The skills needed for joined-up security best practice
12:00 Thursday, 22 April 2021
UK Cyber Security Council
To work effectively in cyber security, particularly in more senior roles, you will generally need some relevant education or training. You will, of course, also need skills that aren’t directly related: analytical skills to understand issues; a comprehension of how to measure risk in order to prioritise the changes you make; the ability to make the most of the tools at your disposal for monitoring the operation of the security estate.
The title of this article includes the words “joined-up”, though. What extra skills do we need to bring those two words into the security practice?
We need to look in two directions: inward (within the security team) and outward (as a part of the business). The most fundamental requirement within the team is for everyone to understand who does what, and who is accountable for what: any lack of clarity will lead to essential tasks going undone because everyone assumes someone else is doing them. Not far behind is overlap: just as resilience is essential for dealing with failures in your critical servers, firewalls and network links, so is the ability to cope with failures in the more organic elements of the security team – illness, leave, resignations and so on. Overlap of skills and knowledge lets you keep things moving – and secure – when people are absent, and also helps cope with peaks and troughs in workload, with less busy colleagues able to help out those going through a more strenuous few days or weeks. Your team is joined up if the members are multi-talented and can do – actually do – each other’s jobs.
Joining up the security practice to the business requires communication, openness and awareness. Security staff are like IT staff in the sense that it’s easy for them to sit in a windowless room doing their thing and forgetting entirely that somewhere outside their abstract world, what they do affects the customers of the business. It’s essential, then, for the security team to have some understanding of the downstream effects of what they do. The reverse applies too: just as the cyber team may not be looking out of their windowless lab, the rest of the business may be unable to look in. People are naturally suspicious of opaque entities that they don’t understand, and so to be joined up with the wider business the security team needs to be open with the people that consume its services, to help them grasp the concepts, and to be honest about what is going on – even (particularly) when bad things are happening. And this openness is achieved by that third factor: communication. Communicating with those outside the team engenders understanding and acceptance.
And it joins the security function with the business.