How can we solve the cyber security skills crisis?

It’s no secret that there’s a huge shortfall of talent in the cyber security industry. The number of people entering the industry is not at all proportionate to the volume of threats that continue to target users across the globe.

According to a report released by the UK government’s Department for Digital, Culture, Media & Sport in March of this year, in order to keep up with demand, the UK should be attracting over 17,000 new people annually to cyber security jobs. Unfortunately, the current figure only stands at 7,500.

As threats grow and evolve, so too does the technology developed to combat them. Because technology is constantly changing to keep pace with the sophistication of cyber criminals’ tactics, an individual’s previous education, certification, and training may not align with current threat trends, and it takes time for security professionals to learn the latest technology and gain new, specialised skills.

With this understanding, it’s not surprising to learn that 50% of all businesses in the UK have a basic cyber security skills gap. This means these businesses don’t have the internal skills necessary to carry out the tasks outlined in Cyber Essentials.

What are the consequences of this gap?

Without a steady stream of new people entering cyber roles, organisations will struggle to achieve cyber security maturity. Currently, 45% of all businesses have just one employee tasked with managing all of their cyber security. In addition, nearly 9 in 10 staff carrying out cyber functions in the private sector have taken them on from an existing, non-cyber role.

Without a robust team of experienced security professionals, UK businesses will be easier targets for cyber criminals and will struggle to keep up with the digital world, resulting in the loss of money, sensitive data, and brand reputation. In fact, 71% of employers already believe that the talent gap has caused direct, measurable damage to their business and growth plans.

The shortage has also made it harder for smaller organisations to compete. In a review of the skills shortage across the EU, it was found that larger, wealthier organisations snatched up much of the talent in the market leaving “smaller companies and non-profit organisations struggling to attract the knowledge and skills that would allow them to run their business safely.”

In our current digital landscape, we can’t allow smaller businesses to fall behind simply because there aren’t enough security experts available for them to hire.

So, what can we do to close it?

There are multiple approaches that address the problem from different angles including exposure, education, training, and recruiting. All these perspectives are important for driving more people to the industry, ensuring they have the right skills for the job, and sustaining a pool of qualified cyber security professionals in the future.

1. Exposure

Getting kids interested and excited about cyber security is the first step to cultivating a pool of future talent. A number of organisations in the UK run programmes to attract young people to cyber security activities. One such organisation, Cyber Security Challenge UK, was founded in 2010 and aims to find and nurture cyber security talent by running events, competitions, and games across the country.

Its Executive Chair Dr Robert Nowill, who previously served as a cyber director at BT and GCHQ, says Cyber Security Challenge UK’s mission is more critical now than it was in the beginning. He commented,

When we were created, it was all about working with the skills agenda of the government at the time to get more people in [the cyber security industry]. We knew there was a skills shortage then, and now I could say exactly the same thing.

Through Cyber Security Challenge UK’s roster of events, such as CyberCenturion, a team-based competition for 12-18-year-olds, and CyberLand, a series of online games to introduce kids to key concepts in cyber security, the organisation hopes to inspire the next generation of cyber professionals.

We can’t talk to every child or every prospective cyber security professional in the UK individually, but it’s just laying out a carpet of things to make them interested in the hope they come back to us and have got enthused.

Cyber Security Challenge UK also hosts university networking events, career fairs, organisational training days, and more to help nurture talent and attract new people to the industry. These kinds of efforts are important because, in order to fill the skills gap, we need to make sure people are aware of the career possibilities available to them, even if they come from outside the industry or from non-traditional educational backgrounds or disciplines.

Initiatives such as these will help feed the talent pipeline, ensuring that more people enter cyber security education programmes and, further down the line, the industry itself.

2. Education

Education transformation will not happen overnight and it’s going to take cyber security champions inside institutions to get the ball rolling initially.

I think at school, it depends very much on whether you’ve got a keen teacher. Not all schools have someone that keen because quite simply there aren’t enough hours in the day,

says Dr Nowill. However, he says once there’s a champion inside an organisation, more cyber skills start being added to the syllabus, even at primary level. “Anything is better than nothing…it’s moved on from just ‘Can you use Word?’ to ‘Do you have an appreciation of basic coding?’”

To help accelerate this process and bring cyber security into more curricula, the NCSC supplies a set of resources for schools to help provide training and guidance to governors, trustees, and staff. In addition, its CyberFirst programme provides bursaries, free courses, and competitions for 11-17-year-olds. As part of this, the NCSC continues to develop its CyberFirst Schools/Colleges scheme, which aims to encourage “young people to engage with computer science and the application of cyber security in everyday technology.” The scheme allows the NCSC to accredit schools that have adopted a structured approach to cyber security education.

