and resilience is becoming a must have and increasingly organisations are being asked to demonstrate and prove themselves in these areas. Businesses that have worked with Her Majesty’s Government and the Public Sector will be familiar with their extensive security requirements for instance, but others are now finding that if they want to grow their business, the onus is on them to be able to prove their security credentials. This pressure is coming from larger organisations not just public bodies, as they realise how important it is for their supply chain to be resilient. Again this is a real stumbling block if you simply do not have the in-house skills to handle a project like ISO27001 certification or compliance. So the risks that are immediately apparent in terms of what might happen to a business without the appropriate level of security skill are actually more convoluted than they first appear.

A perception of security as a business enabler is one that many security professionals have tried to promote for a long time and the idea of growing a business within its Risk Appetite is common sense. For too long the perception of Security has been that Security will just say no to innovation, change and anything even vaguely risky-sounding. It is disappointing to think that just as the paradigm looks ripe to shift (in the right direction) that it is being stymied by a lack of high level skills. All of these challenges presuppose the organisation has the budget to be able to employ the skilled person they need.

Physical Security like manned guarding has been on the outsource list for many years, Information Security has not always been viewed the same way.  Depending on the level of challenge, size of organisation and actual (not perceived) threat and risk, there may be a viable alternative to a full time senior technical security person, through outsourcing. Perhaps if the challenge is to get through a particular project then the high level skillset may only be required at certain times, not constantly. If there is a tipping point at which the need for the skills is justified commercially this may come a lot sooner if there is an opportunity of filling the gap without actually having to finance an FTE with all of the cost that entails. Given the difficulty in sourcing the high level skills, the best talent is following the money, leaving many organisations in an uncertain security vacuum.  Outsourcing may be the solution on either a project or buy as you need type basis. It may provide a much more cost effective solution to a convoluted set of challenges that are not showing any sign of going away or simplifying. It may also mean a level of skill and experience far in excess of that which may have been within budget for an FTE.

Of course, making sure you are certain of your partner in any outsourcing endeavour is vital and due diligence on potential suppliers is vital. As a rough guide here are some questions you should be asking.

  • Does my partner understand my organisation and its business drivers and growth imperatives?
  • Can they provide qualifications, certifications, track record, references, case studies and a cultural fit?
  • Are they flexible enough for my needs? Are they able to flex up and down as required or am I going to be rigidly contracted to a number of days per month?
  • Do we have specialist or generalist needs?
  • Do we want access to an expert individual or a team of experts?
  • Do we want Strategy, Policy, Risk skills?
  • Do we want our partner to be capable of working successfully with C-level stakeholders or at the ‘coalface’ or both?