Cyber security has often been regarded as a technical career, given its origins in Information Technology (IT) Security and its relevance to computers. With our growing dependence on technology, the cyber security sector is hard-pressed to be agile and adaptive in addressing increasingly sophisticated threats, ranging from tech-savvy criminals to nation-state hackers. This pressure for more solutions has revealed that the cyber security sector is in the midst of a “skills gap”, a problem that is especially prevalent across the Asia-Pacific region, given its rapidly modernizing IT space.
Or is there a skills gap?
What if I told you there is no skills gap? That the skills required to empower the cyber security sector are, in fact, readily available to both customers and Security-as-a-Service (SaaS) providers? Although the skills gap is a well-documented problem, it has highlighted a greater underlying flaw in how the gap is perceived.
Find a Business Analyst
According to Forbes, Telstra’s 2017 Cyber Security report indicated that 59% of Asian organizations experienced a security event that interrupted business operations at least once a month. Cyber security is, first and foremost, a business problem that is concurrently tied to the IT field.
Because cyber security is a business risk, Business Analysts are well positioned to provide the most relevant and effective support. This can range from ensuring compliance with emerging security regulations to helping prioritize key business operations in support of Disaster Recovery Plans (DRPs) or Business Continuity Plans (BCPs). Moreover, Business Analysts need to be cyber security experts in their own right. This is because everything can be hacked, and businesses all critically depend on technology to support most, if not all, of their operations.
Hidden Gem of Social Science
The term ‘cyber security’ is essentially the security of all contents and user interactions within the digital environment known as cyberspace. The key terms here are ‘user interaction’ and ‘environment’, concepts that have already been explored in academia. In 2013, researchers at Carnegie Mellon University in the United States (US) collaborated with scientists from the Army Research Laboratory and other American universities to integrate social science disciplines, such as psychosocial analytics, in order to develop methods that enhance machine-learning-based security capabilities.
SaaS providers and internal security departments may consider branching out to candidates with academic or professional experience in social science to enhance their security capabilities. Candidates with criminology or law-enforcement experience can significantly empower forensic investigations and incident response teams, whereas candidates with media or marketing experience can empower disaster communication protocols or narratives to ensure minimal reputational loss during and after a security event.
Expansion into Security Studies and Traditional Sectors
Large conglomerates no longer have the international business space to themselves. The internet saw to that by empowering small to medium-sized enterprises (SMEs) with the ability to prosper in the global marketplace. However, this also opens the door to Advanced Persistent Threats (APTs) and organized attacker profiles (e.g. Nation State Hackers). This is already evident from cyber attacks such as STUXNET and NanHaiShu, two cyber security events allegedly instigated by government agencies with political motivations.
While businesses may wonder why they might be targeted, the answer lies in how they contribute to national developments in regional economies, security capabilities, and political influence. Candidates with security studies, political science, and intelligence experience can empower threat intelligence teams in generating scalable risk management plans against potential APTs.
People, Processes, and Technology
Cyber security strategies need to be holistic to address people, procedural, and technological challenges concurrently. Rather than dumping everything onto an IT team that may lack insight into social and business issues, consider empowering their ability to protect your business through closer communication with key business analysts, security academics, or criminal investigators.
Intelligence experts can support people solutions by identifying suspicious activities that indicate an impending malicious threat. Law enforcement experts can assist with incident response and managing insider threats. Business experts can support the determination of business risks and priorities associated with cyber security events. Media experts can assist in outlining effective media strategies to preserve a company’s reputation after a cyber security event. Criminologists can assist threat intelligence teams in determining threat trends and tailoring intelligence reports that support key security decisions. Social scientists and mathematicians can help development teams identify the right data sources to support advanced machine-learning-driven security solutions!
Despite the greater adoption of technical solutions, hackers remain human and are often incentivized by human motivations of greed or power. The skills gap doesn’t exist; it is a figment of our narrow perception of what it means to work in cyber security. Cyber security is not just a field for technical professionals, but also for others from different walks of life and professional experiences. Finding the right people to address the right gaps is the only way forward towards holistically creating a safer cyberspace.