Written evidence submitted by (ISC)²

 

(ISC)² is an international nonprofit membership association focused on building a safe and secure cyber world. We have more than 300,000 members, associates, and candidates, globally, with over 45,000 in the UK. Our membership consists of certified cybersecurity professionals responsible for securing our governments, economies, critical infrastructure, and personal information.

(ISC)² welcomes the opportunity to offer insights on the DCMS Select Committee’s inquiry on smart and connected technology. (ISC)² contends that the net economic and societal impact of IoT is positive, whilst also acknowledging the risks (more opportunity for cyber attacks and privacy breaches) associated with a proliferation of connected technology. In this summary, (ISC)² offers its views on the opportunities smart technology creates for the UK, and recommendations to alleviate the vulnerabilities stemming from the production and use of these technologies.

Seizing the Opportunities

Job Creation: Growing adoption of connected technologies across multiple sectors will drive the need for skilled people to design, develop, and maintain these products, generating increased demand for professionals in IT and adjacent fields such as cyber, data, and artificial intelligence. This will create new roles and an increased demand for high-skilled professionals.

Growth in skills economy: This changing employment landscape offers the UK public and private sectors an opportunity to create a high-skilled, regionally distributed and diverse workforce to ensure that UK businesses can continue to innovate and grow.

Increased global competitiveness: Capitalising on opportunities for new product development and service delivery for a tech-enabled future will not only lead to a more sustainable economy but will also strengthen the UK’s position in a competitive global technology market. Whilst celebrating the UK’s leading tech position in Europe, and its strength globally[1], it should also be acknowledged that there exists a significant opportunity for the UK to accelerate its smart technology market.

Mitigating the Risks

Expanding and enhancing the cyber workforce: It is clear that the economic and societal gains described above will not be realised without the right people, especially in IT and cybersecurity. Specifically, in cybersecurity, the UK currently has an unfilled demand for 56,000 professionals, a 73.4% increase over 2021[2]. This shortage of cybersecurity staff puts organisations at risk of issues including oversights in process and procedure, rushed deployments and preventable incidents like malware infection and potential exposure. (ISC)² urges the UK government to redouble its efforts to address this significant and immediate workforce gap. As part of our commitment to help close the gap and diversify the profession, (ISC)² has pledged 100,000 free courses and exams to individuals in the UK to support them with skills development for entry- and junior-level cyber roles[3].

Safety and security by design: Smart technology brings to the fore considerations for security throughout the product lifecycle, starting from the design of the product through to point of sale, and beyond. Connectivity amplifies the duty of care manufacturers and distributors have toward the security and privacy of users. (ISC)² applauds the UK’s pioneering role in introducing the Product Security and Telecommunications Infrastructure Act[4] and the government’s advocacy in embedding safety and security principles[5] early in product development. (ISC)² asserts that this legislation and these standards will further generate demand for cybersecurity professionals and urges the UK government to provide employers with access to subsidised training so that businesses can prepare their staff to design and develop more cybersecure products and better protect consumers. Recognising the significance of security by design, (ISC)² developed the Certified Secure Software Lifecycle Professional (CSSLP)[6], a certification that ensures professionals have the advanced technical skills and knowledge necessary for authentication, authorization, and auditing throughout the software development lifecycle.

Privacy and Protection: Connected technologies generate a significant amount of directly relatable data and metadata that, if misused, can harm the interests of users. A fundamental requirement for preventing harm is the provision of robust security – there can be no privacy without security, and all data (even if published) should be secure.

Strengthening the cyber ecosystem: It is true that to protect smart technology from cyber attacks, both suppliers and users will need to be better prepared. (ISC)²’s 2022 Workforce Study shows that 95% of organizations with 100 or fewer employees have no information and systems security professionals at all[7]. This is concerning given many of these small organisations form an essential part of the tech supply chain. NCSC’s cybersecurity guidance for small businesses[8] and its principles for secure design[9] are important contributions to building a resilient ecosystem. (ISC)²’s Centre for Cyber Safety and Education is running a Cybersecurity Health Check programme which enables certified cybersecurity professionals to empower small businesses by helping them understand and minimise their cyber risks[10].

(ISC)² would welcome the opportunity to collaborate with the DCMS Select Committee on developing the most effective policies for optimising the opportunities that smart and connected technologies present, whilst also minimising the associated risks.


[1] DCMS Press Release: https://www.gov.uk/government/news/uk-tech-sector-retains-1-spot-in-europe-and-3-in-world-as-sector-resilience-brings-continued-growth  

[2] (ISC)² 2022 Cybersecurity Workforce Study: https://www.isc2.org/Research/Workforce-Study

[3] (ISC)² initiative: 100K in the UK: https://www.isc2.org/100k

[4] Product Security and Telecommunications Infrastructure Act 2022: https://www.legislation.gov.uk/ukpga/2022/46/contents/enacted

[5] DCMS Secure by Design: https://www.gov.uk/government/collections/secure-by-design

[6] (ISC)² Certification: CSSLP: https://www.isc2.org/Certifications/CSSLP

[7] (ISC)² 2022 Cybersecurity Workforce Study: https://www.isc2.org/Research/Workforce-Study

[8] NCSC Small Business Guide: Cyber Security: https://www.ncsc.gov.uk/collection/small-business-guide

[9] NCSC Secure Design Principles: https://www.ncsc.gov.uk/collection/cyber-security-design-principles

[10] Centre for Cyber Safety and Education: Cybersecurity Health Check: https://www.iamcybersafe.org/s/cyberhealthcheck