Cybersecurity: Looking Beyond Technology in the Classroom
Dr Sarah Morrison, Faculty Lecturer, AIM Business School
Cybersecurity addresses operational risk; it includes technology but is not limited to technology. However, it is not always taught as such. Cybersecurity is still often seen as part of the realm of the technologist, with many students believing that to get a job in the cybersecurity field, you must have a strong understanding of technology and be able to battle it out against threat actors in the cyber arena.
Having the word cyber attached to security does not help the situation, as cyber is often depicted with scenes from The Matrix of falling green code delineating a simulated reality environment – spoiler alert, the green code from the matrix is Sushi recipes (Hooton, 2017) – just like the term cybersecurity, things are not always as they seem!
Cybersecurity jobs are not all technical, and the cybersecurity community needs people with varying skill sets. Some of the best consultants I have ever hired did not bring technology skills to the job, but other transferable skills such as risk management, training and education, and policy development. In fact, most of the information security/cybersecurity frameworks organisations implement to help protect them against cyber threats allocate only a small portion to technical controls. The rest rely on soft skills, such as project management, research, communication and analytical skills. The following article will examine cybersecurity's role across multiple disciplines, extending beyond the traditional IT realm.
The second purpose of this article is to demonstrate that with cybersecurity becoming a significant issue for all industries, it is imperative that we arm students with tools to help defend against threat actors. Currently, cybersecurity is offered as an elective for some courses. I am proposing, however, that rather than putting cybersecurity as an afterthought, it should be front and centre, a core subject to arm students with the tools to protect themselves and their future employees. At the same time, we are introducing students to the varying possibilities within a cybersecurity career.
Cybersecurity is not an IT Problem
Google “Cybersecurity is not an IT problem”, and you get a plethora of articles eloquently describing how cybersecurity should be interwoven into everyone’s job description, not just IT’s. The security environment has changed (Hanspal, 2021) and requires a top-down and bottom-up approach. The board and executive team need to be educated and informed on the security controls within their organisations; customers need to trust that the organisation is protecting their information; and employees and contractors need to be given the right tools to ensure security is front and centre. To meet these demands, we need a diverse range of skills to fill cybersecurity positions and provide the proper education to everyone, so that the right questions are being asked. For example, are we doing all we can to protect our customer information?
The skill shortage
In 2022, studies indicated that globally there was a need for an extra 3.6 million security professionals, an increase of over 26% from the previous year (Henriquez, 2021). However, only 3 per cent of graduates have a degree in computer and information sciences (Kroll, 2019), the skill set traditionally sought for cybersecurity jobs (it is worth noting that not all these graduates will go into cybersecurity). Even if we only wanted cybersecurity students who are technologists, news flash: globally, we are not producing enough students to fill the gap. We need to look elsewhere and change the stigma that working in cybersecurity requires being a technologist. The reality is that there are so many cybersecurity jobs out there that do not fit the role of the technologist unless, of course, the technologist is a unicorn.
The Unicorn
Having worked in and around information security for over 20 years, I have encountered a unicorn maybe twice. A unicorn is an individual who firmly understands the technology involved in protecting an organisation from threat actors but who also understands the process and the people elements just as much. The unicorn is the developer, turned penetration tester, turned governance, risk and compliance consultant, who has worked in forensics and has also done threat analysis work! Some of these skills require a technology background, but not all.
In this “not all” space, we need to start educating students to demonstrate that working in cybersecurity calls for an array of people with different skill sets. Some are technical, others are human-focused, and others are process driven. These are known as the three pillars of cybersecurity: Technology, People, and Process.
