The impact of WannaCry was not only devastating on an international scale but also brought the NHS to a virtual standstill. The global ransomware attack reportedly cost the NHS an estimated £92 million, with as many as 19,000 appointments being cancelled as a result. Considering the impact, it was surprising to find that upon closer inspection the malware itself was relatively simplistic in nature. In fact, Lee Kim, Director of Privacy and Security at the Healthcare Information and Management Systems Society for North America, notes WannaCry was poorly executed, adding that “It was just flexing the muscle in terms of what’s possible. We were hurt by it, even though it wasn’t totally sophisticated code, even though it wasn’t as coordinated as it could be”.
Aside from the damage caused, WannaCry served as a stress test, highlighting the level of infrastructure overhaul that’s likely to be required across the public sector. A recent report found that nearly one fifth (18%) of public sector organisations are currently grappling with a basic technical cybersecurity skills gap. The ongoing solution for this issue has been outsourcing, with two-thirds (65%) of public sector organisations using external support as a stopgap. But as the complexity and frequency of attacks are only set to rise in the future, continued outsourcing is not a sustainable solution.
Public sector organisations need to better understand the impact of the cybersecurity skill shortage on overall resilience, security, cloud computing and other IT functions—and the best ways to bridge the gap. Here is a collection of advice from experts across Sungard Availability Services on the current challenges and proposed solutions to the current cybersecurity skills crisis.
Barriers to overcome
IT department heads will be held accountable for security breaches
A recent survey that Qualtrics conducted on behalf of Sungard AS found that 40% of respondents believe their organisation’s leaders will hold IT teams accountable for cyberattacks or breaches. Security teams ranked second, at 23%.
“Given the accountability business leaders will likely place on IT and security teams, coupled with the skill shortage, public sector organisations must find ways to do more with available resources,” says Shawn Burke, Global CSO at Sungard AS.
It’s hard to find cyber professionals experienced in SaaS integration and network architecture
“As organisations increasingly move to a cloud-first, Software-as-a-Service (SaaS) computing infrastructure, it’s been challenging for the public sector to find cyber skill with skills in this area,” says Chris Fielding, CIO at Sungard AS. “Often the expertise needed is in demand by other organisations, which makes these skilled professionals hard to snatch up,” she adds. Similarly, companies face skill shortages in network architecture, too. “A cloud-first strategy puts different strains on the network and requires a rethinking of methodology,” a skill set not yet plentiful in the cyber skill pool, Fielding says.
There is a real need for strong communication skills
“Being able to defend a technical recommendation based on tangible reasons that solve a business problem in writing or verbally is a very important skill in the industry, and while this may sound easy, it requires multiple skills that are rare to find in one person. Knowing the security implications with regards to the business problem being solved can significantly impact how resilient an architecture design is. Instead of the security stiff-arm that has been prevalent in the past, understanding the problem and what technology best addresses the concern and being able to succinctly communicate that as part of the design process is key,” says Todd Loeppke, Lead CTO Architect for Sungard AS.
How to tackle them
What can AI and machine learning do to help?
Behavioural Analytics and Artificial Intelligence (AI) can help organisations do more with constrained resources. “I anticipate more security vendors will integrate AI into their products to improve prevention and detection capabilities, and more companies will look to use automated security products to alleviate the lack of human resources, skill levels and time,” Burke says. But too often, organisations hire IT team members with a more generalised skill set and background, says Greg Cox, CTO Architect for Sungard AS.
“Machine learning is a huge growth opportunity, and being skilled in AI will become a requirement for those working in areas of technology that are not purely hardware-focused,” he explains. The IT professionals most prepared for this shift will be proficient not only in AI but in mathematics and general computer science work as well, Cox adds. “Improving critical thinking ability and pulling together individual components to create a higher-value offering, IT professionals can separate themselves from the pack and show their worth as a high-performing asset to the organisation.”
Invest in upping team members’ skills
One way to combat the cyber skill shortage is to help your current workforce develop new, or deepen existing, skills. Consider the shortage of skills in SaaS integration, for example. To help close the skill gap in this area, focus on further developing existing employees’ skill sets. “Determine the employees who would be the best fit for the integration platform and then cross-train them to the new technology,” Fielding explains. “While this may initially slow your progress and lead to a few missteps, the payoff will outweigh initial setbacks and ramp-up required when onboarding new employees. You’ll end up with a stronger team that’s excited to learn new skills they can deploy in better serving the business.”
Stay in the loop
Stay focused on what’s happening in the IT industry and assess the changes happening that can make your IT environment more resilient and cost-effective, notes Fielding. “IT is constantly changing, so it’s important to bring a positive mindset, that change and evolution are good,” she says.
Retain staff engagement by exploring new technologies
“Team leaders should be forward thinking and consider how to best use new technologies to improve both the end-user experience as well as IT productivity and resiliency,” Fielding says. “This mindset to test new technologies in order to find new efficiencies opens the door to a Proof of Concept (PoC), which can be a way to investigate future technology options. The PoC gives employees both the excitement of being a part of a team testing new technologies and their opportunities, and a vision for how their skill set should progress to fit the new technology and goals.”
Nurture skill from within
To keep your team members engaged, focus on nurturing skill and promoting from within. “As your team gains these new cyber skills, it’s important to offer them new opportunities, too,” Fielding says. “You need to always be on the lookout for options to offer within your organisation. You can’t be afraid of people moving on. You never know when you may have an opportunity to work with them again.”
There is nothing new about the skills gap; I suspect there was a time back in the 16th century when farmers couldn’t find enough people trained to use a scythe, impacting their ability to reap crops. However, the ubiquitous nature of IT has meant a lack of skills has broad-reaching ramifications for businesses, individuals and governments. It’s difficult to find someone today who isn’t aware of a breach that may have impacted them personally or professionally.
In conclusion, public sector organisations that don’t invest in securing and retaining the right skills are going to increasingly struggle to call themselves resilient.