May 2024
Rowland Johnson, President of CREST, discusses the importance of the whole cyber security community working together to develop capability, capacity, and consistency on both a national and global scale.
While collaboration in the cyber security industry is often discussed, and there have been many ‘community-minded’ projects where organisations that would normally compete have worked together for a common purpose, these have all too often been short-lived.
This, of course, limits their benefits to the industry, particularly in the long-term. There is also rarely a perspective on the larger industry or global landscape. Ultimately, many of the organisations involved exist to market themselves and to be seen as better than their competition. And for genuine collaboration, this way of thinking needs a fundamental change.
Mind the skills gap
Take the cyber security skills gap, one of the industry’s biggest issues: much of the collaborative work done to get more people into the industry has been good, but a lot more is needed.
In particular, we need to ensure the competency of these individuals is also measured, recorded, and then properly communicated to service buyers. This is true for everyone involved in providing cyber security services.
One example of a successful initiative in filling the sector’s skills gap is the National Cyber Security Centre’s (NCSC’s) CyberFirst programme. Launched in May 2016, CyberFirst originated as a programme to encourage and empower young people to delve into the realm of cybersecurity.
CyberFirst now encompasses a diverse array of activities, including undergraduate bursaries, apprenticeship programmes, a girls-only competition, and seasonal courses held either online or at esteemed UK universities and colleges.
Discussing the CyberFirst scheme, Chris Ensor, NCSC Deputy Director for Cyber Growth, said: “Collaboration across the industry will be key to filling the skills gap, including through initiatives like CyberFirst. We want to empower tomorrow’s cyber experts with the tools they need to keep the UK secure and resilient online.”
And the UK government is keen to fill the skills gap, through more collaborative projects with the private sector and academia. Last year’s government paper, Cyber security skills in the UK labour market 2023, revealed that 50% of businesses have a basic cyber skills gap, with an average of 18,200 new recruits needed every year to meet demand in the cyber sector.
The government’s Upskill in Cyber programme is a 14-week training course aimed at people from a non-cyber background, delivered in partnership with the SANS Institute. The scheme comes as part of the government’s £2.6 billion National Cyber Strategy.
Measuring competence
It is also critical to ensure that globally, everyone recognises the cyber security certificates that demonstrate competence. But certifications should not be the end of the story. There are many good measures of competency that can be used in conjunction with certifications, including experience, training and mentorship, Continuing Professional Development achievements and assessment during recruitment.
And it is only by working collectively as an industry, including service providers, vendors, academia, government, regulators, and buyers, that any agreement can be reached on what these are and what good looks like.
The variety of courses, certifications and accolades available globally can make it difficult to assess an individual’s competence. And not everyone can, should or is able to pursue higher qualifications such as an MSc or PhD in the cyber field. But organisations such as CREST offer more practical, real-world based certifications, which act as an excellent measure of actual skills and knowledge.
How to collaborate
There are several ways for organisations in the cyber security ecosystem to collaborate, help build cyber resilience and battle escalating cyber threats. These might include active participation in government or professional body-led research, workshops, and consultations to inform the future of cyber, or joining professional groups such as CREST that foster diverse and innovative ideas and collaboration in the global community.
In the USA, CISA’s Joint Cyber Defense Collaborative (JCDC) aims to foster collective cybersecurity defence across the public and private sectors. Serving as a platform for collaboration and information sharing, the JCDC brings together various stakeholders, including government agencies, industry partners, and critical infrastructure entities. Its primary focus lies in facilitating proactive, coordinated responses to cyber threats and incidents by promoting shared situational awareness, coordinating cyber defence efforts, and implementing best practices and innovative strategies to enhance the USA’s overall cybersecurity posture.
Meanwhile, another good example of collaboration is the NCSC’s Industry 100. This initiative aims to bridge the gap between academia and industry by providing top-tier cybersecurity students with the opportunity to gain hands-on experience within leading UK organisations. Selected participants, typically final-year undergraduate or postgraduate students, undergo a rigorous application process and, once accepted, spend a year working within partner companies or government agencies.
This experience allows them to apply their theoretical knowledge in real-world settings, tackle complex cybersecurity challenges, and contribute to ongoing projects or initiatives. The programme provides valuable practical skills and experience to students and helps organisations benefit from fresh perspectives and innovative ideas – while generating a pipeline of fresh talent for the cybersecurity industry.
As a member-driven organisation, CREST fully understands the need for greater collaboration across the sector to maintain and develop universal standards in the cybersecurity sector. Membership is available to all cyber security service providers. These naturally competitive organisations are working with CREST on projects that benefit the whole industry.
However, it is important that organisations from all parts of the cyber ecosystem are also involved in CREST’s mission of professionalising the cybersecurity industry and ensuring the highest standards in security testing, incident response, and threat intelligence, so that realistic solutions to the most critical cyber security concerns can be found.
This is why CREST recently introduced a new community supporter programme that allows any cyber-focused organisation, including government agencies, regulators, universities and other professional bodies and vendors, to join the CREST community and collaborate to improve global cyber resilience.
The opportunity to become a CREST supporter is open to any organisation that does not provide cyber services that are accredited by CREST, but would like to contribute towards CREST’s goals and objectives in a tangible way.
CREST Community Supporters contribute to CREST’s mission to build capability, capacity, consistency and collaboration in the global cyber security industry and help raise awareness of CREST and its members.
Global cyber security is too critical an issue for us all not to work together on sharing information, knowledge and innovations. It is time the cyber security sector – and sector allies – joined forces to help make the world more cyber resilient.
For more information on becoming a CREST community supporter: CREST Community Supporters – CREST (crest-approved.org)