Cyber People – the great opportunity
The situation
Organisations throughout the UK – whether private companies or public sector bodies – face a number of similar challenges in cyber security, in all its forms.
The nation’s critical national infrastructure organisations are already well aware of the threats from criminal gangs deploying ransomware or from Hostile Foreign States lifting valuable IP (or simply disabling capability).
And the specialist supplier communities supporting those CNI organisations are actively involved in helping keep those defences up and in keeping potential and emerging threats monitored.
But that threat-monitoring is not enough to secure the future delivery of the UK’s critical services.
As a delivery partner in the CNI community, Capita knows that the market for “cyber skills” is not just hot, but is booming, which means there is another cyber-related threat, too…
…namely the dearth of cyber-skilled practitioners in the UK economy; and the staff turnover that comes with high demand and an under-sized supply of practitioners.
So what is the UK’s CNI supplier community going to do to tackle that threat?
Working together towards a solution
If, a few years ago, the supply of cyber skills was constrained but available and simply expensive, then the answer to finding “a gap in the team” was purely about funding that expense.
But now?
Increasingly, the challenge in filling “gaps in a cyber security team” is that there are simply not enough skilled cyber specialists to go around.
So how do organisations – whether in the private or public sector – address the cyber-skills-shortage challenge?
And how do facilitating organisations in the UK economy make those organisations with cyber skills more robust and less affected by staff turnover in a “hot marketplace”?
The answer lies in creating resilience through workforce planning; and through community partnering.
How we tackle the problem
If an organisation self-assesses its cyber security posture – say, through use of the Cyber Assessment Framework – and identifies its vulnerabilities, those vulnerabilities may be infrastructure and applications-related or they may be people and process-related. It’s a “Yin & Yang”-style complementary operating model that needs to be considered.
Let’s start with infrastructure, applications and data.
Vulnerabilities or systems gaps that are spotted may be tackled through deploying technical solutions; and there may well be a simple need to be clinical in prioritising investment, where the Wish List for investment exceeds the budget available to deliver it. That’s the age-old problem that IT Directors have always faced, along with the organisational investment boards that have got to agree to funding technology upgrades.
And once enterprise-scale systems are fit for purpose, there is the constant challenge of not just managing and exploiting the data within the system, but also of using analytical insights to spark innovation.
This can be successful, but beyond that the organisation needs to recognise the possibilities of:
- Regulators inhibiting data-driven innovation
- Activists pivoting to cyber space
- Attackers poisoning the data well
And then, having addressed those challenges, another area for improvement is the deployment of existing skills and the growth of new ones in the workforce.
For example, an organisation may have “cyber-skilled colleagues”, but are they being deployed to best effect?
Are cyber-skilled staff spending time on corporate admin that a competent business support officer can handle, in order to release time for cyber-centric management and problem-solving? Are organisation staff with high-end cyber skills tackling cyber security tasks that an entry-level lay-colleague with some upgraded skills could tackle instead?
And when the organisation has optimised delivery from the range of skills and capacity it has in-house – what access has it agreed to its partner supply chain for “surge capacity”? Does it come from call-offs from resource augmentation agreements? Or from drawing on pools of talent in cyber academies training apprentices or re-purposing those with transferable skills?
And probably more of a challenge: what arrangements exist between suppliers within that supply chain for managing the peak capacity for in-demand skills? Without illegitimately operating cartels and fixing the market – how does a supply chain community collaborate so that scarce cyber-skilled resource is not sat idle?
It’s an interesting challenge to balance individual supply chain member corporate commercial objectives and client satisfaction whilst contributing to the security and well-being of UK citizens who rely on the services that CNI organisations deliver.
And it’s not just about immediate operational capacity – or even the viability of short and medium-term improvement programmes.
It’s about the resilience of those CNI organisations and their supply chains in a longer term, strategic context.
That resilience is not just about tech; it’s also about people and skills – the Yin & Yang model.
So it requires a degree of workforce planning – identifying key skills and focussing efforts on training up the “bottom layers of the organisation” to take on “cyber team tasks” that can be delegated with creative thinking, innovation in training techniques and the will to rethink the operating model.
It requires sustained planning on where to find core capacity in skills and where to find surge capacity in partners.
It’s about reducing turnover and retaining talent.
It’s about collaborating with a limited pool of skills to jointly tackle a cyber threat that one day soon, given recent geo-politics, may be less commercial than existential.
Reflecting on possible solutions
A tough challenge?
Well, in the CNI supply chain community – as in many other supply chain communities in differing sectors of the UK economy – we’re smart: we’re not going to leave this puzzle in the “too hard to deal with” box. Bring it on!