Cybersecurity skills gap and boardroom blindness invite hacker havoc

Person in a suit pointing to a security padlock icon
(Image credit: Shutterstock) (Image credit: Shutterstock)

It was interesting to read the Ipsos report on Cyber Security Skills in the UK Labor Market 2023, which highlighted the ongoing frustrations and challenges in recruiting, training, and retaining staff across all cybersecurity domains. Some enlightening findings were:

Approximately 739,000 businesses (50% surveyed) need to fill in basic skills. That is, the people in charge of cyber security in those businesses lack the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme, and are not getting support from external cyber security providers.

Approximately 487,000 businesses (33% surveyed) have more advanced skills gaps, most commonly in forensic analysis of breaches, security architecture, interpreting malicious code and penetration testing. 41% have an internal skills gap when it comes to incident response and recovery, and do not have this aspect of cyber security resourced externally.

James Allman-Talbot

Head of Incident Response and Threat Intelligence at Quorum Cyber.

Lack of incident response

Most alarming was the report uncovering a lack of incident response skills; this is unacceptable when hacking is now a paid career. The net result is a growing demand for trained cybersecurity professionals, and we need to prioritize education and training programs to fill these gaps. In addition, these shortcomings extend to senior managers and board-level executives who need to understand the steps to take to manage an incident. While it is encouraging to see that boards are increasingly understanding cyber risks; clearly, more needs to be done to help educate senior management on their involvement during an incident. Cyber incidents have always required a business response rather than just a technical response. The senior and board-level actions can be as simple as:

  • Make sure to report the incident
  • Inform your cyber insurance provider immediately
  • Don’t go it alone; always seek outside assistance
  • Appoint a Cyber Incident Owner to oversee the response process
  • Keep an action and decision log
  • Focus on containment
  • Listen to advice and best practices; you’re not the first to be breached
  • Be patient; addressing cyber crimes is a process
  • Help authorities and regulators as much as possible with documentation
  • Be concerned about reputation management and control the narrative.

Cyber attacks are a business

IT departments must translate cyber risk into operational and business risks so that there is comprehension at the board level. Board members understand business and—cybercrime is a well-organized business. IT individuals need to explain that the cyber-criminal world has evolved into an ecosystem made up of three different types of groups:

The access broker focuses on finding organizations with vulnerabilities, compromising networks, and probing for the easiest way into them— to sell this as a package to other groups.

The developers build the ransomware-as-a-service (RaaS) tools to hire out.

After purchasing the access information and hiring the RaaS tools, a third group will move into the network, steal or encrypt data, execute the ransomware payload, and make the ransom demand.

In short, it’s become an industry. Groups have taken on different specialist roles, splitting the profits depending on their skill sets and the risks involved in completing their part of the deal. This business model makes it harder for researchers to identify which cybercriminal gangs were involved in each cybercrime.

An ounce of prevention

One of the most effective methods of knowledge transfer is to put senior-level managers through the experience of a simulated cyber incident to educate them on roles and responsibilities when an attack occurs. Table Top Incident Response exercises are an excellent way to ensure that plans, playbooks, and teams are thoroughly tested. By working closely with senior-level management, IT can help them learn lessons from each exercise to prepare them for any eventuality. This knowledge transfer includes not just input from in-house legal, finance, and other business leads and external domain experts but also quickly setting the direction and prioritizing the many demands that will be placed on the team and driving a no-blame, no-fear culture.

Over the past 15 years, I have worked with the boards of many organizations that have fallen victim to devastating incidents. I have seen first-hand the positive impact of effective leadership and direct board involvement on successfully navigating through an attack. While we’re all trying to work out how we attract and train the new top talent in our industry, we can help ourselves by working with our senior leadership to educate them on their role in positively influencing the outcome of an attack.

We've featured the best business VPN.

This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here:

James Allman-Talbot is Head of Incident Response and Threat Intelligence at Quorum Cyber.