Diversifying cybersecurity skills
For many years technology was the key focus for organisations regarding cybersecurity. If you had firewalls, end-point protection, and a plethora of other technical controls, you could practically ensure your organisation's security. However, as technology improved, threat actors got more creative, turning to new ways to gain access or create chaos. Take, for example, the phishing email. A phishing email is a social engineering scam perpetrated over email in an attempt to get the recipient to action the email. The consequences may include a combination of data theft, malware distribution or using the email account to send further phishing emails. From a technology perspective, spam filters and secure gateways monitor your organisation for incoming fraudulent emails. Your technologists should be busy behind the scenes ensuring that these are turned on, tuned and updated regularly. However, as we all get spam emails, we know technology does not always work, so organisations are now turning to the people and process pillars of cybersecurity to help keep them protected.
Security Awareness
Security awareness comes under the pillar of people, as it educates individuals on the threat of phishing emails. Armed with data and examples, your security awareness program should provide your employees with the tools they need to identify phishing emails. These are not technical tools, nor should technical jargon pollute the conversation. Security awareness can be generic, or it can be specific to a job function. For example, IT, Human Resources and Finance are traditionally the areas most targeted by threat actors. (Food for thought: wouldn’t it be great if we provided cybersecurity subjects to graduates of targeted professions?)
The elements of a good presenter, according to a recent article by Presenter Academy (2021) are:
- Confidence.
- Charm and charisma.
- Dedication and passion.
- Authenticity.
- Understanding the audience.
- Enthusiastic.
- Relaxed and calm under pressure.
- An active listener.
- Good communication skills, and
- Good team player.
An additional element that I believe is essential to cybersecurity is the ability to be honest if you do not know the answer to a question. You can always get back to the audience after the session.
Simulated phishing tests are another invaluable tool organisations use to test your security awareness program's effectiveness. Simulated phishing campaigns can be undertaken using a variety of available tools, where you draft your fraudulent email and send it out to your staff. As it tests your staff’s ability to respond to a phishing email, it comes under the pillar of people. Yes, technology is used to send out the email, but just as a delivery tool. Like anything to do with technology, you need to be open to learning new technologies to get the job done. You are also required to have an active imagination to make your phishing email look both authentic and phishy. The email must pass as looking real at first glance, but it must also have the characteristics of a phishing email so staff have a chance to identify it as such. If they pass the simulated phishing test, they get a gold star; if not, it is back to training.
Security awareness is not the only role within cybersecurity that does not require a technology background. In fact, most governance, risk and compliance roles within information security fall within this category. Going back to the security frameworks mentioned earlier, security controls are often broken up into categories. For example, NIST (2022) uses five functions: Identify, Protect, Detect, Respond and Recover. Only some aspects of each of these functions require the skills of an IT professional.
| Identify | Protect | Detect | Respond | Recover |
|---|---|---|---|---|
| Physical and software assets | Identity management and access control | Anomalies and events | Response planning | Planning |
| Business environment | Empowering staff | Monitoring | Communication plans | Investment |
| Cybersecurity policies | Data security protection | Detection responses | Response and support recovery activities | Communications |
| Asset vulnerabilities | Processes and procedures | | Mitigation | |
| Risk management strategy | Maintenance | | Lessons learnt from an incident | |
| Supply chain risk | Protective technology | | | |
For a full description, the NIST Cybersecurity Framework is a free online tool. It is not feasible to explain each control in this article. We will, however, examine two of my favourite areas: Policy and Process, which is covered under Identify, Protect and Respond, and Threat Landscape, which falls under all of the functions, as you cannot defend against something if you do not know what it is you are defending and what you are defending it against.
Policy and Process
Security frameworks such as the NIST Cybersecurity Framework and ISO/IEC 27001 are great for making organisations accountable for how they do things and ensuring security is front and centre. Policy and process are tools that are often forgotten about within organisations: people are so often busy doing that they do not always take time to document and review how they are doing things. Take, for example, the humble acceptable use policy. This document articulates how staff should treat an organisation’s technology, from the laptop they are issued to the fob key they use to get in and out of the building. The policy will also remind staff of their legal and regulatory obligations. Other areas your policy and processes may cover include:
- Password management (how long staff passwords should be, how often they need to be changed, whether the organisation uses a password manager).
- Asset register – a primary tool that details what applications are used and permitted within the organisation, who owns and manages these applications, how often the applications must undergo an access control review and the type of information being stored on the asset.
