Government breach data highlights cyber skills misconception

The Cyber security breaches survey 2019 illustrates how many organisations are failing to understand the extent of their cyber security skills gap, warns James Hadley, former GCHQ trainer and CEO of training company Immersive Labs.

The survey shows that 80% of businesses and 77% of charities believe they have enough people dealing with cyber security to manage the risks effectively, while 77% of businesses and 69% of charities think the people dealing with cyber security in their organisation have the right cyber security skills and knowledge to do the job effectively.

But the survey also shows that only 27% of businesses and 29% of charities said their staff had attended internal or external training, including seminars or conferences, on cyber security in the previous 12 months. In businesses, only 36% of information security or governance staff had attended courses, but this is up 10% from the previous year. The proportion of IT staff attending such training remained flat compared with the previous year at around 30%.

“This is a common failing,” said Hadley. “Organisations assume that by adding flesh and by sending them away for a couple of days in a classroom every few months, risk decreases. It doesn’t. In addition, they have no practical way of measuring whether their security teams have the right skills and knowledge because of the rate at which threats change.

“If only 36% of information security or governance staff are attending courses, it is not clear how organisations can say they are confident that their security teams have the skills and knowledge they require to be effective.”

Even if is an active training programme, Hadley contended that the skills learned are out of date before people leave the classroom, creating false security and human vulnerabilities because information security professionals are lagging behind the attackers.

This is because attackers, unlike businesses and charities, are free to innovate and do not have to work within the limits of the law and security budgets, while few training programmes or computer science and certification courses are geared up to be updated on a daily or weekly basis to include new threats that have been identified.  

“They build faster than development teams and change attacks quicker than traditional training can cope with,” said Hadley. “This is the same ‘time gap’ that plagued signature-based AV [antivirus] engines for years.

“Training needs to be continual, iterative. Otherwise, your cyber people become a risk and not an asset, because their skills have been assessed and certified in terms of knowledge that is not up to date, and they often do not have the tools they need to move at the same pace as their adversaries,”

Traditional approaches to training and skills certification in this context “do not make any sense”, according to Hadley, in the light of the rapid changes in tools, techniques and methods used by cyber attackers.

He also thinks multiple-choice questions are not an accurate way of assessing skills and knowledge because such exams can often be passed by studying exam guides available online without engaging with any of the course content and improving their capabilities.

As a result, said Hadley, a growing number of companies that are hiring information security professionals based purely on certifications are subsequently finding that these new hires do not have the skills they need in practice.

“Companies are increasingly screening job candidates to make sure they actually have required aptitude and technical skills rather than relying solely on certifications, but are still struggling to find a practical way of measuring skills,” he said.

In an attempt to address this problem, Immersive Labs has developed a challenge-based approach to training that focuses on aptitude, problem-solving, perseverance and research. In January 2019, the company announced a partnership with Digital Shadows that has seen the risk management firm’s weekly threat intelligence summaries and live threat intelligence feeds incorporated into Immersive Labs’ training environments within hours of global threats and vulnerabilities being discovered.

As well as providing real-time skills-based learning, the platform’s analytics and insight functionality provides visibility of individual and team cyber capabilities, identifying skills gaps and confirming that time-sensitive threat intelligence labs have been completed. This is aimed at giving business leaders confidence that their security team’s skills are up to scratch and highlighting areas of cyber risk so that appropriate action can be taken.

“As the market matures and we see more training providers having the ability to incorporate up-to-date threat intelligence into exercises that have to be completed rather than studied, followed by multiple choice exams, organisations will increasingly have the ability to ensure skills are up to data and measure those skills to identify gaps, which too few organisations are doing,” said Hadley.

“Organisations need to know where their skills gaps are to identify where they are most at risk and where they need to concentrate their efforts at upskilling security team members.”

Adopting international cyber skill frameworks is “critical” so that the language being used is the same across all countries, industries, organisations, employees and job applicants, said Hadley.

“Immersive Labs, for example, maps a lot of content and skills to the National Initiative for Cybersecurity Eduction (Nice) framework from the US National Institute of Standards and Technology (Nist),” he added. “Having an international standard that everyone maps to would make it a fair and open ecosystem for everyone to work within, so that people can more easily compare knowledge, skills and abilities.”