Cyber Profession – By Peter Daniel, Security Consultant, Advent IM
News and information from the Advent IM team.
What makes a Cyber Security Professional? As an employer looking to hire an individual with the right skillset, or to promote an internal candidate into the position, what qualifications or experiences spring to mind? Asking these questions a decade ago, you would have found job listings clamouring for CLAS Consultants. Even more recently, CCP SIRA became the de facto standard for those wanting to engage in public sector consultancy. Despite this, both of these have diminished over time, with Governmental organisations, and to a lesser extent the private sector, querying what they are actually in search of.
Time and time again, there is a concentration on the technical element of the role, and the increasing reliance of businesses on keeping abreast of every advancement only helps to compound the issue. From telephony, email, web chat, instant messaging, social media and video communication platforms, an organisation must be seen to be available at a moment’s notice. As such, ensuring that availability is a common problem, as well as a risk that all organisations take should a particular individual or group become disgruntled with their business practices. Naturally, and in reference to a ‘cyber-attack’, you would be correct to assume that the Cyber Security team should have a say in any defensive measures that are put in place to prevent such an occurrence. However, if I chuck out a few examples, would you argue that a Cyber professional’s role should be to configure and maintain the rulesets of a firewall solution? How about the onboarding and monitoring of a SIEM tool? Perhaps even going so far as to hardwire a CCTV surveillance system, for those more comfortable with the physical, more tangible space?
The increasingly upward trend of Cyber Professionals holding knowledge and experience of IT security controls is all well and good, but what happens to the Cyber Professionals who wouldn’t consider themselves technically minded (and yes, we do exist)? In that case, is there an expectation that they are to buck the trend, perhaps completing a Master’s or Bachelor’s in Computer Science and becoming versed in all things Cloud? Alternatively, is there an argument for pushing the non-techies into training and auditing roles rather than consultancy as a whole? Regardless, for technical and non-technical professionals alike, this doesn’t address the issue of needing to continually chase the moving target of technology itself. In acknowledgement of this, then, how are we ever going to make up for the skills shortage that’s prevalent within the profession?
Recently, I read an excerpt of an interview conducted by Computer Weekly with Claudia Natanson, chair of the new UK Cyber Security Council. Within it, she specifically pinpoints the general concern of the industry’s skills shortage and makes the following claim: “We have a skills shortage because we are not communicating, not defining properly, because we have misplaced where cyber should be. To support organisations, we need to bring them back to base, bring them back to how cyber is affecting the business and help them understand the kind of help they will need”. Her argument is that organisations mislabel Cyber Security and place it into IT departments, thinking that it is a technology problem. Astutely, Claudia continues by stating that Cyber Security is wide reaching in its influence (you only need to glance over the control set in ISO 27001 to get some idea on that front): “The industry also needs to emphasise adaptability…because unlike some other areas of the tech stack, cyber security is in constant flux”. With this in mind, highlighting and emphasising the technology shortfall alone ignores the other requirements of a Cyber Security role.
Her ultimate aim is to create a professional accreditation for the industry, backed by Royal Charter. This would make the work of the Cyber Professional akin to that of accountancy and law. The focus has been placed especially on discipline, an ethical framework and, more fundamentally, trust. Much like this blog post, Claudia’s rationalisation is riddled with questions: “What do we think a good standard looks like? What does an entry standard into the profession look like? Where can you go once you’re in? How should you behave?”. Her approach is concentrated on the individual, redefining the Cyber career path to rebuild the name that Cyber Security has made for itself, and shifting attention away from technology and towards professionalism.
In closing, with differing organisations, both within and outside the public sector, taking their own stance on what a Cyber Security Professional should look like, the prospect of a consistent baseline that is well understood and accepted is a welcome one. As always, time will tell.
Peter Daniel, Security Consultant, Advent IM