Thanks to Debi McCormack, Sales and Marketing Director at The Cyber Scheme for this guest blog on why the cybersecurity skills gap is a threat to business – and what to do about it. We’re so pleased The Cyber Scheme is sponsoring the Bristol and Bath CyberCon, make sure you’ve got your ticket here.
The demand for cybersecurity skills is on the rise in all sectors, but the supply isn’t keeping up.
The Cyber Scheme is one of only two organisations accredited by the NCSC to offer Government-standard penetration testing examinations – and therefore right at the coalface of addressing the skills gap. You can read more on The Cyber Scheme’s offering here.
With the pace of technology growth, and the pandemic accelerating the migration to home working and cloud-based services, vulnerability analysis experts, penetration testers, Security Operations Centre analysts and threat analysts are in high demand. Managing continual risk day to day within a business is becoming more and more important as threats become more frequent.

It is generally accepted that cyber security personnel must have a reasonable technical grounding and understanding (2-3 years post technical IT role or graduation). After this, skills are developed around policies, processes and procedures (a further 2-3 years), and then onto audit and risk assessment skills (3-4 years). So a rounded, well-established cyber expert, someone we call a “Cyber unicorn”, will have been 6 years in the making, and finding such talent is incredibly hard.
There are plenty of people interested in a career in this field who are already skilled IT professionals, but they are often put off by confusing terminology, a lack of clear career pathways and an unregulated assessment landscape – they don’t know where to start.
Industry can also struggle with the cost of developing new entrants and graduates to meet its needs. Individual businesses have unique and specific technology and security requirements, and it is often hard to justify investing in developing someone when the average time they stay with the business is less than 3 years, and often much shorter.
How can we attract more people into the industry?

Cyber is still seen as a bit geeky and perhaps not the premier profession to be involved in. There is a lot of work to be done in overhauling the image of the industry.
The lack of a defined career path for development and earnings growth probably holds some people back. Providing an unambiguous career ladder for people from all backgrounds, not just computer science graduates, without focussing primarily on how ‘smart’ you have to be, would be a huge step forwards. The landscape a new entrant finds when they look on the internet is confusing, complex and driven by the financial objectives of training companies. We are working hard at The Cyber Scheme to overcome that.
We need to be encouraging uptake of STEM subjects and computer science, and also educating teachers and careers advisors that a career in cyber can be just as rewarding, and lucrative, as one in the more established fields such as accounting and law.
Parents, teachers and careers advisors need to be given the tools to recognise talent in a child, whether it’s coding, gaming or even ‘naughty’ hacking, and be helped by industry in channelling that raw talent into a cyber security career. We are working with local education network groups and providing cyber security ambassadors in secondary schools to help overcome any barriers at school level.
It’s also important to recognise that not everyone is suited to, or wants to go on to, higher education. Apprenticeships and opportunities such as cyber competitions for school leavers need to be developed further in order to attract suitably talented but less formally educated entrants.
What options are there for businesses that are keen to upskill their workforce?
The Cyber Scheme strongly believes that training and accreditation are the way to formalise and regulate careers in cyber security. We are developing internal training schemes that allow larger companies to upskill individuals who already work in IT, giving them the tools and skills necessary to protect their company from cyber attack. This is a much more viable solution than depending on external consultants, who are usually only engaged AFTER an attack.
By involving and educating an existing workforce we can also help businesses economise on external cyber security costs, and hopefully reduce the pressure on pen testing companies, which are in a spiral of wage inflation because of the shortage of skilled staff. For example, if we can train existing staff to understand and manage red teaming exercises rather than rely on a completely external team, they can not only help to recognise threats and mitigate risk but also build resilience through the entire company by understanding the risks associated with areas such as social engineering.
In addition, we offer practitioner training to anyone who wishes to become a skilled pen testing practitioner, which enables them to take exams and become accredited in all forms of ethical hacking, including the CHECK assessments needed to carry out government contracts. If employers invest in their staff by allowing them to take the exams required to further their careers, those staff are much more likely to stay than to be poached by competitors.
We are also developing a range of beginner-level training modules and assessments which will allow smaller companies to invest more modest amounts in training their workforce in specific areas, e.g. cloud or IoT.
How can businesses reduce churn and improve employee wellbeing?
Churn is driven by two things – how valued a person feels as an employee, and how that value is reflected in financial and non-financial rewards when compared with competitors. In many ways, cyber is very much like the medical profession, where you feel as if you are on a perpetual night shift in A&E.
The difference is that junior doctors expect, and are prepared for, long anti-social hours as part of their induction. Ensuring that the people you employ understand the tempo and pace of the work, and that they will be compensated accordingly, will be important. There are many roles within cyber that look much more like a normal office job, but they are often less well paid, so being creative with other benefits (leave, flexibility etc.) might hold people longer.
Accept that in this industry talent will be with you for an average of 2-3 years and plan accordingly. Create ongoing succession and development plans. Develop skills beyond technical capabilities into audit, risk assessment and process fields, so that individuals can see a career progression.

Shona Wright
Shona covers all things editorial at TechSPARK. She publishes news articles, interviews and features about our fantastic tech and digital ecosystem, working with startups and scaleups to spread the word about the cool things they're up to.
She also oversees TechSPARK's social media, sharing the latest updates on everything from investment news to green tech meetups and inspirational stories.