Francis Maude’s ministerial statement on the ‘Progress of the UK Cyber Security Strategy’ falls short on initiatives to equip the masses with the skills required for a digital age, according to John Colley, Managing Director EMEA, (ISC)2. Many different strata of society, from public users, systems developers, and legal and business professionals to, of course, many more potential security specialists, need to develop an awareness of and interest in security.
Reacting to statements from Francis Maude and Chloe Smith, Minister for Political and Constitutional Reform, who were speaking about the achievements of the first year at the Information Assurance (IA12) Conference, Colley said: “They are missing an opportunity to create the kind of market and consumer interest required to have real impact, with the budget dedicated to education skills and awareness being the smallest slice of the pie.”
“One year on, the public has moved into the Twitter era while the Government’s significant public initiatives have included publishing advice targeted at the FTSE 100 companies; and establishing Centre of Excellence status for a few universities,” summarises Colley. “They have celebrated the effort behind plans to launch public private partnerships in 2013 for information sharing within industry sectors, and schemes for companies to improve governance.”
“The major focus seems to be on influencing the elite and developing intelligence,” Colley adds. “It is not enough and is out of step with how the management of society’s information security risk must evolve.”
Colley predicts that in 2013 the security pressures on companies will intensify as the next stage of development, with mobility, BYOD and social communities, takes advantage of the flexibility of virtualised and cloud-based systems. “In business, we see a mix of corporate and personal systems as technology development slips away from the control of a carefully planned IT strategy. The resulting vulnerability and threat landscape is following suit. Corporate boards will not be driving these trends. Real impact can only be had with a broader approach to the challenge.”
This time last year Colley raised concern that the UK Cyber Strategy document only fleetingly mentioned the need to raise public awareness without a plan of action. The record to date includes support for the annual Get Safe Online Week in October and a campaign from Action Fraud. “These initiatives are moving in the right direction, but only scratch the surface, and while the government has said more is to be done in raising awareness, they have not said that they will commit new funds to the cause. They are relying heavily on private partnership.”
Skills development too requires more focus at the foundation stages. “Funding new research centres and denoting ‘Centre of Excellence Status’ to universities that are already delivering graduate courses in this space does not begin to address the skills shortage that we all acknowledge is adding to the threat,” continues Colley. “There are already 55-60 graduate level courses in the UK and most students don’t pursue an education at this level. More is needed at the undergraduate level where awareness of the career opportunities can help reach the numbers required.”
Colley did praise the intent to make education in cyber security a mandatory component of software engineering degrees by 2015, and suggested that this be a requirement for all computing science and web development courses.
“The government has pulled together a comprehensive statement covering a lot of disparate and impressive initiatives, but I am not confident that the basic requirements are being covered or therefore that they are getting to grips with the problem,” he concludes.
John Colley, CISSP, Managing Director, (ISC)2 EMEA. (ISC)2 is the largest membership body of information security professionals, with over 88,000 certified members worldwide, 4,000 in the UK and 14,000 across EMEA.