Europe, We Have a (Skills) Problem
If modern cyber security devolves into a battle of skill vs will, we will lose this war.
One of my favorite scenes in Apollo 13 is when NASA realizes the air in the Lunar Module (LM) is becoming toxic from CO2 saturation — after all, the LM was never designed to be a lifeboat for three people for an extended period of time. The carbon dioxide scrubbers on the command module take square cartridges, the ones on the LM are round. Mission controller, Gene Kranz, tasks his engineers, quite literally, with inventing a way to put a square peg in a round hole.
The engineers assemble and, after turfing out a box of what looks like junk, but is in fact the only materials Jim Lovell’s team of astronauts have to work with in orbit, one of them says:
“OK people listen up, the people upstairs handed us this one, and we gotta come through. We’ve got to find a way to make this, fit into the hole for this, using nothing but that.”
As history shows — they succeeded. It’s a brilliant story of human will and ingenuity in the face of otherwise certain doom.
But what would have happened that day, if — for all their effort — NASA didn’t have the necessary talent, or the skills in that room, to come up with a solution against the clock?
Skills shortage
I pose this question because our latest High Alert research — of 3,045 cybersecurity decision makers across France, Germany and the UK — reveals half (48 percent) of IT security leaders believe their teams have now fallen behind attackers when it comes to cyber skills.
Forty-six percent of respondents report their team is too busy to keep up with the necessary skill development, 45 percent say technological change is happening too quickly for them and their teams to adapt, and 48 percent say attackers now have ‘unprecedented’ resources and support, which is also due to aid from ‘bad actors’ such as organized crime gangs and state-sponsored hackers.
Our industry therefore faces the very real danger that, when a breach happens, the people in the situation room, unlike that handful of NASA engineers back in 1971, will simply not have the skills to deal with the challenge coming their way.
On Earth, as in space: A depleted crew cannot perform
“48 percent of IT security leaders believe their teams have now fallen behind attackers when it comes to cyber skills”
The reason the carbon dioxide levels in Apollo 13’s Lunar Module demanded such urgent action was because, had they continued to climb, the three people aboard would have begun to suffer from the beginnings of brain asphyxia, leading to blackouts and impaired judgement.
Right now the quality of decision making among Europe’s cyber security leaders is being similarly impaired by the industry’s ongoing skills and talent shortage. 78 percent report that they find themselves underestimating what’s required to properly deal with a cyber security threat or incident, 77 percent say they end up rushing when assessing a threat, and 69 percent of respondents admit to feeling responsible for a cyber security incident that could have been avoided.
In spite of these challenges, as we mentioned in our first Medium article in this series, the High Alert study also found cyber security pros are hugely motivated, and remain committed — 92 percent feel fully immersed in their work, even when it’s stressful. Ninety percent of them even say they thrive under pressure.
Yet human willpower is a finite resource, and teams running on this alone against an intelligent, attacking force with a superior skill set and greater resources, will, on a long enough timeline, inevitably fail.
Something has to change.
How to fix this problem
Just as the space race wasn’t won in a day — the skills gap is a chronic, systemic issue that will take years of persistence and long-term commitment to solve.
Given there’s currently a shortfall of 142,000 cyber security professionals across EMEA (according to (ISC)2), most companies are still going to struggle to find the right people to hire. As it’s a sellers’ market, firms must budget appropriately to hire new staff, and the board must also appreciate the difference between a general IT hire and specific cyber security recruitment.
The remaining focus must go on improving the skills of the current workforce. This means organizations need to invest budget in in-house or third-party education services — then ensure staff are given the time and space to learn.
A similarly rigorous, conscientious approach should be taken when scouring for talent. A recognition and celebration of diversity is not only ethical, it is common (and good business) sense.
In the shorter term it’s worth considering any technology, or new approaches to using it, which can provide an edge by saving staff time. This eases the workload, supports retention — and frees up more capacity for skills development.
Firstly, a process of rationalization can go a long way to reducing the complexity of cyber security estate. Consolidating it, or using a cyber security platform to integrate it, both improves security and reduces the time it takes to manage it manually.
Secondly, automation can help address the security skills gap at multiple levels. For example, an integrated security platform can correlate, cross-check and prioritize data across multiple security products — reducing the volume of alerts and highlighting those that really matter. Yet automation can also remove the more mundane, repetitive and low value tasks — enabling staff to focus on more rewarding, higher value work — which can only help firms in the fierce competition to attract, and keep, top talent.
When Gene Kranz was describing the standards that NASA demands of people who walk through the doors of Mission Control, he said: “We will never be found short in our knowledge and in our skills.” If our industry can put into practice the technology and resourcing strategy discussed in this piece, we’ll be one step closer to building security teams to be proud of.
Read High Alert Chapter One: Perfect Storm & Chapter Two: The Skills Shortage, here.
Check out the Security Response blog and follow Threat Intel on Twitter to keep up-to-date with the latest happenings in the world of threat intelligence and cyber security.
Like this story? Recommend it by hitting the heart button so others on Medium see it and follow Threat Intel on Medium for more great content.
