Next steps for UK cybersecurity: legislation, skills and security by design
Talal Rajab of techUK looks at the key elements that are contributing to a hugely important year for cybersecurity in the UK
It seems like we say this every year, but 2018 is really shaping up to be an important year for cybersecurity in the UK.
Firstly, from a regulatory angle, the landscape has changed considerably for businesses, both large and small, and this has meant that their responsibilities when it comes to cybersecurity have also changed.
This, of course, will not be the first – or last – time that an article on cybersecurity mentions the General Data Protection Regulation (GDPR). But its introduction is seen by many of techUK's cybersecurity members as a game-changer in how they discuss data security with their customers. One of the most important data-protection principles laid down in the GDPR specifies that personal data must be processed with an appropriate level of security. This means that businesses must take responsibility for both technical and organisational measures, and think carefully about how to secure personal data effectively.
For many businesses, however, it is not just regulation through GDPR that increases their cybersecurity responsibilities.
Amidst all the frantic unsubscribing from mailing lists that occurred towards the end of May, many people missed the introduction of an equally important piece of regulation that seeks to improve the security of network and information systems across the UK. The Network and Information Systems Directive (NISD), implemented in the UK a couple of weeks before GDPR took effect, increases the cybersecurity responsibilities of operators of those essential services which, if disrupted, could cause significant damage to the UK economy. From ensuring the supply of electricity and water to the provision of healthcare and passenger and freight transport, the directive correctly recognises that the reliability and security of our critical infrastructure is essential to everyday services and requires adequate protection.
Solving the cyber skills shortage
So, what are the next steps for those companies that now have obligations under GDPR and NISD? For one, it means that businesses are in dire need of the cybersecurity skills that we constantly hear are in short supply. Depending on which study you read, there will be a global cyber skills shortage of between one million and two million people by 2020, with the UK's share of unfilled cybersecurity jobs expected to be around 100,000.
To help the UK in this regard, the National Cyber Security Strategy sets out a series of interventions aimed at plugging the growing gap between demand and supply for key cybersecurity roles. This long-term strategy will look at areas such as the lack of young people entering the profession, the shortage of current cybersecurity specialists, the insufficient exposure to cyber and information security concepts in computing courses, and the absence of established career and training pathways into the profession.
It is this last area that we at techUK have been working with government on, with the intended result being the creation of a professional body for cybersecurity that would grant royal chartered status to cyber professionals. A consultation on this has recently been launched by the Department for Digital, Culture, Media and Sport (DCMS) and techUK will be responding to it on behalf of our members.
Most of these initiatives, however, are long term in nature and will take years to come to fruition. That is why it is important that digital companies – the manufacturers and suppliers of digital products and services – take their cybersecurity responsibilities seriously and design security in from the outset.
Estimates suggest that every household in the UK owns at least ten internet-connected devices, and this is expected to increase to 15 devices by 2020, meaning there may be more than 420 million such devices in use across the country within three years.
We cannot expect consumers – the users of these products and services – to understand the different security requirements within all their devices. They want to take products out of their boxes and use them straight away, without having to worry about whether the product they use is insecure or not.
So, DCMS has conducted a "secure by design" review and published a report in March of this year which at its core contains a code of practice of 13 principles that IoT manufacturers can follow to embed security into the design process, rather than bolt it on as an afterthought. Government has stated that, whilst the principles in the code of practice are voluntary, they may be put into regulation in the future if the state of play does not change.
That is why 2018 is such an exciting time for the UK cybersecurity sector, and it gives a sense of where the sector is going: a mix of regulatory action, work to develop skills and capabilities, and action taken by manufacturers themselves to ensure that security is embedded into everything that we do.