“Government organisations are routinely and relentlessly targeted [for cybersecurity attacks]: of the 777 incidents managed by the National Cyber Security Centre between September 2020 and August 2021, around 40% were aimed at the public sector. This upward trend shows no signs of abating.”
— Government Cyber Security Strategy – Ministerial Foreword
Both the Government Cyber Security Strategy 2022 to 2030 and the National Cyber Strategy 2022 make it abundantly clear that people and organisational culture are at the heart of reducing cyber risk. At the same time, these are the areas most overlooked in cybersecurity. We must fundamentally shift our focus to the human element of cyber resilience and the unique challenges that the UK government faces to achieve its desired outcomes.
The Current State of Government Cyber Workforce Recruitment
The cyber security sector workforce has grown by around 50% in the last four years, with demand for skills still vastly outstripping supply. While many people are drawn to public service, government agencies are adversely affected by the cybersecurity skills shortage because they cannot compete on compensation with the private sector. IT budgets are particularly tight in the government sector due to budget cuts and the need to show return on investment. The majority of skills shortages across the UK, including government, are found among more senior positions. There is therefore a need to both recruit effectively and to upskill the existing workforce.
“We need to ensure that the UK has the right professional standards and mechanisms in place to recognise individuals who are competent and sufficiently expert, as required, to manage the UK’s cyber risk. This is essential for assuring that practitioners responsible for cyber security functions that include the design, testing, monitoring and reacting to system breaches, have the right knowledge and skills to do this effectively.”
—“Embedding standards and pathways across the cyber profession by 2025”, GOV.UK
It is a nearly impossible task to prove return on investment when it comes to cyber security capabilities. However, the aim of any organisation must be to have the data at its disposal to reduce risk and demonstrate cyber resilience. Evaluating and proving cybersecurity capabilities is fundamental.
The National Cyber Security Strategy states that opportunities must be spread more evenly across the country and the diverse population. To do so requires removing bias from the recruitment process and targeting all regions equally. This demands a shift away from hiring and promoting people based solely on how they perform in interviews and their cybersecurity accreditation towards a testing framework which evaluates skills based purely on capability.
It is vital to discover talent internally and to set minimum-requirement objectives that encourage employees to apply for internal cyber roles. Individuals who are progressing in their roles and are satisfied that they have strong opportunities to grow, with well-defined career paths, are less likely to look externally.
The shortage in cybersecurity skills means that competition is tight, so applicants have many opportunities to choose from. Therefore, it is essential to speed up the recruitment process and assess candidates rapidly and effectively so that they don’t take roles elsewhere.
The vast number of applicants for a role means that it’s simply not possible to interview them all, because doing so is time- and resource-intensive. It is vital to have a solution which tests applicants against the specific skills required. In that way, you can assess every candidate you have, picking the top scorers (based on points, accuracy and speed) to take to the next stage.
Ransomware remains a significant risk to public sector organisations.
- In October 2020, Hackney (a borough of London) Council was the victim of a ransomware attack which cost millions of pounds to rectify and resulted in the collapse of citizens’ property purchases.
- In May 2021, the Health Service Executive (HSE) of Ireland also suffered a major ransomware attack which took months to recover from.
- In December 2020, the Scottish Environment Protection Agency (SEPA) was attacked at a level which displayed “significant stealth and malicious sophistication”. SEPA did not capitulate to the ransomware demand.
Of the five priority actions outlined in the National Cyber Strategy, the second pillar is to strengthen resilience at national and organisational level to prepare for, respond to and recover from cyber attacks. This requires those responsible to be continuously ready for a major crisis such as the three examples above and to have the necessary knowledge, skills and judgement to respond rapidly and effectively to minimise impact.
“… while effective risk management, appropriate and proportionate protective measures and enhanced detection capability will make government a considerably hardened target, government organisations will still be impacted by cyber security incidents. There is therefore a critical need to ‘test and exercise incident response plans’.”
— Government Cyber Security Strategy 2022 to 2030
Traditional vs Modern Approaches to Cyber Crisis Response Readiness
Traditional Approaches to Cyber Crisis Response Readiness
The traditional approach to crisis preparation is to bring all required stakeholders together for a lengthy period of time and perform a tabletop exercise, facilitated by a consultant and often delivered via PowerPoint, which mimics the adverse circumstances that an organisation might face in the event of a real-life cyber crisis. The challenge with this approach is the difficulty of assembling all relevant stakeholders because of their individual time constraints. Therefore, these exercises are typically performed infrequently. This means that participants are not well practised in crisis response and so are often ill prepared in the event of a real-life crisis. The exercises are also flat in nature, meaning that a decision made during the scenario does not necessarily affect the next vital task you would be confronted with in a real-life crisis.
A Modern, Outcome-Driven Approach
The better approach is to allow stakeholders to perform cyber crisis exercises remotely through a dynamic environment and to run them at a time which meets their busy schedules, either synchronously or asynchronously. In this way, participants are dynamically presented with challenges that are far more in keeping with what might happen in a real-life scenario. It also means that the exercises can be performed much more frequently. This leads to enhanced muscle memory and far greater preparedness.
As with the public sectors of all major economies, the UK government is particularly exposed to cyber security threats. The strategies and research quoted in this blog will help significantly reduce this risk over the coming years. People are at the heart of cyber resilience, and it is especially important for this sector to attract and retain cybersecurity talent. Being adequately prepared for cyber breaches of all severities demands that the entire workforce continuously develops the knowledge, skills and judgement to be resilient in the face of mounting challenges.
Immersive Labs’ Cyber Workforce Resilience platform redefines how technical and non-technical roles within an organisation can protect against cyberattacks continually and successfully.
To understand how we can help you and to speak to an expert, book a demo with us.