When it comes to all things cyber there is a tendency to always look for a technology solution. Yet although technology is an essential part of any cyber solution, it is people, using technology and many other skills, who deliver genuine cyber resilience. The reality is that many different types of people and skills are required to ‘ride the wave of chaos’ that cyber threats create in what is perhaps the most complex and dynamic ‘market’ in the world. So, first, what is cyber resilience; second, what skills and people are needed; and third, how do we develop those people and teams?
Cyber resilience is the capability of an organisation (public or private) to have the agility to be proactive, responsive, robust, flexible and adaptive in the face of cyber threats and attacks. In an era of ‘industrial’ levels of cyber crime, thieves and other attackers will find the combination of attack characteristics (vectors, payloads, behaviours and effects) that circumvents whatever security capabilities are in place, in order to achieve their aim.
To be resilient requires a genuine ‘board room to server room’ approach. This includes organisations strategically accepting a level of risk and proactively managing it, supported by a diverse and practised team. This team, stretching across all business functions and often including external stakeholders, needs to be able to communicate, collaborate, and establish mutual trust and shared understanding, in order to develop the agility required for cyber resilience against complex, dynamic and uncertain attacks by criminals and others.
But who are the people, and what skills are needed, to develop cyber resilience? The answer goes well beyond the traditional and important pool of academic and certified personal qualifications. These are important skills, but they have a high cost of entry and can lead to a narrow focus on encouraging a particular type of person, whilst perhaps discouraging people outside the IT area from engaging with and understanding the issues and risks. It deceives organisations into thinking this is a technology problem with a technology solution – it isn’t. A narrow focus on these ‘black arts’ skills can also lead to a very narrow recruitment pool and career path, with few opportunities to grow and bring value beyond cyber security.
So widening the talent pool, and engaging the wider organisation in developing cyber resilience, requires a change of approach. In particular, it requires an education and training programme that can be opened up to apprentices and that draws people in from other disciplines: people who understand the business and can communicate effectively the risks and consequences of different attacks. This broadening of the team’s skills and backgrounds should increasingly enable organisations to ‘think thief’ and ‘join the dots’ when considering different cyber attacks.
This change of approach needs to move from traditional paper-based and didactic learning to more individual experiential learning (learning through reflection on doing) and cooperative learning, where problems are solved through collaboration, using the collective resources and skills of the group. This can bring together software and network engineers, data analysts, business operations, corporate communications, business continuity, crisis management, psychology, security and other disciplines, in a similar way to how those exploiting business intelligence and big data often fuse teams from different disciplines, going beyond contextual analytics to really exploit them.
This approach can encourage and identify those people who are constrained only by their imagination and their ‘chutzpah’ to try it. These are the type of people who can social engineer their way to achieving their chosen effect, or understand how others may. With these multi-skilled teams drawing expertise from across the technical and business teams of an organisation, a more agile (software) manifesto type approach of iterative development of cyber resilience can be achieved.
This can range from identifying vulnerabilities to developing incident response plans across all business functions, so that when an attack occurs the consequences can be managed effectively whilst diagnosis and remediation are taking place.
The reality is that every organisation will be attacked. The best way to manage this risk is to develop organisational cyber resilience, and this requires new approaches to widening and rapidly developing the talent pool at its centre.
Richard Preece is a director of cyber training specialist cybX