Last year, the Government’s Security Breaches Survey found that 81 per cent of large companies had reported some form of security breach, costing each organisation on average between £600,000 and £1.5 million.
The reality is that the number of cyber security threats is continuously on the rise. The increase in basic and complex attacks on businesses is driven, in part, by an increased availability of underground offensive security technology.
Fully developed and tested malware, remote access tools, and other malicious toolkits are readily available for free or for rent on the black market. Most basic attacks do not even require a large amount of research or skill to implement, and are broadly applicable to a wide range of users or software.
Cybercrime professionals in short supply
In the face of this ever-growing threat, the 2015 Global Cyber security Status Report by ISACA found that a shocking 87 per cent of UK business and IT professionals believe there is a shortage of cyber security professionals, and furthermore, only 34 per cent of these professionals believe they are prepared for a cyberattack. It is clear that the need for skilled workers is greatly outstripping supply. This is reflected in practice, with companies reporting that it can take as long as six months to find the right person for a role in the cyber security sector.
A major reason for the shortage of people pursuing a career in cyber security is a simple lack of awareness, partly caused by the absence of appropriate education in universities, making it difficult for young people to see cyber security as an accessible career. This is something that the government has already recognised with several schemes, such as the Cyber Security Challenge UK, which aim to recognise and encourage cyber security talent at a young age.
Cyber security education in universities
Currently, traditional computer science courses do not have enough practical work, or discussion of career options and their requirements, creating a gap between education and the workforce.
One way to fix this is to make university programs more hands-on and practical and incorporate actual IT work. This could be done in partnerships with cybersecurity companies who could be enticed to offer students real-world case studies in return for the chance to meet new and emerging talent.
Universities should offer students the experience that lets them make an informed decision about the sector of the IT industry in which they wish to work. Universities could then set up specialised streams for the last one or two years of a degree which would help those students specialise in that area and shorten the gap between graduation and entering the workforce.
New breed of apprenticeships
The subject of apprenticeships is often brought up as a solution, but this raises some practical difficulties. Many apprenticeship schemes are aimed at people from the age of 16 onwards, and unfortunately it would be very hard to employ someone at this age who has no existing computer science or network management background and turn them into a valuable asset on a cybersecurity team.
This isn’t to say that it would be impossible, but due to the high skill level required even at entry level, apprentices and new starters pose a challenge. A large amount of investment and pre-planning would be necessary to make them a trusted part of a team where mistakes can cost clients millions. The reality is that this approach only makes sense for companies where training will be a repeated activity, meaning there is a strong case to establish a formal training programme. This would apply to companies with high recruitment and turnover rates but also to companies aiming to be more efficient in bringing new employees up to speed.
However, a form of apprenticeship does already exist within the industry, mostly due to the skills shortage itself. As it can be hard to find the right person for the role, employers will often hire more junior people whose skills do not necessarily match the role and rely on their existing team to train them to match their new position. If you establish teams with strong leadership then this style of apprenticeship can be very effective, but the reason you are doing this – the skills shortage – can often make it difficult to establish a team capable of running this training in the first place.
One solution for mature companies would be to establish an apprentice/graduate training programme which would see a team dedicated to training being created. The benefits would be fresh minds tailored to the roles you require, who already understand your company processes. It is possible that something akin to legal training contracts could work in the cyber security sector, with candidates committing to a longer-term contract in exchange for their training by the company.
You could embed new employees within each specialist team in rotation and they would learn specific skillsets in bite-size chunks. This approach would be highly effective but needs to be approached as part of a structured training programme, to ensure that the candidates acquire the necessary skills at each stage. This requires company-wide dedication to the training of new employees, as it will draw on established teams who have the resources to teach, train, and review new entrants on an ongoing basis.
The proactive response
With more than 2.5 million incidents of cybercrime in the last year alone, businesses can defend against these attacks if they have the correct skills base employed to deal with them. Universities are failing to bridge the gap between computer science and cyber security and there are many difficulties when it comes to training people in the field. This is a concern the entire cyber security industry must work together to address by being proactive and considering where their next wave of talent is coming from; by reaching out to a university, or taking on a trainee, companies can help to reduce the ever-widening gap between threats and defence.
With Gartner predicting that worldwide information security spending will increase 4.7 per cent from last year and reach as much as $75.4 billion in 2015, it is up to us, information security professionals, to ensure the future of our own industry and take full advantage of this growth in spending.
With hard work and commitment to new talent, we will hopefully be able to nurture the innovative minds of a generation immersed in technology to protect against the growing threat from cybercriminals.
Elad Sharf, Security Research Manager, Performanta Ltd