Time and skills are vital to building resilience against future cyber security threats
It’s most often the case that IT and security staff are too busy dealing with the here and now to think about future threats, let alone how to flex their organisation to ensure its long-term resilience.
It’s a problem, but with the fourth industrial revolution (4IR) under way and technology emerging and shifting at pace, I think there’s a danger that cyber security practices are falling behind the curve.
Time is against us, yet that’s exactly what we need: time to think, to scan the horizon and to adapt our skills, culture and technology.
Global security challenges
The National Preparedness Commission identifies several key drivers of cyber security risk.
Accelerated digitisation means the distinctions between the physical and virtual worlds will continue to blur, further challenging our ability to define boundaries and protect perimeters. Attack surfaces will, therefore, expand.
Compliance regimes may not be adaptable or flexible enough to respond quickly to emerging risks. Compliance really suffers when budgets are tight and there’s typically little time, space or financial support for long-term thinking.
In this case, change and investment are unplanned and often follow incidents, as some education and research sector organisations have experienced in recent years, especially with respect to ransomware attacks.
What’s far better, I think, is a regime of continual investment that allows organisations and governments to adapt sufficiently and to be prepared for the inevitable cyber security attacks.
This scenario requires downtime for people to plan and mobilise. If everyone is already fully stretched, where does that extra capacity come from when a major incident occurs?
Keeping up with bad actors
In contrast, cyber-criminals are agile: don’t forget how quickly they responded to the enforced shift to remote work and study during the pandemic by deploying ransomware that exploited insecure remote desktop protocols.
Increasingly, cyber-crime is becoming industrialised, with organised crime, particularly ransomware-as-a-service, running like ‘normal’ businesses.
It’s likely that unscrupulous governments will take advantage of these offensive cyber-capabilities, which are freely available on the internet.
More principled governments around the world lack the tools and treaties to respond to this ongoing cyber-warfare.
Even without malign actors, secure national and international change management in a world of increasing complexity will prove all but impossible. We’ll be forced to evolve, but it’s preferable to choose change.
We first need to recognise that future risks, for example the malicious or accidentally harmful use of artificial intelligence, are likely to be highly complicated, dynamic and unexpected.
Preparing for future threats
Preparation is vital on multiple levels, both technological and anthropological, involving everything from high-level international cooperation to individual development and accountability.
According to researchers from the University College London Global Governance Institute, we must throw off the shackles of old ways of thinking and instead embrace a complexity paradigm. This requires:
- Transparency and increased government accountability and cooperation
- Building global governance structures more capable of responding to instability, surprise and extraordinary change
- Replacing plan-based approaches with evolutionary design that allows for continuous, incremental changes
- Better modelling and analysis tools, drawing on big and open data
- Adaptive policy responses that enable continuous learning through coordinated experimentation, feedback, rapid action to correct failure and incentives for scaling up success
- Adaptive system design that includes responding to unintended consequences
At an organisational level in the education and research sector, my advice is to build ongoing horizon-scanning into the cyber security framework, employ more analysts, collaborate with external partners in intelligence-sharing, and build expertise into the risk management cycle.
Operating in the 4IR
According to employers surveyed for the World Economic Forum’s Future of Jobs Report 2020, the most competitive businesses will be those that reskill and upskill current employees in line with the needs of the 4IR.
Bearing in mind that 84% of employers surveyed are set to rapidly digitalise working processes and significantly expand remote working, the need to develop and sharpen technical skills is obvious.
But it’s interesting that among the most desirable employee attributes listed by employers are soft skills such as analytical thinking, complex problem-solving, critical thinking, resilience, stress tolerance, flexibility, creativity and emotional intelligence.
Organisations will progress to excellence in cyber security only if they are staffed to capacity, with appropriately skilled people, which allows for necessary thinking space and horizon scanning.
Support from Jisc
Get involved: Jisc is launching a campaign, ‘defend as one’, to unite higher and further education in a common cause, to build robust defences across the sector. Members can sign up to receive personalised instructions on how to improve cyber security posture across their organisation.
About the author
Alison Wakefield is professor of criminology and security studies and co-director of the Cybersecurity and Criminology Centre at the University of West London.