
Will a new law dent the need for cyber skills?

Joining the profession

08:30 Monday, 20 December 2021

UK Cyber Security Council

A new law being introduced to Parliament and sponsored by the Department for Digital, Culture, Media and Sport aims to compel tech manufacturers, and their distributors and importers, to get the basic cyber security elements of what they do correct: moving away from poor default passwords, being transparent about vulnerabilities that are discovered, and the like.

Imagine that: a law that forces vendors to make products that are secure. For the first time, equipment manufacturers will be bound by law to do security properly. So, will this have any negative effect on the need for cyber security professionals?

In a word: no - for a variety of reasons.

First, the new law only scratches the surface. Sorting out default passwords and keeping on top of patches for vulnerabilities is basic hygiene that any competent cyber security team already treats as routine. All the new law is really doing is defining minimum technical measures that vendors should already be taking anyway.

Second, although proper admin passwords and patching are important in cyber security, they are only one component of the big picture. Much more crucial is the component that introduces most of the security issues in systems: people. In this sense we don't mean people in the context of unwitting users clicking on links in scam emails (though they are of course a source of risk) but rather the people who design, build and maintain the systems.

The problem is the same with any system: no matter what security features are built in, there is generally plenty of scope for the IT team to configure it wrongly, that is, insecurely. Any security mechanism can be defeated by a bit of unwitting or incompetent design or implementation, after all. As noted above, the elements of security that the new law will deal with are just a small part of the problem.

Third, even with vendors making sure we are aware of vulnerabilities and the patches for them, nothing much changes with regard to how we monitor our equipment. The reason is simple: knowing that version X.Y.Z of a device's operating software has a vulnerability is one thing, but we still need to monitor our estate so that we know which devices we have, which versions they are running, and whether the vulnerable functionality is actually in use in our configuration. A vendor advisory answers none of those questions; an up-to-date asset inventory does.
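The matching step described above, as an added illustration that is not part of the original article: a small Python script that takes an asset inventory and a vendor advisory (both constructed for this example; the product names, device names, advisory identifiers and version ranges are assumptions, not real products or real vulnerabilities) and answers the two questions the paragraph raises, namely which devices run an affected version and whether the vulnerable feature is enabled on them. It also flags devices whose version the inventory could not read, since "unknown" must never be silently treated as "patched".

```python
"""Map a vendor advisory onto a device inventory.

Constructed example for illustration: the products, devices, advisory IDs
and version ranges below are invented and do not describe real
vulnerabilities.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str                   # as reported by the monitoring tool
    enabled_features: FrozenSet[str]


@dataclass(frozen=True)
class Advisory:
    advisory_id: str
    product: str
    introduced: str                # first affected version (inclusive)
    fixed: str                     # first fixed version (exclusive)
    requires_feature: Optional[str]  # feature that must be on for the flaw to be reachable


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted numeric version ('2.4.1', '7.1') into a zero-padded tuple.

    Padding to four components keeps '7.1' and '7.1.0' equal when compared.
    Returns None for anything that is not a version (e.g. 'unknown' from a
    tool that could not read the device), so callers can flag it explicitly.
    """
    parts: List[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            return None
        parts.append(int(match.group()))
    return tuple(parts + [0] * (4 - len(parts)))


def triage(inventory: List[Asset], advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (advisory_id, asset_name, status) for every asset an advisory touches.

    status is one of:
      'patch-now'           affected version and the vulnerable feature is enabled
      'affected-mitigated'  affected version but the feature is off (patch, but less urgent)
      'verify-version'      product matches but the version is unknown; go and look
    Assets on unaffected versions are not reported.
    """
    findings: List[Tuple[str, str, str]] = []
    for adv in advisories:
        introduced, fixed = parse_version(adv.introduced), parse_version(adv.fixed)
        for asset in inventory:
            if asset.product != adv.product:
                continue
            version = parse_version(asset.version)
            if version is None:
                findings.append((adv.advisory_id, asset.name, "verify-version"))
            elif introduced <= version < fixed:
                reachable = (adv.requires_feature is None
                             or adv.requires_feature in asset.enabled_features)
                status = "patch-now" if reachable else "affected-mitigated"
                findings.append((adv.advisory_id, asset.name, status))
    return findings


# Constructed inventory and advisories (assumptions, not real data).
INVENTORY = [
    Asset("cam-lobby-01", "AcmeCam", "2.4.1", frozenset({"web-admin", "rtsp"})),
    Asset("cam-loading-02", "AcmeCam", "2.6.0", frozenset({"rtsp"})),
    Asset("cam-yard-03", "AcmeCam", "2.4.1", frozenset({"rtsp"})),
    Asset("rtr-branch-01", "AcmeRouter", "7.1", frozenset({"upnp"})),
    Asset("cam-roof-04", "AcmeCam", "unknown", frozenset()),
]
ADVISORIES = [
    Advisory("ACME-2021-001", "AcmeCam", "2.0.0", "2.5.0", "web-admin"),
    Advisory("ACME-2021-002", "AcmeRouter", "7.0", "7.2", None),
]

if __name__ == "__main__":
    for advisory_id, asset_name, status in triage(INVENTORY, ADVISORIES):
        print(f"{advisory_id}  {asset_name:16} {status}")
```

The point of the three-way status is the one the paragraph makes: the advisory alone tells you the range, but only your own inventory tells you that cam-yard-03 has the vulnerable web interface switched off, that cam-loading-02 is already on a fixed release, and that nobody actually knows what cam-roof-04 is running.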

And there is one final reason that the new law doesn't put cyber professionals out of business: it's a consumer-focused law. By "consumer", the legislation means "an individual acting for purposes that are wholly or mainly outside the individual's business". Which is unsurprising, of course, because it's consumers that most need to be protected. And this is precisely because businesses have cyber security professionals who already know (or, at least, we hope they already know) how to change default passwords, and can generally afford some kind of toolkit to monitor the infrastructure and tell them when things are vulnerable or out of date. It's consumers the government seeks to defend by legislating some basic security requirements for manufacturers, importers and wholesalers.

In any case, legislation alone will never put cyber security professionals out of a job, nor make their skills irrelevant. And let's face it, the vast majority of businesses are getting better at dealing with the very basic security requirements demanded by the new law: requirements that align with standards such as Cyber Essentials, which is already well known and widely adopted, and whose guidance includes vulnerability and password management.

So, while the new law is an important step for consumers, our business cyber skills will be required for some time yet.