Acquiring the skills necessary to implement the UK Cybersecurity Strategy

Acquiring the skills necessary to implement the UK Cybersecurity Strategy

From Philip Virgo, co-founder PITCOM (now PICTFOR), currently Convenor of the Advisory Group of the London Cyber Resilience Centre

I recently compared the approaches to public-private partnership in the new UK Cyber Security Strategy announced in January, with the new US Strategy announced in March.

Neither Strategy addresses the skills for implementation.

But one of the lessons from past industrial strategies around the world is that success depends on using skills currently available to develop those that will be needed at all levels, both quality and quantity, for delivery, including as needs and objectives evolve.

Last year I became Convenor of the Advisory Group for the London Cyber Resilience Centre. In January the centre received Home Office funding for the core team. In February it moved into offices as part of the  Cyber Centre of Excellence at City, University of London.

OECD has just published Building a Skilled Cyber Security Workforce in Five Countries: Insights from Australia, Canada, New Zealand, United Kingdom, and United States . This indicates global skills shortages with almost all players competing for existing staff and neglecting the pipeline of new entrants.

The skills plan for meeting the needs of the world greatest Financial Services and Fin Tech Hub outside North America is therefore at heart of the work of the advisory group. 

So how do we get from here to where we want to be, given that time is not on our side as the UK haemorrhages £billions to on-line crime and loss of user confidence threatens the digital transformation plans of both public and private sector.

First where we have to recognise where we are and the context within which we are planning: including the window of opportunity provided by the processes for producing the Local Skills Improvement Plans that will determine public sector spending on skills until well into the life of the next Government.

  • Most current cyber skills development is done in-house by about twenty five large employers who employ about half the full-time professional workforce. About a thousand organisations employ most of the rest, usually in groups too small for in-house skills development programmes to be viable.
  • Current Cyber Security careers programmes reach barely 2% of schools compared to the 70% reached via the Careers & Enterprise Company careers hubs and advisors.
  • DWP Restart, Home Office Prevent and other adult social inclusion and skills programmes do not have comparable links with employers seeking to recruit diverse (age, sex, social and cultural background) talent for cyber/security roles (whether full or hybrid/part-time).
  • All parts of the UK are tasked to produce Local Skills Improvement plans by end May 2023 for approval and launch in September. That for London is bringing produced jointly by Business LDN, LCCI, CBU and Business LDN
  • In September 2023 the UCAS clearing house for University courses will be extended to cover apprenticeships.
  • The Advisory Group for the London Cyber Resilience, which has its first anniversary in September, has been working on a Cyber Skills for London strategy.
  • The Cyber Security Council, the chartered body for the Cyber profession, is expected to organise skills outreach programmes but, as yet, has no resources of its own.

 Second we have to agree realistic objectives. Those currently proposed are to:

  • Enable current cyber skills programmes to reach the majority of schools in London, not just the current 2%.
  • Extend those programmes to reach those not reached via schools – using youth groups, homework clubs and other social inclusion, remedial education programmes.
  • Extend current cyber career and skills programmes to reach adult entrants and re-entrants, including linking welfare to work programmes to technical and professional skills pipelines.
  • Spread awareness of current best practice in recruitment (including vetting), training, retraining, cross-training and continuous professional development at all levels, including for those already in the work force whose skills need updating and extending.

 That leads to a deceptively simple strategy

  • Use the current window of opportunity (LSIP headline priorities by end March, plans by end May, launch September) to assemble a coalition of those who are willing and able to create one or more linked partnerships to work through existing mainstream careers structures (including Careers Hubs, Restart, Schools Partnerships etc.) to harness the talent of London (all ages) to help meet the cyber, security and safeguarding skills need of London.
  • Build a band-wagon – starting small: with only those who want to work with compatible partners to achieve their own objectives, using their own resources, ignoring organisational, professional and structural boundaries.
  • Scale on success, inviting others to join and claim credit, provided they help.
  • Go with the flow: corporate, political, professional.

 And action plan

  • March/April 2023: Convene round tables (max 25) to identify who is willing to work with who to achieved what.
  • By end April: Identify driving team to agree a portfolio of projects and programmes by end May, for inclusion in the London Skills Improvement Plan (due for launch in September) and the London CRC First Anniversary event (also due September).
  • By end May: initial projects and programme under development, whether or not via LSIP.
  • By end September: initial projects and programmes launched as part of high prpfile events organised by partners

 We are currently (at the time of writing) in the process of discovering whether we have the necessary critical mass, half a dozen employers and a similar number of training providers, to get the band wagon rolling. We are in discussion, inter alia, with several PICTFOR members and, once the band wagon is rolling, will aim to brief London’s MPs on how they can help ensure their constituencies are well served.

And, whether we succeed or fail, part of my own task is to identify potential chairs and member for the London Cyber Resilience Advisory Board which will take over from the current Advisory Group  in time for the September launch events.