The expert view: Fixing the UK cyber skills gap
11 September 2017
The UK is suffering from an intense shortage of cyber security professionals. And the skills gap is only set to get worse.
Back in 2014 Cisco warned that there was a global shortage of 1 million cyber professionals, and some estimates say the shortfall will rise to 1.8 million by 2022.
The shortage is particularly acute in the UK. Judging by the level of interaction with recruitment ads (only 30% of job posts get a click compared with 60% in the USA), the UK has the second worst cyber gap in the world.
So why is there a skills shortage?
Fourteen senior cyber security professionals attempted to answer this question at a breakfast briefing at the Goring Hotel in London on the 7th of September, sponsored by TEISS cyber security and hosted by cyber security writer and consultant Jeremy Swinfen Green.
Education, skills and cyber security
The skills shortage, perhaps unsurprisingly, seems to be caused in large part by education. It’s education at school, where there is an insufficient focus on computer skills (let alone on keeping safe online), compounded by a lack of support from teachers and parents.
And it is further and higher education, where the type of training offered simply doesn’t match industry requirements. At universities, cyber security is often treated as an engineering problem when it should be treated as a business issue with a deep understanding of risk management baked in. It is treated as a theoretical issue when the focus should be on solving real life situations.
The same isn’t completely true of the UK’s apprenticeship standard where there are two specialisms, technologist or risk analyst. However, even here the risk analyst specialism focusses largely on risk assessment, security policies and incident response with only a small part of the standard addressing business culture and nothing on wider business issues such as the need to balance cyber risk against the cost of defence in terms both of money and employee convenience.
In other words, while people pay lip service to the idea that cyber security needs to concentrate on technology, process and people, the reality is that the educational spotlight tends to centre on technology.
Diversity drives information security
There are other problems though, and diversity is one. Only about 15% of the cyber security workforce is female, for instance. This is perhaps a reflection of the way cyber security is treated as an engineering issue rather than a business issue.
Diversity is important. Even if we accept that men and women have exactly the same strengths and are equally capable of, and comfortable with, dealing with the very different areas of data analysis and people management, the fact remains that men and women often have different life experiences. These different life experiences offer different insights into cyber security. And so do the different life experiences of different age and cultural groups.
Without diversity we can never hope to understand why cyber security breaches happen and how they can be managed.
Avoiding a blame culture
For those few who decide they want a career in cyber security further hazards await. The default approach of business is “hire and fire”. Hire someone with the right qualifications and then fire them when a breach happens.
This blame culture is hardly conducive to building a confident set of industry professionals. There seems to be little understanding that, while breaches can sometimes occur because security professionals are negligent, most occur for reasons that would be hard to predict or in ways that are (given available resources and existing technology) impossible to defend against.
Businesses also seem to be weak when it comes to retaining staff. A high turnover of security professionals in an organisation means that no one stays around for long enough to learn how a particular organisation weakens its own defences and what can be done about this.
A failure to train staff continuously (after all threats evolve continuously) combined with a failure to offer them genuine career paths (where do you go after CISO?) and a failure to offer long term incentives, means that many people will substitute the additional money gained by changing jobs for real career development.
Another problem is the limited access to the profession. There is no “silver bullet” for cyber security skills, no one set of skills that will make people a perfect cyber defender. And the default requirement, all too often, is for people with high level IT skills. The industry seems to ignore the fact that many other skills are often highly transferable. (An exception perhaps is that the skills learned in the military are often regarded as being appropriate for cyber security work).
Would a health and safety or engineering professional made redundant from the oil and gas industry have anything to offer cyber security? Almost certainly. Would they get an opportunity to demonstrate this? Almost certainly not!
Perhaps the industry needs to take note of the German experience where it is acknowledged that Data Protection Officers (DPOs) who advise organisations on protecting personal data can come from many backgrounds.
And if DPOs, then why not cyber security professionals?
In fact personal qualities, rather than technical skills, are probably more important for many roles in information security: curiosity and problem solving, combined with ethical courage and a deep understanding of risk management.
That is certainly true of the people tasked with protecting information in small and medium sized organisations. Where there are only one or two people in the cyber team, those people must have a very wide range of skills and knowledge. And crucially they must be people who understand how their organisation works.
Prejudice in HR
That won’t be true for all organisations however. In banks and major retailers, security teams may be large and full of people with different talents and personality. And here we come up against another problem: the HR department.
Many people would argue for “neurodiversity” in large security teams. The role of specialist analysts may well be performed best by people on the autistic spectrum. (GCHQ joke: You can tell the extroverts here. They look at the shoes of the person they are talking to rather than their own shoes.)
The trouble is that HR people rarely warm to people who are not communicative and confident. “We can’t employ sociopaths,” they say.
Why not, if the role is right for them?
Getting cyber recruitment right
It is difficult. Cyber security is a profession that is poorly understood by many, including most cyber security professionals. So it is hard for other professionals to understand who would make the best person for the job.
But understand we must. And as part of our understanding we need to accept two key things: the importance of diversity; and the value of transferable skills learned in other roles. Until we understand these two basic concepts, we will continue to be faced with a cyber security skills gap.