Awareness and concern over security against cyber threats is growing. It’s about much more than the risk of personal data being hacked into.
A hostile cyber attack is classed by the UK’s National Security Risk Assessment as a Tier 1 risk, putting it in the most serious category alongside international terrorism, an international military crisis and a major accident or natural hazard. The National Cyber Security Centre was set up in 2016 (as a branch of GCHQ), and later the same year the government confirmed a cyberstrategy budget of £1.9bn over five years.
And although there have been high-profile examples of cyber security breaches, including the ‘Wannacry’ ransomware attack on the NHS last year, the centre’s head Ciaran Martin recently said that the UK had been fortunate so far to avoid a so-called ‘category 1’ attack – an assault that could cripple critical infrastructure such as water or electricity supplies or financial services. He warned that it was a matter of “when, not if” such an attack occurred.
There is little wonder, then, that demand for cyber security specialists has grown dramatically in the past few years, as has demand for the services of companies seeking to hire their expertise.
A number of factors are underpinning this growth. Hugo Rosemont, director of security and resilience at ADS, the trade body of the aerospace, defence and security sector, said that the government’s characterisation of the seriousness of the cyber-threat is reflected in the priorities of ADS member companies’ clients.
In addition, the regulatory framework is about to change with the introduction of the EU General Data Protection Regulations and the Network Information Security Directive, which come into force in May, requiring companies to reassess their cyber strategies to make sure they comply.
“Whether they’re critical infrastructure operators or companies in the wider economy such as retailers on the high street, the regulatory landscape is shifting so that cyber becomes more prominent, and companies are investing in technology, but crucially also in their people, in order to protect themselves,” said Rosemont.
Jonathan Martin, department manager for cloud and security at recruitment agency Networkers, added: “Cyber threats are becoming more complex, organised, and larger scale, and as the world becomes more data driven and products and services more data led, the importance of protecting that data is becoming more significant, creating a bigger market for those able to offer protection and security.”
In industry, moves towards remote monitoring, the smart factory and the internet of things are adding to the complexity of networks, creating more potential weak spots or points of entry for an attack.
All this presents opportunities in particular for defence giants such as the UK’s BAE Systems, Italy’s Leonardo and the US’s L3 Technologies, said Martin. “They are used to dealing with the complex challenges of national security. They already have the experience and legacy.” They are taking a reputation for expertise, integrity and attention to detail gained on defence contracts into a more commercial world, to advise companies in finance, insurance, and healthcare, as well as in government – all typically characterised, said Martin, by large and disparate organisations with high data complexity and multiple points of entry.
Work for government organisations, Rosemont pointed out, includes support for law enforcement agencies in roles such as digital forensics and online investigation. Fraud, particularly cyber-fraud, is now the most common crime in England and Wales.
Alan Good, head of human resources for the security and information systems division of Leonardo’s UK subsidiary Leonardo MW, said the company works in three areas: with commercial customers in banking and in industry (including its own parent company); with government departments and agencies; and with its largest customer of all, NATO. “We provide protective monitoring for all of NATO across Europe, one of the biggest secure systems in the world,” he said.
A range of skills is in demand, with broadly three groups of people being recruited. On the technology side there is a need for people with skills in providing protective monitoring of clients’ servers and systems. In Leonardo parlance, they are known as security event analysts.
A second group is network and systems engineers, specialists in the architecture, design, build and implementation of systems and secure operations centres for clients. Companies such as Leonardo either create operations centres and then provide monitoring on behalf of the client, or build centres for clients to run their own protective monitoring.
Third are cyber security consultants, who go into organisations to provide advice and support with regard to information assurance or risk management. Martin describes this as more policy and governance based.
“They are going into organisations and looking at things from an information governance perspective,” he said, in order to identify vulnerabilities on the process and policy side – including making sure that organisations have effective staff training and consistent ways of monitoring what people are doing with the data that they have access to. This role requires governance and risk management skills rather than detailed IT knowledge.
“If you think about some of the more recent well-known hacks and data losses, a lot of those came about through human error or organisations not having the processes to ensure resilience against breaches,” said Martin.
ADS’s Rosemont cautioned against seeing cybersecurity as mainly a technology issue. “What you quickly learn is that any company’s cybersecurity approach has to be underpinned by strong governance.”
He also stressed the importance of training: “Educators have a role to play in cyber security. This is as much a people business as it is technology in many respects,” said Rosemont.
He added that another important role is that of people who can act as an interface between a company’s IT staff and its directors. “The board has an absolutely crucial role to play in cybersecurity, whether it’s taking decisions to invest or being at the heart of a response to an incident. Often board members won’t be technically minded on the finer points of cybersecurity technology and an important skill is to be able to interface between the information security or IT department and senior executives.”
A range of levels of experience is required. Consultants who go into firms to advise on their cyber security and information assurance needs will have been steeped in cyber security for many years.
For a typical security event analyst job advertised by Leonardo, an “in-depth knowledge gained from both experience and qualifications in the cyber defence arena” is called for.
Conversely, a systems engineer job description focuses more on IT infrastructure skills, with “an awareness of cybersecurity capabilities”, while “experience of working within secure environments” is considered “advantageous”.
For systems analysts and the like, Martin pointed out that their IT skills should be coupled with an inquiring mind. “They should have the mentality of thinking about where threats might come from,” he said, “and be active in identifying where systems might be vulnerable. A lot of the work is about problem-solving and asking questions, not just doing the day job.”
For those working on the information security or risk management side, up to mid-management roles, staff might be recruited who don’t necessarily have extensive information security experience but have transferable skills, for example experience of compliance in other forms, such as introducing a new standard in their organisation.
A skills shortage is a cause for concern. One estimate is that there will be a shortfall of 1.8 million cyber security professionals worldwide by 2022; companies are experiencing difficulties in retaining staff, with some reporting the need to offer salaries above what would be considered the market rate.
Against this background there are good prospects for graduates and apprentices, provided candidates can demonstrate logical thinking and problem-solving skills. Leonardo was one of the first companies to offer a cyber apprenticeship (in partnership with South Gloucestershire and Stroud college) and took on its first intake in September last year, with another to follow this year. It looks for students “who excel at GCSE or A-level in IT-related subjects”.
ADS is promoting the sector as an attractive career for young people, while the National Cyber Security Centre’s Cyber First initiative and the Cybersecurity Challenge UK offer a series of competitions, courses, and other initiatives designed to inspire more people to become cyber security professionals.
According to the latest ADS Security Outlook report, cyber security accounted for more than a third of UK exports in the sector in 2016, with a total value of £1.5bn. There appears to be little prospect of any imminent let-up in demand for people with skills in this area.