The world is desperate for cybersecurity talent, yet the sector limits entrants and clings to obsolete training methods. As the skills gap grows and organizations become increasingly vulnerable to ever-more complex threats, the need for a diverse pool of cybersecurity experts to learn in real time, rather than a classroom, strengthens.
The way that cyber talent is taught – at university and during training – is no match for the evolving threat landscape. Static measurements of skills, such as certification and periodic training, cannot keep pace with new threats that even the savviest security teams are unfamiliar with. The barrage of 24-hour threat intelligence is increasingly disconnected from the skills of these security teams, meaning badly trained defenders are simplifying attackers’ jobs.
In my time at GCHQ I learnt that the best cyber talent is creative and curious; they develop by breaking things and thinking on their feet, not sitting in classrooms and learning passively. Unfortunately, this jars with traditional training methods, which is one of the factors contributing to an unnecessary talent drain.
Ineffective training makes unhappy experts
Every year, Enterprise Strategy Group (ESG) conducts a global survey of IT professionals, reviewing the challenges they are facing as well as strategic considerations like purchasing plans. In one part of this survey, respondents are asked to identify areas where their organization faces a problematic shortage of skills.
In the 2018-2019 report, cybersecurity skills topped the list – a startling 53% of survey respondents said they were facing a shortage of cybersecurity skills. This was markedly higher than second place, which was IT architecture/planning skills at 38%. Clearly, the problem is global.
Statistics like this demonstrate the struggle many companies are facing: too few people are being granted access to the sector. This is why many businesses are now setting up initiatives to get students, the neurodiverse and war veterans (who typically possess security experience and transferable behaviours) into cybersecurity. These individuals are often overlooked when it comes to employment, despite the need to widen the cyber talent pool and increase diversity within the industry.
Stopping talent going to the dark side
Despite the drawbacks of classroom-based teaching methods, university remains one of the most common routes into the sector. However, on A-Level results day earlier this year, the Independent reported that top grades dropped to their lowest proportion in more than a decade as numbers going to university also fell. Promising talent missing out on university places is an age-old story, and it can even result in disappointed students turning to the dark side. This is because lacking the grades to achieve a place on a university cybersecurity course has almost no bearing on whether someone could succeed in the sector – and cyber talent knows that.
One example is Daniel Kelley, the 22-year-old who hacked the telecoms company TalkTalk, taking the personal data of more than 150,000 customers while also targeting other companies in Canada, Australia and the UK. During his trial, Daniel explained that he was motivated by revenge after failing to get the GCSE grades needed for a computer course.
Prosecutor Peter Ratliff said: “Where confidential and sensitive information had been stolen in the hack – typically the personal and credit card details of the company’s clients – the defendant would threaten the company with the public release of the material, knowing and exploiting the fact that the release would risk the ruin of the company concerned.”
If he had got onto the course, Daniel’s skillset may have developed more slowly. He is a prime example of the fact that cyber skills are, in some cases, better learnt than taught. With threats like this, it’s clear that the way people are being taught is broken; the solution to the cyber skills gap simply won’t be found in a classroom.