In terms of higher education, universities need to ensure their curricula keep pace with the demands of the cyber security industry. Employers have stated that they feel current graduates don’t have the right practical skills or fully understand the fundamentals of a career in information security, and that cyber security education programmes don’t meet the needs of their organisations.

“We not only have a shortage of the highly technically skilled people required to operate and support systems already deployed,” say Franklin K. Reeder and Katrina Timlin in their research on the skills crisis, “but an even more desperate shortage of people who can design secure systems, write safe computer code, and create the ever more sophisticated tools needed to prevent, detect, mitigate and reconstitute from damage due to system failures and malicious attacks.”

However, it should also be acknowledged that, although courses should be kept up to date, no single programme can cover every specialty area and specialised skill employers may be looking for. It has been suggested that cyber security courses should be designed according to career objectives, whether that be academia, industry, or government. Those wishing to enter industry should be taught more technical, hands-on skills to better prepare them for their future careers.

Employers should also build relationships with local colleges and universities to share their critical workforce needs and what they’re looking for in potential employees. By working together, employers and educators can ensure courses align with the industry’s needs.

3. Training

One of the most important elements in developing a pool of cyber security talent that fits an organisation’s needs is ongoing training and development. Dr Nowill said,

Recruiting well qualified and accredited cyber security professionals is very expensive. The best thing to do is bring in talent that’s emerging and train them yourself. It’s easy to say and hard to do, but if the companies need somebody to do their IT security properly, unless they want to outsource of course, they need to get somebody in. Also, the investment in emerging talent is a good investment for the long term since those people are a bit more sticky. Cyber security professionals tend to move around a lot, but if you’re growing and you’ve been trained by someone, you tend to be a bit more sticky and stay a few more years.

Organisations should also consider establishing internal retraining programmes to pull talent from other areas of the business to fill their shortages. This would allow for a more consistent stream of talent and open new career paths for those who may not have considered cyber security previously.

Training should also not be limited to the cyber team alone if an organisation hopes to achieve security maturity. This bears repeating: only 10% of all businesses have provided cyber security training to their wider staff in the last 12 months.

4. Recruiting

The pool of candidates recruiters can draw from is limited, but recruiters also can’t expect to find one person who will solve all their problems. One recruitment agent said that they considered over 30% of new cyber job postings “unfillable.” This is because employers tend to overestimate what one person can do, or expect candidates to have in-depth knowledge across the entire cyber security spectrum. The result is unrealistic job adverts that request every cyber qualification imaginable or try to recruit for two or three jobs in one.

Hiring managers need to ensure they’re familiar with the various qualifications and career pathways candidates may have, and with how these are relevant to different roles. They should also work to understand exactly how much capacity each member of their cyber team has, and should not expect one person to have every skill they may be looking for.

What else should be considered?

Staffing issues are usually exacerbated by the fact that boards and IT teams may not have an appreciation of cyber security or recognise how critical it is to the future of their organisations. This can lead to poor retention of cyber staff, a lack of investment in cyber, and minimal training opportunities. Once organisations accept that cyber is a business risk, not just an IT problem, more focus can be put on training, recruiting, and working to discover new talent.

If an organisation is facing a tough skills gap and has neither the ability to train its current staff nor the budget to recruit additional skilled security engineers, outsourcing is a good option. Outsourcing can expand cyber capacity and help fill in specialised skills that the internal team may be lacking.

This is especially helpful for incident response, which can be challenging for organisations with minimal cyber resources. In fact, of the 38% of organisations that currently outsource some aspect of their cyber function, 82% have their security partner handle incident response and recovery.

However, if the industry can’t attract more would-be cyber security professionals, managed security service providers will soon begin struggling to find qualified employees as well.

In conclusion, what recommendations can we take away from all this?

  • The need for cyber security professionals is growing at a much higher rate than the number of people entering the profession. We need to attack the problem from multiple angles to make up the shortfall.
  • By exposing students to cyber-related activities from a young age, the industry can get kids more interested in careers in cyber security.
  • There are multiple pathways into cyber security. Anyone interested in a career in cyber should look at the career options available to them, even if they have a non-technical background.
  • Education will take time to evolve, but organisations can work with educators and the NCSC to shape new curricula and champion efforts like CyberFirst Schools.
  • Internal training should be adopted to allow people to develop their skills and to create a pipeline of talent for organisations. Retraining programmes can also help to bring over trusted talent from other areas of an organisation.
  • Hiring managers need to adopt more realistic hiring standards. One person will not be able to meet all of an organisation’s cyber security requirements, and management needs to understand what roles an employee can realistically perform.
  • Continue to educate boards about the risks of neglecting cyber security and why it is not just an IT problem but a major business risk. This will allow for more investment in cyber security talent and training programmes.
  • Outsourcing may be a route to consider for organisations that cannot hire more cyber security staff in-house, especially those that lack incident response capabilities.