In the UK, we are currently experiencing a large cybersecurity skills gap. Although businesses are becoming far more reliant on technology, there are not enough trained professionals to meet this demand. Allison Jones, our Talent Acquisition Specialist, explores how much of a problem it really is, and what can be done to address it.
What is cybersecurity?
Cybersecurity, computer security or information technology security is the protection of computer systems from the theft of, or damage to, hardware, software or electronic data, as well as from the disruption or misdirection of the services they provide.
Why is it so important?
As the world becomes more reliant upon tech, UK industry has never required such robust and secure systems. Despite this though, a government report published in 2018 revealed that more than 50 per cent of UK businesses have a “basic technical cybersecurity skills gap”. 51 per cent of respondents accepted that they were not confident in carrying out a cybersecurity risk assessment. In addition to this, 47 per cent of respondents felt they lacked confidence in developing security policies. The audit also revealed that just under half of all the businesses felt they were not sufficiently skilled to work on a cybersecurity breach or attack.
Perhaps more significant, though, was the inability to perform more high-level technical tasks. Around three in five businesses reported being unconfident in their ability to conduct penetration testing or perform forensic analysis of their own data. The cybersecurity skills gap is putting many businesses at risk from cyber-attacks, as they simply do not have the staff to deal with them.
How does this impact UK enterprise?
This lack of security confidence has alarming implications. Here in the UK, enterprise faced an average of around 146,000 attempted attacks between April and June of this year. This works out to be one attempt every 50 seconds.
Off the back of these results, the UK government has recently announced plans to conduct a second audit into our nation’s cybersecurity workforce.
Ipsos MORI will carry out the survey of private business, public sector organisations and charities. It will focus upon issues around the employment and training of cybersecurity professionals. It is the hope that UK enterprise will have addressed the cybersecurity skills gap amongst its workforce as identified by last year’s review.
However, if respondents are still facing the same issues and report the same shortfalls, it is clear that the way in which companies recruit and train cybersecurity professionals needs to change.
What can be done to improve the skills shortage?
An Improved Recruitment Process
There is a consensus that the tendency to generalise has limited the effectiveness of cybersecurity recruitment. There is no one type of security attack and as such, hiring the right cybersecurity professional needs to be just as nuanced. For example, an expert in cloud security may not be so advanced when considering IoT or app security.
According to the 2018 study, 46% of businesses write the term “cybersecurity” into job descriptions. Generalising the term in this way has been thought to limit the hiring process, the performance of these individuals and indeed the security of the organisation looking to hire.
Instead, it is essential that the job description be specific about the role. The hiring team need to be knowledgeable about the requirements of the position and the cybersecurity ecosystem as a whole.
What needs to be changed?
While it is encouraging that almost a third of businesses have tried to recruit for cybersecurity roles in the past few years, it is the embedded legacy of human resources which has proven to be most disadvantageous. It is understandable that in-house HR departments are eager to get involved and manage the process. However, these teams may be uneducated in the finer detail. The result is that the hiring process becomes a box-ticking process, one that is overly dependent upon credentials and accreditation.
Whilst these certificates may be worthwhile, they do not necessarily indicate that a candidate is the best fit for a role. They often fail to take into account some of the ‘soft skills’ required to perform effectively. For example, technical language can be very alienating to the vast majority. The ability to communicate risk to the rest of a business in a relatable, clear and non-technical way is crucial. A failure to be able to do so has the potential to impact the safety of an organisation.
The threat landscape is always changing and as a result, certifications can become outdated very quickly. There are also many talented professionals in work who don’t have the time or resources to throw at accreditation.
One solution is for HR teams to identify talented candidates and, working alongside experienced security experts, upskill these individuals as per the requirements of the role. This would go a long way to address the cybersecurity skills gap. Of course, it has its own challenges though…
An Improved Education System
The UK higher education system is being placed under increasing levels of scrutiny…especially those routes which support alternate career paths. According to Paul Johnson, Director of the Institute for Fiscal Studies, the lesser-known but in-demand career paths are seriously underfunded. Unsurprisingly, the cyber industry is one of the greatest victims of this lack of funding. Cybersecurity is growing in both demand and complexity, yet it still receives less funding than its more-traditional counterparts.
On top of this, government spending per higher education student has fallen since 2010. These factors combined make the forecast even more cloudy for the recruitment of a robust IT security workforce here in the UK. The cybersecurity skills gap will continue to grow if funding is not available, and organisations do not invest in it.
