There's a cyber-security skills gap that's hurting everyone

According to IBM, there are 20.8 billion digital devices online – three for every human being on the planet – so a joined-up, forward-looking approach to cyber-security is essential. But at present, such a policy is lacking in many organisations, which is why five billion personal records have been breached or stolen to date across every type of business. In most cases, the motive for such crimes is financial – and often enterprises’ inadequate response is simply down to bad management.

That was the message from Nick Coleman, Global Lead in Intelligence and Risk at IBM, kicking off the second half of the recent Westminster eForum event on cyber-security. The first explored the current threat landscape and opportunities for international collaboration, while part two zoomed in on the skills and actions necessary to create a more secure world.

In the first half, another speaker claimed there are 13 billion connected devices. One of the risks of the conference circuit is experts presenting figures that differ by several billion, creating the uneasy impression that, despite their ability to hold a stage (in some cases), they can’t agree on the basics.

There’s plenty of room for manoeuvre, though. IPv6 gives us 340 undecillion IP addresses (340 billion billion billion billion), as opposed to the 4.2 billion addresses available under IPv4, most of which were allocated to the US and Europe as early internet adopters.

So imagine all those devices gathering your private data and sending it to a gangster in Estonia, via a company in your own country selling you life insurance, and you get the big picture. There are lots of devices and lots of threats – the jumping off point for any cyber-security presentation, which tradition dictates will make the patently obvious sound like a Biblical revelation.

Not a holistic approach

But back to Big Blue. In every sector where IBM works, including banking, transport, and utilities, it becomes part of its clients’ supply chains or is deeply connected to their internal systems – a scenario that all enterprise suppliers will recognise. However, the increasingly digitised business environment is not joined up to the same extent when it comes to international regulations, either sector by sector or in terms of an overall approach to cybersecurity.

For organisations’ technology partners, this means they have different boxes to tick in different parts of the world to solve the same basic problems. Poor IBM! Coleman said:

We are in an increasing regulatory environment. Yes we are all joined up, but not yet on measures. In one sector, you might have four hours in which to respond, in another Act and sector you have 72 hours. So what do you practically need to do?

This implicit duplication of resources demands that IT leaders put three building blocks in place. First, is overall security hygiene. The NIST framework and ISO standards are globally recognised and should be the benchmarks for all organisations.

Second, automation is important in upgrades and patch management. For example, when services across the UK’s National Health Service were compromised in the 2018 WannaCry ransomeware attacks, it was partly because security patches had not been installed on hospitals’ outdated operating systems. That failure to download available updates put patients’ lives at risk.

The third is agile security, said Coleman:

We are all going on a journey to the cloud, to hybrid clouds, and transforming the way we do security to meet those operational demands. We’ve got to be agile, both in the way we build those environments – which is where agile comes into the language for compute – and how we then deploy those controls in a cloud-ready environment. That means we have to alter things, such as how we test and assure in the cycle when we are using shared infrastructure.

Sadly for IBM, most organisations go with Microsoft, Google, or AWS. But all this cloud hybridisation demands skills in governance, risk appetite, control, and crisis management.

Artificial Intelligence (AI) also has a role to play. Coleman claimed that IBM is getting a “60x increment” from applying AI to analysing risks and attacks, because data is now being ingested and analysed much faster in what he described as a shift from “deterministic software” to predictive analytics. That said, we are still in the early days of the technology’s application – moving towards more disruptive and pervasive use, yet still a long way from the emergence of general AI.

My take

Coleman's conclusion was that digital transformation plus agile security is where organisations should be today, backed by new technology and the relevant skill sets. High fives all round!