While attacks on information networks are becoming more common, the proliferation of such networks is posing cyber security challenges of its own.
In a research project completed in January, VTT and Cyberlab Ltd explored the level of Finnish cyber security expertise and the related short-term needs. VTT Research Scientist Anna Leinonen notes that it is easier to bring society grinding to a halt than before, due to its greater dependence on technology.
“We refer to this as hybrid warfare. The global situation and relations between the major powers have reached the stage where we can expect instability to increase,” she says.
Leinonen and her colleagues do not engage in predicting future technology trends – their work has a broader, social and societal focus. They chose stakeholder workshops as their research method; in these, representatives of the business community, research sector and public administration examined the future within their own reference groups.
“The importance of leadership skills was one of the interesting issues raised in the business community workshop. Managers are not necessarily aware of the pressure points in cyber security. On the other hand, the critical nature of civic awareness and orientation in information security was raised,” Leinonen recalls.
Security requires able management
This means that cyber security requires a critical attitude and knowledge in support of decision-making. Senior Scientist Antti Pelkonen points out that the report highlighted the importance of a vision that extends beyond technical expertise. As digitalisation progresses, the need for cyber security is becoming more pervasive in society.
“Strategic management and leadership of cyber security, as well as the related legal and financial expertise, are needed,” he states.
The companies gave a clear signal that talent is in short supply. Pelkonen notes that six out of ten of the company representatives said that there was a shortage of talent.
“Companies and public sector actors had already been experiencing problems in recruiting, which shows that a skills shortage is already with us.”
Pelkonen refers to F-Secure as the best-known Finnish pioneer in this area. He adds that mobile information security expertise can be found in both the private and research sectors, particularly at Nokia. He regards cryptology expertise as being at a very high level in the research sector, but notes that it is dependent on just a few researchers.
“In Finland, the research side has been growing strongly but within narrow areas at the highest level, which are often dependent on individual researchers or research groups.”
On the other hand, Pelkonen notes that a relatively large number of people are employed by cyber security companies in Finland. These include successful growth companies with clear strengths. Pelkonen believes that cyber security involves a commercial and economic dimension, as well as public safety.
“This is a fast-growing sector internationally, in which Finnish companies have many opportunities,” says Pelkonen.
Top expertise resting on just a few shoulders
World-class research in the sector is often limited in scope and the overall volume remains relatively small. Pelkonen calculates that Finland has around a dozen professors specialising in cyber security.
However, research is being conducted on a broader scale in practice.
“As cloud services become more common, ensuring the protection of privacy could become problematic, and the intelligence of products based on IoT solutions is so low that they may have no spare capacity for the implementation of information security.”
Finland has skill gaps as well as high cyber skills. We know how to develop technologies, but not how to sell or buy them.
“The management side is affected by a lack of understanding of the risks involved, while the skills gap in the public sector lies in procurement. Technical expertise is also needed in purchasing, so that rational objectives are drawn up when planning the tendering stage,” says Leinonen.
Leinonen points out that the innovative purchasing principle should be applied in cyber security tendering processes.
“This would also provide references for companies. However, buyers will need certain skills when formulating calls for tenders, which include the idea of developing something new as well as just buying something.”
Pelkonen calls for a type of cyber security leadership which dovetails a diversified strategy with multi-disciplinary skills. However, Leinonen observes that the roots of multi-disciplinary skills lie in familiar ground. She points out that a blend of mathematical and technological expertise forms the basis of the business sector in Finland.
“We need to secure such expertise if we want to succeed in the sector. Technological know-how has been traditionally strong in Finland, but it could rapidly disappear if education is starved of resources,” Pelkonen says.