After every new data breach or hack, a new headline appears with a company treading above water, desperately trying to survive the reputational damage and financial costs. Enterprises are petrified and are seeking the cyber security heroes of tomorrow to help. The predicament they face is that these cyber guardians are rare which is pushing the industry to breaking point. This is the harsh reality the cyber security industry is faced with and if something is not drastically changed the damage done will be irreversible.
What are the numbers?
The issue of the cyber skills gap is a trending topic, often discussed in debates and seminars, but suggested solutions to address this critical problem that is plaguing the industry are few and far between. With a predicted global shortage estimated to be nearly two million cyber security professionals by 2022, the current lack of skilled individuals in the industry has left one in four organisations exposed. This in turn has left 51% of enterprises feeling less prepared for a cyber attack than 12 months ago.
If we look across the pond to our American cousins, many have adopted a model that focuses on hiring hackers. This can be a positive solution, but not necessarily the best way to grow the industry. The outcome of this approach has left no distinction between the very good and the very bad individuals, which has consequently left organisations paying fortunes for relatively young people, who lack both experience and business acumen when delivering these services. This is not a route the UK should follow.
How should the UK prepare for the future?
What is needed is a plan of action to tackle the skills shortage that will benefit the industry and ensure it survives in the short, medium and long term. This will only happen if we answer the question: are we making cyber security attractive enough?
To make this a long-term success, it is essential we make cyber security more exciting to the youth and drive awareness through cyber programs within schools. Like in all walks of life, time is needed to grow and develop talent. By making the industry more accessible, through NCSC sponsored initiatives, younger people can understand the various avenues and pathways into cyber security. This will guarantee that a steady flow of cyber talent through the schools into college, which is where earn-while-you-learn apprenticeship programs should be offered.
During this period, students will have the opportunity and space to gain real world experiences, business understanding and develop work ethic through schemes which can be continued onto to university or out in the working world. Therefore, the cyber industry needs to forge strong ties with further education institutions; a relationship that is in its infancy but growing nonetheless.
In the short term, the industry needs to offer conversion courses which will attract graduates that not only studied computer science or that ilk, but also from other disciplines. This can be extended into other related subjects. Remember, the cyber industry is short of personnel in every department and not in just computer dependent roles - which is why a more definitive career pathway must be made available. For students that studied history or politics, going into threat intelligence would be an option, for example. The industry is short on researchers and marketing awareness for our programs which would appeal to those that studied English literature or marketing. A background in cyber is not always required, just the willingness to learn, a drive to succeed and a mentality that evolves with the cyber setting is desired.
Unanswered questions
Many organisations currently outsource work to Europe or hire from the diverse talent pool it offers. However, the uncertainty that surrounds Brexit has left many worried about the effects it will have on the industry. Research funding is already being lost. This is a problem, but can also be viewed as an opportunity to encourage industry and academia in the UK to work more closely together and ensure consistent nurturing of our own home-grown talent.
The UK simply cannot rest on its laurels and if a strategy is not in place to retain the current pool of talent, then we will be left behind with professionals flocking to mainland Europe. To achieve the end goal and make the UK a utopia for cyber security, we must ensure that our existing workforce is upskilled with our organisations promoting the latest technology. This will be the only way the UK will be able to compete with the rest of the world for the best talent.
Thankfully, there are those who have not given up the fight and aim to address this key issue during Security Serious Week.
Join Adrian Davis Managing Director, EMEA at (ISC)²; Ian Glover, President at CREST; Quentyn Taylor, Director of Information Security at Canon for Europe, Warwick Ashford, Security Editor at Computer Weekly as they discuss the cyber skills gap for Security Serious Week 2017’s virtual conference – sign up to the free webinar here