We often hear, particularly within the cyber security industry itself, of a skills gap and a real problem recruiting and retaining cyber security professionals. Why, and is it real or imagined?  There is a very useful report on this from the Department for Science, Innovation and Technology (DSIT), which I’d recommend.

Firstly, let’s look at the market.  As my regular readers will know, I work largely in the SME market, having come from the corporate market where I worked for many years.  Even there, true cyber security professionals were always hard to find, and it’s very important to recognise the difference between cyber security skills and experience on the one hand, and technical skills and experience on the other.

Let me explain.  Within the SME sector there has always been the perception that technical skills are what is needed when putting in place protections against cybercrime.  That does seem to be changing.  I asked a business audience a couple of weeks ago whether they thought cyber security was a business issue or best left to the techies.  100% said business, which is very different from when I first asked this group the same question 18 months ago, when about 80% said it was a technical issue.  This latest result was somewhat heart-warming.

So why does technology get pushed so hard in that sector?  If we look at the corporate market for a moment, we’ll see that these organisations have a solid security team in place, run by a Chief Information Security Officer (CISO), who often reports to a Chief Information Officer (CIO) who is a board member.  This allows them to build a team covering most of the security skills needed: cyber generalists and governance, risk and compliance specialists amongst others, and techies as well.  They will often outsource only those skills that are needed now and again.  But even here they often struggle to recruit.

SMEs simply don’t have that organisation in place, and even at the top ‘M’ end of the market, those companies knocking on the door of the corporate market, they still outsource most of their IT and with it, their cyber security.  The reason an SME would choose to do this is obvious: cost.  They can’t afford to employ even IT staff full time, and those that do often have one person whose main role is to keep on top of their outsource partner.

A big issue facing SME organisations is balancing limited resources with the growing complexity and volume of cyber threats. The lack of resources is compounded by an overall dearth of cyber security skills in general, and a real lack of those skills in mid-sized companies and the IT companies they often outsource to.

Allied to this issue is that many IT support companies focused on the SME market don’t really have any more of a handle on cyber security issues, and how to fix them, than the SMEs themselves.  This might sound harsh, but consider that their business is all about selling hardware and software licences: the more they sell, the stronger their business.  Obvious, right?  That makes them focused on the technologies they sell, firewalls, anti-virus and so on, and they will have the technical skills needed to support and maintain those products.  That’s all fine, but ask them some simple questions: 

  • Have they fully identified your security assets?  Security assets are not just hardware and software; in fact those are often the least of your worries.  It’s the data, where it is and how it’s protected, that is important.
  • Have they done a risk assessment on those assets?
  • Have they recommended or implemented controls to manage the risk down to your acceptable residual risk level?  That is assuming they have spoken to you about what that acceptable level of risk is. 

It’s very important that business owners grasp the difference between the technical requirements of their networks and the business requirements. 

Cyber security professionals focus on encompassing all aspects of protecting digital assets, IT systems and networks from unintended or unauthorised access, change or destruction. Cyber security focuses on devising a security strategy and identifies the controls, processes and technologies needed to ensure the protection of data, programs, networks and associated software from unauthorised access or attack. It is focused on People, Process and then Technology.

Technical security focuses on the technologies employed as controls to remediate the risks identified in the risk assessments carried out.  Risk assessment is essential because without it, you can’t be sure that you have the right controls in the right place doing what you think they are doing.  In other words, it helps to ensure that your spend is targeted correctly and you’re not wasting money.

And that last piece is what your local IT provider is not doing.  They look at tech, not the business.

Getting back to the skills gap, it’s clear that whilst that gap exists, it probably isn’t hitting SMEs hard because they had never invested in those skills in the first place in the way the corporate market has.  SMEs tend to outsource those things that aren’t their core business, including IT, HR, payroll and so on, so why not cyber security?  The answer is often that they don’t think they need to, often until it’s too late.  Having someone on tap that you can contact for advice and guidance is worth every penny.  Trust me – I’m a cyber security pro!

H2 provides affordable and flexible one-off and ongoing data protection and cyber risk protection services designed specifically for SMEs, at a price they can afford.  Our advice and guidance takes a unique look at the problems facing SMEs, whilst calling on our vast experience working for larger organisations and government departments.

To learn more about the services we provide please click here https://www.hah2.co.uk/

Alternatively, please feel free to give us a call or email

T: 0800 4947478

M: 07702 019060

E: kevin_hawkins@hah2.co.uk

Trust H2 – Making sure your information is secure
