How the IT sector can help plug the cyber security skills gap
Businesses have a role to play in plugging the cyber security skills gap by engaging with future talent at a young age, providing more role models for under-represented groups, communicating the nature of the threat, and changing their approach to cyber security recruitment
Rarely a week passes without a story about a high-profile data breach, a cyber attack or even cyber espionage.
Unsurprisingly, given the impact it could have on the UK, recent weeks have been dominated by the prospect of UK infrastructure coming under strain online as the dispute over the poisoning of former spy Sergei Skripal and his daughter continues to escalate.
Fear of disruption to the UK’s critical infrastructure is a reminder that our personal information and the services that businesses and society rely on are facing potential threats every day.
It is also a timely reminder that we urgently need more cyber security talent, now and in the future, to keep the UK safe.
The UK is moving in the right direction: the work of institutions, such as the National Cyber Security Centre, and new initiatives, such as the Cyber Security Skills Immediate Impact Fund – which is designed to incentivise organisations in developing, scaling, or refocusing cyber security training initiatives – are important.
Equally significant are initiatives such as the Cyber Security Challenge UK and the two annual university-level cyber security competitions I started, the UK-wide Inter-ACE and the international Cambridge 2 Cambridge in collaboration with MIT, to inspire and engage the next generation.
Yet there is much more to be done. Despite current efforts, the sector is set to experience a global shortfall of 1.8 million trained workers in the next four years.
The UK is at real risk of facing a significant skills shortage, and there are three main ways IT directors and businesses operating in the sector can contribute to upskilling their workforces and the wider UK.
We need more role models
Cyber security retains an air of mystery and intrigue. We need to get past the idea that a cyber attacker is your stereotypical teen in a basement, wearing a hoodie and looking like something out of a bad action film, someone who can’t be stopped.
That’s not helpful in terms of communicating the core message that cyber security is really about risk management and harm reduction, nor is it helpful in attracting new talent to the sector. Ask yourself, would you have considered a role if you had no idea what it entailed at the start of your career?
Businesses should invest in getting their staff out there and engaging future talent at a young age, ideally before critical decisions about GCSEs and A-levels have been made.
We need more role models, and especially female role models for the cyber security sector. As a single example, the number of female participants joining Inter-ACE has grown from just two in 2016 to eighteen in 2018.
That is to be celebrated, but with more than 130 students taking part, it’s a sign of how far we still have to go as an industry. Without women in the sector, we are leaving out half of our prospective talent.
Communicate the nature of the threat
Interstate cyber conflict may grab the headlines, but it is mass, untargeted commodity-grade attacks that remain the bigger threat.
The issue with these basic attacks is that they are very easy to scale – meaning lots of businesses are at risk. This is less about taking down the national grid and more about convincing Steve in accounts to click a link in a malicious email.
From a training perspective, that means making users aware of why they need to take cyber security seriously and what could happen if their system were to be compromised.
But it also means being prepared, as an organisation, to take a hard look at how IT systems and access privileges are applied across the business, because much IT infrastructure has evolved piecemeal over time rather than being designed.
It means considering issues such as whether the privileges, permissions and access a given user has are appropriate, and it also means making sure that security is easy to use.
It is about making sure security works for the users. Passwords are a classic example of failing to make security easy to use. We know that people can’t remember more than a few strong passwords, yet standard IT policy often still requires a different password on every account and a forced change every couple of months. The result is that passwords get progressively weaker and security is undermined.
Think outside the box on recruitment
With the UK already experiencing a skills shortage in cyber security, competition for talent is fierce, and the traditional recruitment pipeline focused on external hires may be insufficient.
Instead, organisations should note that their future cyber security workforce may already be working at the company in a different role.
Skill discovery fits well with the trend towards employees self-training, and cyber security, of all careers, is one that particularly favours self-education given how quickly the field is evolving. After all, the first winner of Cyber Security Challenge UK in 2011 was at the time employed as a postman.
Incorporating national competitions into staff training can be a simple option for discovering talent in the organisation, as well as increasing awareness of the issue more broadly.
The number and scale of the cyber threats facing the UK will continue to intensify. Meeting that challenge requires coordinated action across government, academia and the private sector. The IT sector – by getting out there into schools, engaging the wider workforce and sharing skills – has a significant role to play.