
Cyber security industry key to solving skills gap

In the face of a growing shortage of cyber security skills around the world, the security industry itself needs to do more to attract people

The cyber security industry needs to do a better job of marketing itself, showing what roles are available and making it easier for people to switch careers, according to a panel of industry experts.

By 2022, there will be 1.8 million unfilled cyber security jobs, according to the latest (ISC)2 global information security workforce study.

“In Europe, the shortfall is projected to be around 350,000, with the UK’s share of unfilled cyber security jobs expected to be around 100,000,” said Adrian Davis, managing director for the Middle East, Europe and Africa at (ISC)2.

The study also revealed that only 10% of the cyber security jobs around the world are currently filled by women, with that figure falling to 8% in Europe, and only 7% of the current workforce is under the age of 30, he told the opening session of the 2017 Security Serious virtual conference.

“As an industry, we are facing a huge shortfall in skills. People with experience are expensive to hire, and there are relatively few women and too few young people being attracted to the profession, with the added problem of a very high churn rate,” said Davis.

Quentyn Taylor, director of information security at Canon for Europe, said information security is one of the toughest areas in which to recruit people.

“Candidates tend to be too expensive for the roles we have on offer. The other problem is that they have a lot of certifications, but have very little real-world experience, or they have very good advanced technical skills, but they are missing soft skills and the basic skills,” he said.

Taylor said that while organisations are generally willing to invest in further professional development training, they are reluctant to pay for training in basic security skills and soft skills where these are lacking. “My advice to anyone applying for a cyber security role is to brush up on your basic skills and soft skills,” he added.

But Davis repeated that those recruiting people in the cyber security industry have a role to play in making it clear what they are looking for.

“Young candidates tend to think that they need to have technical depth, but in reality, while hiring managers want to see candidates with good technical skills, they tend to weigh communication skills, analytical skills, business knowledge, and risk understanding higher than young candidates do.

“We are not sending the right messages to bring people into the profession – we are telling people we need one thing, but actually we want to hire for something else,” he said.


Ian Glover, president at Crest, said that while the penetration testing, technical cyber security incident response and threat intelligence industries are generally better off than the wider cyber security industry in terms of having younger people and greater neurodiversity and ethnic diversity, gender diversity is a shared challenge.

“We see quite a significant percentage of people who are on the neurodiversity spectrum, including people with autism and dyslexia, and we are also diverse in our ethnic background and educational background, but gender diversity is absolutely something we need to address,” he said.

However, Glover said there are indications that things are changing, with 60% of the intake for technical security courses made up of women, and women now representing around 40% of the intake for technical courses at Royal Holloway.

Upskilling and keeping employees

In terms of tackling the overall shortage of cyber security professionals, Glover believes that attention should be paid to those already working in the industry. “We need to upskill some of our existing people in the industry so they understand the technology they are working to support,” he said.

But when it comes to attracting new blood, Glover said the cyber security industry needs to think about putting a marketing strategy in place to encourage more people into the industry.

He believes the industry also needs to provide incentives for cyber security professionals to stay in their jobs longer, instead of constantly moving in pursuit of better opportunities, which he said is driving up salaries artificially.

“I work in a really sexy, interesting industry that is of great interest to people as soon as we start to describe what it is. We need to explain how we work for the common good, that the money is really good and that information security is not age or education specific,” he said.

“We are an extremely open community for all aspects of diversity – we are not really getting that message over. We absolutely have to improve our marketing message – we have got to get out to more people.”

According to Davis, the cyber security industry needs to do more to raise awareness about the profession, particularly among teachers and career guidance services.

“We need to go out and market our profession and tell people what it is that we actually do and how they can help. They need to understand that it is not all about hackers in hoodies, but that we help businesses do stuff better, we solve problems, we deal with people and technology, and we make stuff work and work better,” he said.

Rather than looking to government, Davis said, the cyber security industry needs to help the whole nation become more digitally aware.

“The more people who understand how great this stuff is, how our lives depend on technology, how they can influence it and how they can use it to have a better [life], the greater the chances are that we will have a bigger pool of people who are interested,” he said.

“[People] from many backgrounds who could bring knowledge and expertise or just sheer enthusiasm into our profession, which will help us grow, make us more flexible, and help address the skills gap.”

Plans for addressing skills shortage

In terms of a broader strategy for addressing the skills shortage, Glover said the cyber security industry needs to think of short-, medium- and long-term activities.

Short term, he said, there is a huge pool of people looking to return to work or change careers, but that pool is largely untapped because there is no structured set of activities to bring those people in.

“Added to this are a number of hiring organisations that are unwilling to train people at entry,” said Glover. “But we need to find ways of doing this, such as asking people to pay for their own training and do a payback to enable conversion-based career changes.”

