The scarcity of skilled cyber security workers in Europe is getting worse, with just under two-thirds of employers saying they are now short of staff, according to the latest report from (ISC)2.
The training and certification body’s Cybersecurity workforce study 2019, which was based on interviews with 3,200 professionals around the world, revealed the gap in the number of skilled personnel in the region has almost doubled to 291,000 over the past year. It also indicated the challenge was most marked among small companies with less than 100 staff or large ones with more than 500.
But whatever the size of the business, survey respondents pointed to skills shortfalls as being their number one concern, with just over half saying they feared their organisation was at either moderate or extreme risk as a result.
That such concerns are widespread was also backed up by the UK cyber security skills survey, conducted by Ipsos Mori on behalf of the government’s Department for Digital, Culture, Media and Sport (DCMS) at the end of 2018.
It found that 54% of the businesses it questioned – the equivalent of 710,000 out of a total of 1.32 million across the country – had insufficient access to basic expertise, which included detecting and removing malware. Just under a third (407,000 organisations) also experienced high-level technical skills gaps in areas such as penetration testing, interpreting malicious code and user monitoring.
Other specialist fields in which expertise was lacking among companies in the cyber security industry itself, meanwhile, included cloud and endpoint security, identity and access management, and threat-hunting, with artificial intelligence software and other automation technologies expected to join the list over the next three to five years.
But the end result of all this, points out Martin Courtney, principal analyst at research company TechMarketView, is that the industry just ends up recycling the same staff in an endless merry-go-round.
The problem is that many employers – if they can afford it – are simply “poaching staff from rivals rather than nurturing their own talent, inflating salaries in the process and adding cost to security provision for all concerned”, he says.
But this already tricky situation is also not being helped by the fact there is currently “no widely accepted definition” of what a cyber security professional actually is or does, according to the DCMS study.
As John Davies, co-founder of the CyberWales ecosystem and cyber security product supplier Pervade Software, says: “There’s a really broad spectrum of disciplines that sit under the banner of cyber – it’s massive and covers everything from people managing firewalls to forensics. They all have a role to play, but it’s in the more technical areas where the real skills issues lie.”
A broad and varied discipline
Unsurprisingly then, in its Initial national cyber security skills strategy policy paper, the UK government acknowledged that cyber security is a “broad and varied discipline” that has grown “rapidly and organically” over recent years but can prove baffling to outsiders.
“This rapid development has led to a fragmented narrative around cyber security skills and a lack of coherence between the different specialisms,” the document says. “The absence of clearly established career and training pathways has meant that cyber security can be a confusing landscape to navigate, compounding the diversity challenges evident across the workforce”.
For example, the DCMS study says, there is “no single gold-standard cyber security qualification, or even an accepted minimum qualification to work in the role”. Another issue is that, even though getting a degree in the subject is now a key route into the profession for many, it is not considered enough to make for a rounded practitioner.
Mike Lloyd, chief technology officer at cyber risk modelling platform provider RedSeal, explains: “You can’t just sprinkle fairy dust and make someone a security professional. People agree that, with a new graduate, it generally takes about 10 years because you need a lot of real-world experience.”
In his view, what is required is a mix of “base technical skills, which means learning how the modern digital world works, for example, how websites can be attacked”, and developing an “adversarial mindset, which takes years of experience in playing cat and mouse games”.
Davies from CyberWales agrees, but also believes that too many graduates are simply not given the “foundational knowledge” required to “understand what’s happening under the bonnet”, which is why large cyber firms end up putting them on six to nine-month training courses after hiring as they are unable to “hit the ground running”.
The DCMS study likewise defines the current talent pool as “relatively immature”. While cyber security firms are relying on a “newly formed labour market”, which focuses heavily on “recruiting graduates and apprentices at the start of their career”, employers in the private, public and third sectors are mostly coping with the help of non-cyber-security professionals who look after the area as part of a wider remit.
To help tackle this tricky situation, the UK government launched its Initial national cyber security skills strategy in December 2018.
The aim, it said, was not only to recruit new professionals into the industry, but also to improve cyber security education and training more broadly and ensure the country had a professional structure in place that was “well structured and easy-to-navigate”.