- An incident response policy and procedure in case there is a security incident, and
- An information security risk management framework that outlines how the organisation defines information security risk, the escalation points for cyber risk, and what constitutes a risk assessment.
Threat Landscape
Threat landscapes are a powerful tool for organisations when determining what threats they need to be aware of and developing a security roadmap to defend against these threats. With a combination of technology, process and people, a threat landscape will involve looking outwards first to similar organisations in size and industry. Once you have examined what is happening external to the organisation, you then need to look inwards to the threats your organisation is currently facing, such as known or suspected incidents, results of social engineering tests, security assessments, company sentiment etc. You then need to combine this information to help form the overarching security strategy for your organisation.
To develop a threat landscape report, you need to have excellent investigative skills to research:
- The tools and attack methodologies of threat actors.
- The organisation’s reliance on technology.
- What information the organisation has that it needs to protect.
- The networks available to threat actors that enable their profitability (e.g., cryptocurrency, the dark web).
- The current trends driving cyber-attacks, and
- External factors, such as the recent COVID-19 pandemic, that saw cybercrime rise globally (Del Conte, 2022).
Knowing how technology works will help you immensely in each of the controls listed above, but you do not need to know the ins and outs of the technology. Essentially, your technologists focus on the operational side, while your people and process focus on both the operational and strategy side. If you do not have processes in place to manage and govern security, then it does not matter how innovative your technologists are. Without someone identifying the gaps, the cyber risks and defining the cyber strategy, you risk investing in the wrong technology or focusing on the wrong security controls (Chipeta, 2022).
Cybersecurity as a Core Subject
Working for AIM, I have the privilege of teaching Cybersecurity and the Cloud as an elective to MBA students. It is in this subject that I repeat the message, cybersecurity is more than technology, and that all members of an organisation need to be asking the question, is this secure? Going back to the original statement that cybersecurity addresses operational risk, the question must be asked, why aren’t cybersecurity subjects being taught as part of all degrees? Cybersecurity is not going anywhere and most people will encounter a cybersecurity threat at some point in their life. Organisations are relying more and more on their staff to help protect them against cybersecurity threats, yet cybersecurity is not seen as a core subject.
When looking at cybersecurity as addressing operational risk, according to AuditBoard (2019, p. 9), “operational risk permeates every organisation and every internal process. The goal in the operational risk management function is to focus on the risks that have the most impact on the organisation”. Cybercrime is a global issue which is on the rise, and there are no signs of it slowing down; in fact, by the end of this year (2023), the cost of cybercrime is predicted to reach $8 trillion, with a 15% increase by 2025 (Nivedita, 2023). From 2018 to 2023 the leading global risk to organisations has been cyber incidents, defined as cybercrime, malware and ransomware causing downtime, data breaches, and fines and penalties (Statista, 2023).
Cybersecurity needs to be expanded beyond IT. We need to ensure that graduates leave their degrees with the right skills. Arming students with cybersecurity skills, whether these are technical skills or soft skills, is one way we can help defend against threat actors while simultaneously paving the way for students to see the worth of their transferable skills in the field of cybersecurity.
The Skills Shortage – Part Two
We have already spoken briefly concerning the skills shortage in cybersecurity, and if you have not yet picked up on the message of this article, cybersecurity extends past technological controls. 23% of cybersecurity professionals surveyed in November 2017 did not start their careers in IT. Imagine if we taught cybersecurity as a core subject for each degree, circumventing the stigma that you need to be a master of IT to work in the industry. We might start to close the gap. In fact, several soft skills have been identified by Texas University (2023) as essential to cybersecurity professionals, which are taught across multiple disciplines:
- Research and writing.
- Collaboration.
- Interpersonal networking.
- Problem-solving and analytical thinking, and
- Empathy.