An Improved Training Programme
This lack of formal “education” for cybersecurity professionals means that UK industry is having to find alternate routes to upskill its teams. Many training courses tend to be classroom-based and as such are pretty stagnant. Yes, these techniques are tried and tested, but this method does not always lend itself most effectively to the always-evolving landscape of cybersecurity. The prescribed approach doesn’t provide the hands-on, ‘on the job’ skills required to test and develop high-performing cybersecurity professionals.
Instead, industry experts have called for a move toward a more practical approach as a response to the ‘hacking’ and inquisitive ethos of the discipline itself. In this situation, professionals are able to witness just how destructive these threats have the potential to be. They are then able to dissect them and can see in detail just how they operate. This approach also requires creativity; one that experts believe is lacking within a traditional classroom environment.
An Improved Governmental Approach
The Department of Digital, Culture, Media, and Sport (DCMS) recently implemented a new campaign to attract a diverse and wide range of talent into the world of cybersecurity. The Institution of Engineering and Technology (IET) was selected to assist in the design and delivery of a new UK Cyber Security Council, a body that was to assess and consider the prevailing professional landscape.
Its goal is to develop an accessible career path appealing to those who wish to enter the workforce.
This initiative is certainly one that can build and drive careers. It’s undeniably a welcome addition towards building a robust cybersecurity talent pool. Having said that, though, there is certainly an argument to suggest that the long-term solution to the skill shortage is to address it from the root.
What do the government suggest?
Simon Edwards, IET Director of Governance and External Engagement stated:
“It’s fundamental that cybersecurity is seen as a nationally recognized and established profession with clear career pathways.”
Nigel Adams is the UK’s Cyber Security Minister. It’s his belief that the initiative demonstrates the government’s commitment to assuring the UK’s cybersecurity industry, one that has a skilled and diverse workforce fully equipped to deal with any impending threats. It is also his belief that the newly formed Cyber Security Council facilitates a clearly defined path for those wishing to join the profession.
There has also been a clear plan put in place for the UK Cybersecurity landscape once the UK leaves the EU in October.
The government looks set to publish the results of this latest research in December. Following this, it is expected they will propose further solutions to narrow the skills gap. This is crucial if the UK wishes to retain its crown as one of the world’s most agile economies.
How urgent is the problem?
The number of UK businesses reporting cyber incidents rose from 45 per cent in 2018 to 61 per cent in 2019. As such, there is a clear requirement to address the gap.
To protect the UK, there needs to be a multidisciplinary approach, one that considers education and training, funding, recruitment strategy and cultural mindset in equal measure.
The threat across the broader landscape is so great that the global cybersecurity market was reportedly worth around $152 billion in 2018. Within a few short years, it is estimated that this figure will reach a massive $250bn.
The growing threat is in part down to the growth of cloud computing and connected devices. The sheer number of connected devices permeating homes and offices has created an opportunity for companies that offer tools to protect these various endpoints.
Endpoint protection is a hot topic within cybersecurity. You only have to look at the recent acquisition and funding activity to get an idea of the scale of the growth. CrowdStrike recently hit the public market, while SentinelOne closed a $120 million funding round. Shape Security has also raised $51 million at a $1 billion valuation as it prepares for its own IPO.
Of course, there are some industry big hitters throwing their weight around too. Microsoft, Cisco, Intel, Trend Micro, and many others are all wading in on the debate.
What is Ignite Digital Talent doing to help?
Of course, the technology is important but, as we have identified, skilled personnel are vital in the deployment of these systems and security applications. Perhaps in evidence of this, we can look at BlackBerry, which has recently enjoyed a reinvention from phone maker to cybersecurity specialist. It acquired AI-powered cybersecurity startup Cylance back in November 2018, and is using this partnership to support an innovative R&D Lab housing a stellar team of researchers, security experts, software developers and architects.
Each week, we use Our Week in Digital to bring you the latest news from across the tech and digital world. Our latest edition highlights all the nuggets of cybersecurity news hitting the headlines in recent weeks. If you are interested in the wider debate and the very real implications of cybercrime, click here to read what our Client Relationship Director, Miles has picked out as his top stories.
Closer to home, Ignite Digital Talent is partnering with some innovative and progressive companies, helping them to address their cybersecurity requirements. Over recent months we have placed professionals covering roles across the entire ecosystem. If you are looking to strengthen your IT Security workforce or are a cybersecurity professional looking for your next role, we’d love to talk to you.
Reach out to our industry-respected recruitment partners today.