Nurturing talent to close the UK cyber security skills gap


As a fast-moving sector that hinges on advancements in technology, it’s almost inevitable that the cyber security industry will be forever chasing a skills gap. This gap is significant, however, and due to the widespread adoption of popular technologies such as the cloud, the IoT, and DevOps, it’s constantly growing. Analysts have predicted there will be a shortage of 1.8 million workers in the information security sector by 2022, a figure that was recently revised upwards from a forecast of 1.5 million just three years ago.

The concern over the size of this gap is such that it was the topic of a parliamentary hearing by the Joint Committee on the National Security Strategy in July, which concluded that the shortage of specialist skills and “deep technical expertise” was one of the “greatest challenges faced by the UK’s critical national infrastructure operators and regulators in relation to cyber security.”

It is clearly becoming increasingly hard to deal with the rising volume, diversity and frequency of high-profile cyber-attacks, such as the recent breach in which the details of 29 million Facebook users were compromised. There is a need, therefore, for those in the IT sector to upskill in order to defend against further attacks and the harm they can cause to an organisation’s operations, its reputation, and its bottom line.

Lack of suitable qualifications

The Joint Committee’s session in July was an important opportunity for industry members to offer their views on cyber-security in general, and the growing importance of cyber-security in Critical National Infrastructure (CNI) in particular. Indeed, the WannaCry ransomware attack on the NHS in 2017 highlighted the risks faced by the UK’s CNI as well as demonstrating the need for greater vigilance.

Also under consideration was the recently introduced Network and Information Services Directive, which has the capacity to impose fines of up to £17 million or four per cent of an organisation’s turnover, whichever is greater, for inadequate cyber-security provisions.

But despite the fact that these increased risks and potential penalties should both serve to focus minds on cyber security, a report by Capgemini revealed that only four in ten employees in any given company will have the skills necessary to tackle the problem. What’s more, a separate report revealed that four in five organisations aren’t able to recruit suitably qualified staff.

Two of the main reasons for this, according to the UK’s National Security Strategy 2016-2021, were the lack of young people entering the profession in the first place, and the absence of established career and training pathways into the profession.

This year’s GCSE results, for example, showed a 16.6 per cent year-on-year fall in the number of students sitting computer-related subjects, and this year has seen a noticeable decline in the number of school-leavers pursuing STEM-related subjects at university.

According to Ciaran Martin, CEO of the National Cyber Security Centre (NCSC), recruiting the necessary deep technical expertise is a “constant and difficult challenge”. Mike Turner, COO of Capgemini’s Cybersecurity Global Service Line, agrees, adding that “spending months rather than weeks looking for suitable candidates is not only inefficient, it also leaves organisations dangerously exposed to rising incidents of cybercrime.”

Complexity and clarification

With the growing sophistication of cyber-attacks making their mitigation more complex than ever, the cyber skillset is continually evolving, and the definition of these skills may require more clarity than has been previously afforded.

Margaret Beckett MP, chair of the Joint Committee on the National Security Strategy, called for more support from the government, saying that “we acknowledge that the cyber security profession is relatively new and still evolving, and that the pace of technology may well outstrip the development of academic qualifications. However, we are calling on government to work closely with industry and education to consider short-term demand as well as long-term planning.”

It’s reassuring, therefore, to see that the Department for Digital, Culture, Media and Sport (DCMS) has published a consultation on the creation of a Cyber Security Council, a single professional body that would aid with this clarification.

It’s important to recognise, though, that keeping skills up to date requires a variety of experience and continual learning and development. What’s more, with solutions such as artificial intelligence (AI) and machine learning (ML) becoming more widely employed to automate the detection of anomalies across an organisation’s network, individuals must be able to work with and programme this technology, as well as interpret and act upon its outputs.

In such a fast-moving environment, in which suitably qualified practitioners are increasingly hard to come by, training or upskilling existing cyber-security experts may be more appropriate than recruitment.

Another option would be for organisations to uncover candidates internally who might have adaptable skillsets. For instance, those who hold positions in areas like network operations, database administration and application development might have complementary and transferable skills that can be translated into a cyber-security remit. Indeed, those that find external recruitment challenging can look to their own workforce and potentially uncover staff who can be upskilled.

Looking farther afield

As the issue appears to be largely universal, a simple first step in upskilling the UK’s workforce is to learn from others, looking at other regions and how they combat the gap in their own cyber skills and knowledge.

Israel, for instance, has a national service scheme which selects the very best cyber talent and uses their skills for the service period before they are placed into industry. Elsewhere, the U.S. employs experienced military veterans to offer cyber-security training and certification, and the Australian government is facing calls to make cyber-security training mandatory for each of the country’s public sector IT workers.

The demand for cyber-security talent is set to grow over the next two to three years, as businesses protect themselves against an increasing and increasingly sophisticated threat landscape while having to comply with new legislation such as the GDPR.

Here in the UK we have a good programme of cyber reservists, but we should now look at how development and nurturing of these skills can lead to better career progression for them, and better protection for our businesses and the precious data they hold. It’s encouraging that government and industry have acknowledged the importance of working together to tackle this critical issue, but there is still more that needs to be done. The stakes are high and getting higher, and we must take action now to embed the skills in our current and future workforce if we are to stay one step ahead of the attackers.

Peter Carlisle, VP of sales, Thales eSecurity