Imagine having a subject where students are asked to examine the current threat landscape and come up with initiatives across all three pillars of cybersecurity that organisations can undertake to prevent these threats. Not only are students being forced to examine the global threat of cybercrime, but they may also come up with new and ingenious ways to fight it! Combine this with basic knowledge of cybercrime, of who the threat actors committing it are, and of how organisations can defend against it, and you have the makings of a cybersecurity professional.
Cybersecurity and boards
The final point I will make is a little far-reaching but a relevant argument nonetheless. With cyber risk on the rise, and a new major incident being reported in Australia every few months (the latest being Latitude), organisations are turning to their boards and executive teams for guidance. However, a 2022 study revealed that only 0.8% of ASX 100 directors have cyber experience (BusinessThink, 2022). With a skill shortage currently occurring and cybersecurity being seen as the domain of technologists, it does not seem likely that this statistic will change anytime soon. Cybercrime will not be stopped by technologists alone. We need to offer our future leaders cybersecurity education.
References
AuditBoard (2018). What is operational risk management? The overview. AuditBoard. (Accessed 30 March 2023) https://www.auditboard.com/blog/operational-risk-management/
BusinessThink (2022). Company directors fall short of cyber security skills mark. University of NSW. (Accessed 30 March 2023). https://www.businessthink.unsw.edu.au/articles/company-directors-cyber-…
Chipeta, Catherine (2022). What is the cyber threat landscape? UpGuard. (Accessed 30 March 2023) https://www.upguard.com/blog/cyber-threat-landscape
Del Conte, Tamarian (2022). The 3 pillars of cybersecurity: People, Process, and Technology. BlackBerry Blog. (Accessed 30 March 2023) https://blogs.blackberry.com/en/2022/10/the-3-pillars-of-cybersecurity-people-process-and-technology
Hanspal, Lakshmi (2021). Cybersecurity is not (just) a tech problem. Harvard Business Review. (Accessed 30 March 2023) https://hbr.org/2021/01/cybersecurity-is-not-just-a-tech-problem
Henriquez, Maria (2022). Addressing the cybersecurity workforce staff shortage. Security. (Accessed 30 March 2023) https://www.securitymagazine.com/articles/98708-addressing-the-cybersecurity-workforce-staff-shortage
Hooton, Christopher (2017). The iconic green code in The Matrix is just Sushi recipes. Independent. UK Edition. (Accessed 30 March 2023) https://www.independent.co.uk/arts-entertainment/films/news/the-matrix-…
Kroll, Steven T (2019). Only 3 percent of U.S. Bachelor Grads have cybersecurity related skills. Cybercrime magazine. (Accessed 30 March 2023) https://cybersecurityventures.com/only-3-percent-of-u-s-bachelors-degree-grads-have-cybersecurity-related-skills/
NIST Cybersecurity Framework (2022). National Institute of Standards and Technology. U.S. Department of Commerce. (Accessed 30 March 2023) https://www.nist.gov/cyberframework/online-learning/five-functions
Nivedita, James (2023). 90+ cyber crime statistics 2023: Cost, industries & trends. Astra. (Accessed 30 March 2023) https://www.getastra.com/blog/security-audit/cyber-crime-statistics/
Presenter Academy (2021). What are the qualities of a good presenter? Presenter Academy. (Accessed 30 March 2023) https://presenteracademy.com/blog/what-are-the-qualities-of-a-good-presenter/
Statista (2023). Leading risks to businesses world wide from 2018-2023. (Accessed 30 March 2023) https://www.statista.com/statistics/422171/leading-business-risks-globally/
Texas University (2023). Getting into cybersecurity with a nontechnical background. (Accessed 30 March 2023) https://techbootcamps.utexas.edu/blog/cybersecurity-with-non-technical-background/
Disclaimer
Views and opinions expressed in this piece are solely those of the author(s) and do not reflect the views of the AIM Business School. Content is based on personal experience, knowledge, and research, and is intended for informational purposes only. The author(s) and the AIM Business School make no representations as to the accuracy or completeness of the information presented and will not be liable for any losses, injuries, or damages from the display or use of this information.