SECURE London stokes debate on the future of the cybersecurity workforce
April’s event calendar kicked off with (ISC)² SECURE London, a return to regional events for (ISC)² members and a conference that took place amid an unprecedented time for our industry and for practitioners. The backdrop: a global skills gap of over 2.7 million, years of disruption due to the pandemic and unprecedented digital transformation, geopolitical strife at the doorstep of Europe generating global cyberattack fallout, and profound changes in the threats being faced and the technologies, tools and tactics that counter them.
The day began with a keynote from Chris Ensor, Deputy Director for Cyber Skills and Growth at the NCSC. Ensor discussed the lifecycle of the cybersecurity industry in the UK, the emerging similarities with other much-relied-upon sectors such as the medical profession, but also how organizations are struggling more than those in other sectors to clearly define roles and ensure skills development that meets the needs of the profession. Ensor talked about the critical role that education plays in addressing the workforce challenge, but also how many current efforts create a near 10-year lead time before they will impact the near three-million global cybersecurity skills shortage. How do we make meaningful progress today? Through initiatives that bring more people into the profession quickly, without compromising quality and by overcoming the insistence on high levels of experience for every role, right down to the entry-level.
A tale of two tracks
Dual tracks allowed attendees to explore a variety of themes. One session covered how to plan and deliver a successful security awareness program, told from the perspective of Data Protection Officer (DPO) Laurie-Anne Bourdain, CISSP, from Isabel Group. Meanwhile, Paul Schwarzenberger, CISSP, a cloud security specialist from Celidor, took attendees on a security deep dive into the three prevailing cloud platforms to determine which came out on top. Schwarzenberger worked through everyday use cases and live demonstrations to compare the security architectures and features across AWS, GCP and Azure.
Prevention of internal security issues was examined in detail by Dave Cartwright, CISSP, the Head of IT Risk and Security at Standard Bank ICS. Cartwright’s talk, developed from a recent magazine article he wrote on the same issue, examined how, regardless of the investment in training, education, policy and more, organizations will still face human-induced cyber risk, simply because eventually someone will do something they shouldn’t – be it intentionally or accidentally. Determining how to react and when is key to minimizing repeat incidents, as is defining whether a documented policy can apply to all instances. Going zero-tolerance can be counter-productive, while going zero-blame can also result in a lack of remedy from repeat offenders if there is no motivation to improve.
Current geopolitical and health issues have put the importance of robust supply chain cybersecurity in stark focus. (ISC)² CISO Jon France explored the latest developments and impacts on supply chains and critical infrastructure, discussing how supply chain cybersecurity practices have had to change and adapt in the face of COVID, digital attack, and an increasingly interconnected world of infrastructure.
Diversity, equity and inclusion (DEI) is at the forefront of industry efforts to expand both the workforce and the talent pool, as well as make cybersecurity a more welcoming and accessible career path for more people. A panel bringing together Andrew Elliot, deputy director of cyber security innovation and skills at DCMS, Richard Yorke, managing director of Cyber Cheltenham, Catherine Burn, associate director at cybersecurity recruiter LT Harper and Dr. Sanjana Mehta, Advocacy Director at (ISC)² explored with the audience what a diverse ecosystem means, who must be involved to deliver a successful diversity and inclusion effort and debated why a more inclusive cyber profession will ultimately ensure the delivery of a safer cyber world for individuals and organizations alike.
The power of the crowd
The technical side of cybersecurity was then put under the microscope, first by Alex Haynes, CISSP, the CISO at software provider CDL, then by Joseph Carson, CISSP, chief security scientist and advisory CISO at access management provider Delinea. Haynes provided a deep dive into the concept of crowdsourced security. For the last decade, crowdsourced security has had a fundamental impact on pentesting, but it’s not without risks. As well as discussing the pros and cons, Haynes also provided attendees with insight into how the approach has been weaponized in the Ukraine conflict and has impacted innocent bystanders. Carson wrapped up the technical sessions with an extensive look at ransomware incidents and a step-by-step demonstration of an attack and how to effectively respond to it.
The day concluded with an interactive (ISC)² Insights session. This was a chance for attendees to pose questions to a panel composed of (ISC)² CEO Clar Rosso, CISO Jon France, CISSP, and board member Yiannis Pavlosoglou, CISSP. Attendees quizzed the panel on a variety of subjects including plans for the forthcoming Entry-Level Cybersecurity Certification, dealing with the UK and global skills gap, the potential for government regulation of cybersecurity professional development and the role of a no-blame culture in cybersecurity response and remediation.
For (ISC)², SECURE London also represented an important milestone, the first purely in-person event we have staged as an organization since the COVID-19 pandemic took hold. Safely bringing together representatives from across our industry to meet, network and debate has been something we’ve looked forward to doing for a long time, with the results well worth the wait.