Building a cyber security super team
Tom Mullen, O2’s Head of cyber security, considers the global growth in cybercrime and the skills shortage that is affecting every business.

The cybercrime epidemic

Cybercrime is big business. And it’s growing rapidly, becoming a threat to every organisation regardless of size, industry, or geographical location. According to Accenture’s Cost of Cyber Crime Study, the average cost of an IT security breach to a business was US$11.7m in 2017. That is a 23 percent increase on 2016, and it is expected to rise more rapidly year on year. In 2017 we saw WannaCry, the biggest ransomware outbreak in history, infect millions of devices across 150 countries and impact fundamental infrastructure and services, including the NHS. We are also seeing how data is becoming an even more appealing target for cyber criminals, with huge data breaches at a number of large organisations including Facebook.

Cybercrime affects us all. The UK government’s own commissioned research, the Cyber Security Breaches Survey, found that two-thirds (65%) of medium and large UK organisations had identified a security breach in the previous twelve months. With new threats appearing daily and with criminals continually evolving their techniques, organisations require specialist skills in order to keep up.

The skills issue

Alongside the growth of cybersecurity threats there is a growing cybersecurity skills shortage. Last year cybersecurity specialists McAfee published Hacking the skills shortage, a research paper based on interviews with 775 IT and cybersecurity decision-makers. It revealed that 82% of respondents reported a shortage of cybersecurity skills and, of these, 71% believed that the shortage was doing their business direct and measurable damage. Most worrying of all, there could be as many as two million cybersecurity positions unfilled by the end of 2019.

In PricewaterhouseCoopers’ (PwC) 21st Annual Global CEO Survey, ‘Cyber threats’ and ‘Availability of key skills’ both made the top five threats to their organisation’s growth prospects. The bottom line is that good people are becoming harder to find and hiring is becoming more expensive. So what steps can we take to address these problems?
- Be prepared to revise your recruitment procedures
There are several issues here. Firstly, it’s important to recognise that cyber security is fundamentally a business issue. It involves everyone throughout an organisation. So it’s very important to embed responsibility for security into all of your current roles, and to ensure that security training and development is rolled out across the organisation. Secondly, if we accept that many cybersecurity roles require an understanding of, and focus on, the business, we may discover that the skills we are looking for are broadly similar to those of others in the organisation. In my view, too many organisations regard cybersecurity as a series of purely technical roles, and may recruit unsuitable candidates as a result. For entry-level roles, it’s worth at least questioning the extent to which you need to recruit people who will ‘fit in’ to the organisation. Many cybersecurity roles require someone who can work alone, focusing on the smallest detail, sometimes for hours on end at inconvenient times of day and night. You might need to fit the organisation around the person, rather than fit the person into the organisation. Recognise the people with the focus, flexibility and analytical skills that a good security analyst needs, whether or not they are security specialists. It’s important to review your shortlisting procedures for IT security roles regularly, and to recognise that the best candidate may be right under your nose.
- Recruit from within
Given how important an understanding of the organisation and the business is for cyber security personnel, it’s essential to nurture internal talent. There are two established ways to do this:
- A skill often lacking in cybersecurity specialists is the ability to speak the language of other teams within the business. Developing someone from within the business who has a keen interest in security may be the answer. The effort of training and developing them in the systems and analytical approach needed to solve security issues will be more than compensated for by their knowledge and understanding of the way your business operates. The benefits can be tremendous, helping to refine security policy as well as potentially providing insight into other ways the IT team can improve the service it delivers.
- Being ready to promote or develop a junior employee into a more senior role. They will have a good grounding in the way the organisation operates and the threats it is likely to face. And it leaves you with the slightly easier task of recruiting a new entry-level candidate. Good people are worth holding on to, and the importance of feeling valued cannot be overstated.
At O2 we have an internal training resource called Skills Pathways, which provides cyber security, network security and a broad range of other training for anyone in the organisation, free of charge, and regardless of their current role.
- Focus on retention
For experienced and skilled security employees, the next attractive and lucrative opportunity can be just around the corner. It’s a simple issue of supply and demand, so we all need to focus on retention. Those of us with responsibility for security must do all we can to keep our best people on board. The good news is that it is rarely just an issue of money: at O2 we have identified that our own people rate flexible working arrangements, training programmes and career progression more highly. You can read more about our own retention strategy here. Ann Pickering, Chief of Staff at O2, wrote a post recently about the benefits and incentives that matter, and how we use them at O2. You can read her post here.
- Diversify the workforce
Diversifying the workforce can also bring significant advantages. Cyber security is an industry where women, in particular, are greatly under-represented, with only one in ten practitioners being female. Yet in my experience different perspectives can help with communication strategies that appeal to more people across an organisation. The National Cyber Security Centre (NCSC) is one of several organisations attempting to address the problem, launching this year’s CyberFirst Girls Competition. At the start of 2018, more than 8,000 Year 8 girls completed a series of cyber challenges, with a Grand Final event held at Lancaster House in March. It demonstrated very clearly the enthusiasm and talent that girls have for the problem-solving skills needed to excel at cyber security. Women are by no means the only group under-represented in cyber security. I have found that appointing candidates from a range of cultures, religions and nationalities breaks down the attitude of ‘this is the way we have always done this’ and enables the organisation to look at cyber security from a wider perspective. I would certainly recommend that all workforce enhancement efforts should aim to create a broader, more diverse pool of cybersecurity talent.
- Outsource where practical
At O2, we know we can help organisations with their security needs. As part of the Telefónica Group, we’re at the forefront of cybersecurity research and development and we are supported by a global security network. Our Cyber Security services start with CAS(T)-accredited networks, as well as solutions from leading security vendors that we can package into managed services, providing you with bespoke insight and minimising the risk from cyber threats. We help you to understand the risks and threats that are specific to your organisation. Who might want to harm your organisation, or gain access to your information? Why? And what are the most likely ways your security will be attacked? Contact us today to organise a cyber security threat assessment that provides a third-party perspective on how well your organisation is protected. You can find out more about ways we can help here. What are your experiences of cyber security recruitment? I’d love to hear from you. You can connect with me on LinkedIn.