The energy industry has intensified its focus on cyber security in recent years in response to rising geopolitical tensions and to infrastructure and assets becoming more digitally connected.
DNV’s Cyber Priority research, which explores the changing attitudes and approaches to cyber security in the energy industry, highlights expectations for increased cyber security spending alongside the ongoing need to attract talent and upskill as we head into 2024.
It takes the right mindset, company culture, and access to skills to ensure increased cyber security budgets translate into greater resilience. Our research finds that energy professionals are deeply concerned about their organisation’s ability to recruit and retain the talent they need to protect themselves from threats, with energy professionals regarding a lack of in-house cyber security skills as the single greatest barrier to maturity in the industry.
While awareness of these threats continues to grow, investment in cyber security services has cooled in some parts of the overall market in 2023 as companies look to cut costs, and this is putting pressure on the workforce in some sectors. Budgets are likely to grow again in the longer term as companies increasingly consider cyber security as a central business risk, with a tightening regulatory landscape in particular set to fuel demand.
DNV’s research suggests that incoming regulation will be the greatest driver of cyber security investment by the energy industry in 2024. In the EU, for example, organisations in the energy sector face tougher regulation in the form of the revised Directive on Security of Network and Information Systems (NIS2), set to be transposed into national laws in 2024. As well as widening the scope of sectors covered by regulation, it increases the required standards of executive oversight and imposes new reporting charges.
For many companies, greater investment will come up against the cyber security workforce gap. In its Cybersecurity Workforce Study 2023, (ISC)2 estimates a global cyber security workforce gap of 4 million people, on top of an existing workforce of 5.5 million. The study finds that since last year the workforce has grown by 9%, but the workforce gap has increased by 13%.
We need to change perceptions and culture in the cyber security industry. To do this, education can play a significant part. Cyber security affects everyone, whether in our personal lives or in the workplace, and dedicated education in schools can help to build more cyber resilient societies. It can also spark interest among young people in pursuing a career in the field. For this, we need to show the many varied careers within cyber security that are not solely technically focused or dependent on a computer science background.
In the energy industry, for example, it is often engineers who are responsible for aspects of cyber security as the industry secures operational technology (OT) – the control systems that manage, monitor, automate and control industrial operations – as well as the IT that all industries rely on. There is also a need for people with non-technical skills in the cyber security industry. We need to attract everyone to realise benefits from more diverse teams and crucially to help address the growing workforce gap.
More can also be done to attract women into the industry. Among under 30s, women represent only a quarter (26%) of the cyber security workforce, according to the study by (ISC)2, and this drops to just 15% of cyber security professionals over the age of 39.
Promoting strong female role models and giving greater visibility to women can play a role. This is not just in company communications and industry events; it’s also about wider media – from podcasts to Hollywood movies. Whether they are soon to enter the workplace or in established careers, greater visibility can inspire women to see a future career in cyber security.
Networking opportunities can help, opening doors, building confidence, and providing spaces to build relationships among women in cyber security, including for mentoring and career guidance.
Beyond attracting talent, continuous training is important for organisations to build cyber resilience, as it requires all staff to act with cyber security in mind. Companies need to resource strategies for effective training, particularly using tailored e-learning, incident response exercises, and modules designed for specific positions.
Information sharing is also essential. There is great opportunity for energy companies to learn from the industry as it shares information. The recent SektorCERT report, for example, provided valuable insight into what happened during an attack against the Danish energy industry, including its coordinated response. Energy companies are aware of the constantly evolving threat landscape, but they benefit from being constantly reminded about the possible attack vectors that they are exposed to.
Cyber security enables much-needed digital transformations in the energy transition and secures the critical infrastructure that we all rely on. We need to better tell the positive story of cyber security and to demystify the work we do, to increase awareness of the importance of cyber security and to make sure that we attract top talent and close the workforce gap for the sake of the energy industry’s future.