As the only pure-play information and cyber security institution to have been granted Royal Charter status, the Chartered Institute of Information Security (CIISec) is dedicated to raising the standard of professionalism in information and cyber security. The rapid increase towards digitalisation, information, and cyber security holds greater importance to businesses and organisations as they look to protect themselves from threats.
Coupling this with ‘the new normal’ of remote working, cyber and information security professionals have to be adaptive to new challenges as they arise. Understanding and recognising the importance of adaptability and learning in cybersecurity, CIISec provides many security professionals with the tools and knowledge to respond to new challenges as they present themselves.
Amanda Finch is the CEO of the Institute and she explained that CIISec is: “the natural home for cyber professionals throughout their career.”
“What we want to do is we want to recognise people for their skills and competency, we want to help them with the development paths and we want them to be successful. We're giving them the tools to either develop the capability within an organisation or to look at their own career and develop it” she continued.
Having gained Royal Charter status in 2018, Finch explained: “it was quite a journey” as you can only have one Royal Charter status for a particular area. To prove they were a “particular niche” Finch and CIISec had to provide many examples to show they were the only body operating wholly in this field.
The application for Royal Charter status lasted three years, documentation went through the privy council and Finch described it as “a complicated process.” Now, CIISec is ready to charter other professionals and organisations that are full members that meet the charter requirements.
As well as being able to charter its full members, Finch discussed the Institute’s skills frameworks which also supports members of all knowledge levels to learn about cyber and information security. She explained, “We have a number of development programmes. We've got programmes that take people from being new to the profession up to what we call our associate level. We're starting an apprentice programme in October as well. Everything's built on our skills frameworks.”
Programmes taking professionals to the next level
These programmes are designed to help businesses and organisations gain full membership to the institute, and cover the whole industry to ensure professionals are prepared for cyber attacks.
Speaking about the programmes, Finch said: “We have programmes to help them to get to the full membership, which we will be aligning with chartered status when we’re able to actually charter people and give them that status. We'll do that through masterclasses. So we take people from across the whole profession and they run webinars that people can latch on to so that they can understand the parts of the profession and soft skills and things like that as well.”
Aimed to take professionals in the industry to the next level in terms of knowledge, CIISec recognises the eclectic nature of the profession and are therefore keen for other professionals to share their experiences. In doing so, members and prospective members can learn from each other’s cyber and information security challenges.
“A lot of what we do is filling in the gaps that professionals haven't been exposed to as a way to round their experiences and knowledge,” said Finch.
To further support its members CIISec helps professionals looking to move into the industry, as well as those looking to progress in cybersecurity, and prepare for exams in an accessible way. Its online exam preparation sessions provide structured revision to help “people with materials, with development programmes and with recognition for their skills and competency,” explained Finch.
This is particularly important as a lot of resources and training pieces around information and cybersecurity can be costly. By reducing this cost for its members CIISec hopes to make the industry and training within the industry more accessible.
Promoting diversity and inclusion
As the cyber and information security industry is largely male-dominated, CIISec is keen to tackle this diversity issue, promote women in cyber and make the industry more reflective of society.
The Institute’s Women in Cyber have produced a series of webinars on a variety of topics covering diversity and inclusion. Available to members, CIISec adds new webinars regularly to promote women in the industry.
Additionally, the institute has its Diversity & Inclusion Steering Committee chaired by Nina Paine. As a member of the committee, Finch explained her dedication to promoting diversity in her industry: “It’s ridiculous that the industry and profession don’t reflect society and I want to change that. I am in a position where I have a voice that I need to use.”
In order to address this gender imbalance in information and cyber security, Finch explained professionals need to share what can be gained from a career tackling security challenges. She said: “Something we need to do a lot more is getting out to schools and getting out career advisors, parents, sort of anyone that will listen with us for five seconds to say that this is actually a really interesting career.”
Keen to collaborate with others looking to promote different diversity initiatives and challenges, CIISec has been trying to signpost other people’s diversity programmes. This is to celebrate what others have been doing rather than replicating it themselves and avoid reinventing the wheel. Finch explained: “I think the problem we've got at the moment is that there are so many initiatives out there that actually it's a bit of a crowded space. Some are better than others and some target different areas.”
Tackling staff shortages to reduce burnout
With these diversity issues in information and cyber security comes another issue, staff shortages. Keen to address challenges within the industry, CIISec conducted a survey that showed staff shortages are a big issue, it can lead to burnout and result in more people looking for opportunities in other industries.
“The biggest challenge is people,” Finch said.
“It’s about having enough people working in the industry. The survey showed we’re getting better at dealing with incidents. But, it’s really about people, that there aren’t enough people and we have to address that shortage. We need to think out of the box about how we do that, it may be upskilling security champions within the business rather than having a big security team,” she added.
Not only has the pandemic catalysed the significance of these issues but it has also created new problems for professionals in the cyber and information security industry. With people working remotely, employees are exposed to new risks and cyber professionals have become increasingly busy targeting these. Due to this increase in challenges, Finch explained that CIISec is seeing burnout from professionals working in this space.
Finch explained: “The reason that people leave roles and stay in roles is really about being valued and being developed. Although leaving jobs for more money is a big factor, people actually leave if they’re not being developed, they’re not being managed, or given the scope to use their flair.”
With staff shortages leading to increased demand for those already working in the industry, there is little time for development leading to dissatisfied employees. Due to this, Finch explained that CIISec is encouraging organisations to look at existing employees and see how they can be utilised to boost their own cyber and information security teams. They encourage this while simultaneously developing employees that may feel like they could do more within their roles.
Looking to the digitalised future
When looking to the future, Finch explained the rapid speed of change in technology is going to dramatically change the landscape that cyber and information security professionals operate in.
“So what we need to do as professionals, what we've always done, is harness the tools that are out there,” she said. Adding a caveat to this, Finch warned against the wrong use of some technologies to support information and cyber security professionals, such as AI and automation, as this can lead to additional challenges.
As the cyber and information security industry has been constantly evolving, Finch discussed professionals working in this area and highlighted their adaptability as they have had to be reactive to changes as and when they occur.
“Information security problems will always change, they won’t get easier. There will be some things that get easier only because we’ve got more experience dealing with them,” said Finch.
Looking specifically at what the Institute is aiming to do over the coming years, Finch explained: “We need to keep looking at the new skills needed and develop those skills as the landscape changes. That’s one of the reasons that we put an awful lot of emphasis on continuous learning because it never stops.”