Cyber Security Council
To this end, it is currently in the process of setting up a new UK Cyber Security Council with £2.5m of public funding to develop a professional framework for each of the various specialisms, the aim being to provide easy-to-understand advice for anyone considering a career in the field.
Each framework sets out different career options and pathways, which includes clarification of the certifications and qualifications required at each occupational level.
The Council will comprise a consortium of professional bodies, such as The British Computer Society, Crest and The Information Systems Audit and Control Association (Isaca), although the full line-up will not be finalised until the end of March 2021.
Cyber Body of Knowledge
Meanwhile, a team of UK academics has also been commissioned to develop a so-called Cyber Body of Knowledge (CyBoK), which will provide interested parties with a library of foundational information on which the field is based.
Also on the agenda is the appointment of independent ambassadors to promote careers in cyber security to a more diverse range of individuals. Following a wide-ranging review, the CyberFirst brand has likewise been relaunched to unify under a single banner all existing and future initiatives aimed at encouraging young people to embrace this career path.
Finally, the government also announced it would continue to finance the Cyber Skills Immediate Impact Fund during fiscal year 2019/20 in order to help create a “vibrant industry led training ecosystem”.
As an example of how it works, during the Fund’s third round of financing in August 2019, training providers were asked to bid for up to £100,000 to jointly design programmes with employers for retraining people from diverse backgrounds, including women and members of ethnic minorities, in order to supplement the usual profile of white, middle-class males in the sector.
But the big question is, are such activities really enough and if not, what other action needs to be taken? Opinions here definitely appear mixed. Anthony Young, director of security and risk assurance services provider Bridewell Consulting, for example, believes that things are “definitely moving in the right direction”.
“Much of the industry is now joined up and working together, with the idea of ensuring good content for schools and universities and aligning all the different certifications,” he says. “The Council’s aim is to ensure consistent quality and to provide employers with a way of grasping the different levels and qualifications so they can understand the quality of individual professionals, which is very useful.”
Another benefit of the government’s activities, Young believes, has simply been to “get people thinking about cyber security” and encouraging companies like his own to work with schools in order to engage with future generations of potential talent.
Pros and cons
But Davies is not so sure. “I don’t envy the task of defining skills pathways as it’s too complex and things change all the time,” he says. “The danger is that things are out of date before they’re written, which could be more misleading than helpful.”
Meanwhile, although Davies “loves the idea of creating a body of knowledge” for the industry, Peter Komisarczuk, a professor at the Royal Holloway at the University of London, warns that much work still needs to be done. While CyBoK may now be in its “initial format”, he believes it would still benefit from having its content tailored to a range of different audiences.
“If you go through some of the documents, you’d need a pretty good degree in maths to deal with the cryptography side, for example,” says Komisarczuk. “CyBoK needs to be accessible to technicians as well as experienced professionals, but it’s currently very high level.”
Other initiatives that Davies is also keen on include both the Cyber Skills Immediate Impact Fund and CyberFirst due to their “vocationally minded approach”. For the same reason, he is likewise taken with the idea of growing the number of cyber apprenticeships at all levels and retraining people from a range of disciplines who show an interest in the subject.
Young agrees, stating that if employers really want to get hold of the skills they need, they would be advised to focus less on trying to hire them in and more on taking the home-grown approach, which involves thinking “more creatively”.
As he points out: “We’ve taken people from application development, audit and infrastructure backgrounds who all have a general desire to learn, grow and develop because the rest of it you can teach.”
Automating admin tasks
But automating basic, transactional and admin tasks can also prove helpful. While many small and medium-sized companies now employ managed services providers to help them get on top of their cyber security problems, Lloyd points out that a lot of larger organisations are now resorting to automating tasks at the technician end of the scale, which should over time reduce demand for entry-levels skills.
“Bigger companies are investing in automation as even they can’t fill their skills gaps. And it makes sense because if we work on the premise that it takes 10 years to create a cyber security professional, that means we’re going to have skills issues for at least that long into the future – no matter what the government does,” he concludes.