Cyber security is a field with well-known talent and diversity shortages. As a cyber security apprentice, I can appreciate that my role is a small part of addressing these issues head on. However, apprenticeship schemes are not the only efforts being made to get more people into the field, as I learnt at CyberUK 2018. Here are some of my top takeaways from an event that centred on diversity, while fully exploring the cyber security industry.
The conference had a large emphasis on diversity, from diversity pledges being encouraged to the broad range of speakers that the organisers had sought out. It was a clear effort to set the stage for more diverse role models, inspiring more people into cyber security.
I welcomed the focus on encouraging a wide range of people to consider cyber, such as those who struggle with formal education or older people looking to change careers. There was an emphasis on how people can repurpose skills for a role in cyber security without full formal training – a response that could be more likely to succeed.
Cyber risk was a prevalent topic of discussion, with the tone set by Dr John Thomas, MIT, who talked about safety engineering and how a systems approach could be applied to cyber security. He demonstrated the STAMP model and the STPA (System-Theoretic Process Analysis) model within it, highlighting the benefits of a vulnerability-based model over a threat-based model.
Christian Wagner from Nottingham University and Kev Jones from JP Morgan Chase discussed their collaboration between academia and industry. Tasked with creating a weighting system for experts’ differing opinions on scenarios, they sought a way to combine and visualise this data for a wide audience.
Building cyber into the credit risk model was explored by Ben Payne from Lloyds Banking Group, as he explained how banks are looking at cyber risk as they assess companies. Cyber security is becoming a crucial part of businesses, and banks are interested in how secure a company is, how they recover after a breach and their ability to stay operational after a major cyber attack.
Communicating the cyber risk landscape is just as crucial, especially as cyber security becomes a major board issue. Dr Ruth Mossic from Cranfield University talked about the problem with language: techies need to improve how they talk about cyber risks so that everyone can understand, especially as there is a high likelihood that those on the board won’t have technical knowledge. The most important takeaways from Dr Mossic were to write according to your audience’s level rather than your own, and that cyber strategy must complement business strategy.
Security is rife with standards and certifications, so it is important to know which are worth having and asking for. A few key takeaways on this included asking a company why they require certain certifications from you. Often, they do not fully understand why they ask for them. You may be able to explain how your existing certification serves the same purpose, demonstrating knowledge and saving unnecessary effort.
In terms of certifications to have, most panellists agreed Cyber Essentials should be the minimum, provided a company has a culture of adhering to it, not just ticking the boxes. This should apply to all certifications; getting ISO 27001 simply to ‘be more secure’ is useless.
Standards were agreed to be necessary – you need only look to IoT devices to see the insecure products created without them. Businesses without standards often don’t act responsibly or ethically. Professor Awais Rashid of the University of Bristol discussed his work creating a ‘Cyber Security Body of Knowledge’ for use in the crafting of standards and certifications for professionals. He seeks to create a body of knowledge which can be used as the baseline for what a professional should know in their field, created with input from both academia and industry.
The overarching feeling from CyberUK 2018 was one of progress and encouragement – the country is making significant strides and now cyber security needs to take centre stage to ensure we have the right (and enough) talent to keep businesses secure.