Growing cyber security expertise
Cyber skills are already in high demand, and the Global Information Security Workforce study estimates that by 2022 there will be a shortfall of 350,000 appropriately trained and experienced individuals in Europe. Organizations must take steps now to ensure they can draw on cyber security expertise in the future.
What should the board do?
Baseline your current skills
The Board should have an understanding of what cyber expertise there is in the organization and what you need. Do you have a CISO? An information security team? Incident managers? If not, should you?
This information will give you an insight into the resilience of cyber security efforts (are you currently reliant on one person?) and also will help you to understand the provenance of the cyber security information you receive.
You might also want to consider the expertise on the Board itself. Do you currently have sufficient specialist knowledge to ensure that the Board is able to make appropriate strategic decisions about cyber security? Are you likely to be able to keep pace as advances in technology bring new security challenges?
What should your organization do?
Make an organizational plan
Given the lack of suitably skilled individuals and an increasing reliance on digital services that need to be secured, organizations that do not embrace cyber security will soon fall behind.
Work out what specific cyber security expertise you need. ‘Cyber security’ covers a range of different skills, from network security to risk management to incident response. It may be useful to first consider what skills you need to manage your highest priority objectives or risks and then assess which (if any) of these you cannot outsource and so must have in house.
Establish how urgently you need these skills. If you are considering developing existing staff, don’t underestimate what this entails. Putting someone through a training course does not make them a cyber security expert: they must also have the opportunity to develop hands-on, practical skills and so will require support for this from within the organization. If you need expertise in the shorter-term, it might be better to recruit a consultant or specialist.
Consider how you might recognize professional cyber security skills. As yet, there is no professional body for cyber security expertise. This could mean that validating the ability or quality of a new hire, and/or developing training plans, is difficult. Consider how you might be able to work with trusted partners or industry specialists to give you the necessary assurance.
MAKE THE BEST USE OF THE SKILLS YOU HAVE
The best way to make use of the skills you have is to identify and focus on the things that are unique to you (or the things that only people within your organization are best qualified to do). This can be enabled by making use of established, commodity technologies. For example, you might choose to allow cloud vendors to build and secure your infrastructure, which frees your experts to spend time exploiting the unique insight they have into your organization.
Build your best workforce: equal, diverse and inclusive
Due to the cyber security skills shortfall, your organization must draw and nurture talent from the largest possible pool. The cyber security industry is subject to the same skills challenges as all technology-focused industries. Organizations may find it hard to recruit and retain high-calibre staff from all demographic groups. In fact there are many talented women and minorities working in cyber security, but they are often less visible. They may experience hostile working environments that slow or stop their career, or avoid the industry altogether. Working together to overcome these challenges will give your organization a competitive edge.
LOOK BEYOND TECHNICAL SKILLS
When designing job roles and desired candidate profiles, particularly at entry level, be imaginative. Protecting our organizations relies on bringing together many different skills, technical and non-technical, to deliver security that aligns with the organization’s objectives. Recruit for broader business skills, aspiration and potential as much as for current technical skills.
LOOK AFTER YOUR EXISTING TALENT
When trying to make our organizations more diverse and inclusive, we often focus on bringing in new talent, while ignoring the issues that prevent existing staff from staying and thriving once they are in. The talent available may be beyond your own direct control, but you can control how much cyber security talent you lose because of difficult policies and processes, and unwelcoming workplace cultures. As much as strong security cultures, you should focus on fully inclusive workplace cultures.
Train, buy-in, or develop for the future
Broadly, there are three options to increase cyber expertise within your organization.
TRAIN EXISTING STAFF
Don’t just consider the staff who are already in security-related jobs. After all, there are many different aspects to cyber security and someone who is expert at designing a network architecture might have a very different skill set to the person working with staff to make sure security policies are practical and effective.
Depending on your organization’s needs and your staff, training could take the form of on-the-job training, professional qualifications or placements. Do remember that developing cyber security expertise is no different to many other professional areas: staff will require continuous investment, training and development opportunities to hone their expertise and also to keep up with changes in the industry.
BUY IN EXPERTISE
There are several complementary routes available for introducing external expertise. A large organization will probably take advantage of all of them.
Recruit a skilled non-executive director to your Board.
Add a virtual CIO to your team.
Employ a consultant to provide specific cyber security advice.
Identify specific cyber security services which can be fulfilled by a third party.
Recruit employees who already have the skills you need.
Recruiting expertise externally can provide a quick solution where there’s a lack of specialized cyber security knowledge. However, be sure to identify someone who can adapt cyber security principles to your organization. ‘One size fits all’ is rarely applicable in terms of cyber security, and someone who just applies an out-of-the-box solution may not be significantly improving your cyber resilience.
Develop future staff: sponsorship, apprenticeships and work experience
Supporting young people to pursue an education in cyber security can be a brilliant way of ensuring a future pipeline of employees with the right skills. There are many schemes aimed at school and university-age students and almost all of them involve some industry participation or support, including apprenticeships, site visits and speaker opportunities.
What does good look like?
The following questions can be used to generate productive discussions with your technical team. The aim is to identify what constitutes ‘good’ cyber security in terms of growing cyber security expertise.
Q1. As an organization, what cyber expertise do we need, and what do we have?
You should find out:
What expertise do we need to manage our cyber risk? What do we need to keep in-house and what can we outsource?
Is each of our requirements continuous? For example, you might only need a penetration testing team to come in a few times a year, but you might need someone to monitor your systems all year round.
What expertise is the minimum for all staff? How can you ensure a healthy cyber security culture in the organization? How well and how frequently are you training staff in your security policies and any particular threats your organization might be vulnerable to?
How many staff do we currently have with cyber security expertise and what gaps are they telling us we have in our provision?
Q2. As an organization, what is our plan to develop what we don’t have?
You should find out:
Which skills are a priority?
Who owns the plan to develop cyber expertise, and how are they responsible for delivering against it?
How will you find people with the right aptitude for the different cyber security skills? Remember that people from all backgrounds, and with technical and non-technical skills, may be well suited to this field.
What support can the Board give to this work, both in terms of investment and broader resources?
Q3. As a Board member, do I have the right level of expertise to be accountable for cyber security decisions?
Do I understand enough about the decisions being made on cyber security in my organization to be accountable to shareholders?
If not, what plan do I have in place to increase my expertise?
Q4. As an organization, are we building an equal, diverse and inclusive workforce to tackle our cyber security skills challenges?
Do we have a champion for EDI (Equality, Diversity and Inclusion)?
Do we have the right policies in place, and do they work well in practice as well as looking good on paper?
Are we gathering the right data and interpreting it correctly? Are we then having the right conversations with individuals all around the organization, to supplement this data and create a richer picture on less tangible measures?
Are we making active, meaningful efforts to recruit from all communities, to reflect the society we operate in?
Do we use a range of recruitment methods, to help overcome unconscious bias and ensure we fully explore candidate strengths?
Are we confident that we are recruiting and developing staff to meet the challenges our organization will face in the future, not just complete the tasks of today?
Are we creating the right environment and culture to make staff feel confident, safe and comfortable in flagging issues?