Glover said a lot of the work information security professionals do can be done remotely and could be done flexibly. “We need to put structures in place that allow people to do that, and we need to stop looking for people with 80% of all the skills and everything else they need to fulfil their role.

“If we drop to 65% or 55%, we can open up jobs like systems administrators, application testers and application developers as a way of drawing people into our industry,” he said.

Medium term, Glover said the information security industry needs to target university graduates from a wider spectrum of disciplines. “Four of the six people I have placed recently are graduates in subjects like international politics and American history, and they all went into the threat intelligence industry.

“So we should be identifying the primary areas that we should be targeting at the universities – and then describing to them the type of jobs that are available – and again linking those to conversion courses to allow people to get entry into the industry,” he said.

Long term, Glover said the UK higher apprenticeship programme has the potential to be “trailblazing”. A level-4 cyber security apprenticeship programme has been launched, while a level-6 degree-level apprenticeship programme is under development.

“The UK could be world leaders in this, but we need the industry to get behind it to support young people to help them to identify that an apprenticeship is a good thing to do in this area, and provide support to the educational institutions that help them to supply [apprenticeships],” he said.

Taylor said as a hiring manager he is planning to bring in apprentices using the government scheme in the coming year. “We are definitely looking to do that. I was surprised at the quality of the talent – while the people did not have any specific infosec skills, they have great generic IT skills and a good understanding of what is going on in the industry,” he said.

Certifications used as ‘lazy shortcut’ by HR

Taylor said while certifications do have a role to play, he would never advertise a job saying candidates must have a particular certification or degree. “By doing so you risk throwing away a large chunk of potential candidates,” he said.

“While certifications are great because they indicate that candidates have a particular level of base knowledge, if someone does not have a particular qualification I will not discard their CV if it looks interesting in terms of experience. In most cases, I am more interested in experience than any other factor.”

Surprisingly, Davis said he does not think everyone in the industry needs or wants certification. “I don’t think everyone in the industry needs to hold a CISSP, and when people say they want to get a certification, the first thing I ask is what they want to do as a person.

“People should ask themselves how they want to develop, what skills they want to grow and what they want to learn. I think individuals should choose a certification that helps them develop, grow and learn,” he said.

For someone who is a pen tester and wants to remain a pen tester, Davis said they should go and do all the Crest qualifications. “But if you are a pen tester and you want to end up as a CISO, then doing all of the Crest certifications may not be the right route – you may want to consider going to business school or joining the Chartered Management Institute.”

A big problem in the industry, said Davis, is that certifications are often used as a “lazy shortcut” for getting human resources (HR) to screen out all candidates without a CISSP, for example.

“HR tends to be a machine going through the same process, but hiring managers need to become more involved because cyber security does not fit that machine. We do not have job roles and descriptions that you can pull off a shelf and apply a standard process to,” he said.

“The better the cyber security industry can get at doing the job specification, the more we can get HR to do our work for us in a proper sense. Everyone hiring in the industry needs to engage with HR and work with them to get the right CVs, rather than relying on lazy criteria.”

Criticism of Equifax CIO discouraging

Commenting on the fact that former Equifax chief security officer Susan Mauldin “retired” from the company less than two weeks after the credit reporting agency admitted it had been hit by a massive personal data breach, and that she was criticised on social media for having degrees in music and art, the panel agreed that this all sent out a negative message about the profession.

Taylor, who has a degree in biological sciences, said that all those abusing Mauldin over her degrees ignored the fact that she had years of relevant industry experience. “I thought that there was an ulterior motive of people just wanting to lash out at somebody,” he said.

Glover said that music qualifications were common in his part of the cyber security industry. “Some people with music degrees are also awesome pen testers. We would never criticise someone who decided to become an accountant because their background was in music,” he said.


“We have to look at the way other professions tap into people with different backgrounds by demonstrating a career pathway for people and tying that together with onsite training and experience, with further academic training for professional development. It would be hugely damaging to our industry if we do not do something to show there is more than one route in.”

Davis said the way Mauldin was treated could discourage people from considering a career in cyber security. “We need to look at ourselves as an industry because the message we are sending out is not a positive one: if you are in any position of responsibility and you get it wrong, you are going to be thrown to the wolves by a profession that should be supporting you,” he added.

Taylor said those posting criticism of Mauldin clearly did not understand that a CIO or CISO has no magic wand to wave that gets security patches applied.

“They showed no understanding of the fact that there may be 200 to 300 people involved with thousands of moving parts. You are guiding an oil tanker, not a nimble little boat – people forget you are more directing than being able to say do A on server B in the next 10 minutes,” he said.
