Cyber security skills gap a 'legacy problem'

The much-debated cyber security skills gap was the topic of debate at two separate conferences in the UK on Tuesday.

More graduates are training for IT careers
More graduates are training for IT careers

Following on from our in-depth look at the cyber security gap – and on from GCHQ announcing its intention to accredit Master degree courses in cyber security –  several information security experts mulled how the situation could be rectified yesterday.

At the Westminster eForum in London, Cyber Security Challenge UK CEO Stephanie Daman pointed to EU data showing that the region will need another 500,000 IT professionals by 2015, and to a CBI study which highlighted a shortage in STEM skills. The same study indicated that 41 percent of firms believe that this gap is likely to persist for a further three years.

“There's a very large skills gap…we have lots of jobs and lots of opportunities, but we don't actually have the people to fill those jobs,” said Daman – who added that the void impacts both the UK economy and national security.

“It's a legacy problem because we haven't been teaching ICT very well in schools.”

A panel comprising Daman, (ISC)² EMEA MD John Colley, Ruth Davis - TechUK's head of programme for cyber, justice and emergency services, and Malwarebytes EMEA CEO Fernando Francisco, debated the need for new skills to recover evidence, such as coding, programming, tech engineering skills, and questioned the salary gap between jobs being offered in the public and private sectors.

Colley agreed that the cyber security gap is a ‘real concern', especially with current information security professionals continually having to keep up to date on new areas of interest, and new skills too – like digital forensics.

“Every year we have to update the common body of knowledge with all the new stuff coming in,” said Colley.

“I believe the first step to tackle is to change our perspective. First, this is social issue, not specialist workforce issue. We should be looking beyond the development of the cyber security workforce,” said Colley, suggesting that developing the right skills would have a wider impact on society.

“Probably most importantly, we need to enable the masses, contextualise and embed the right skills and instincts across society. We need to create, develop and innovate with security in mind,” he added.

“We need to target the root cause. Ask yourself if you're building skills for security or to protect vulnerabilities? It costs to include security first, but the retrofit costs lot more and exposes you to bigger losses.”

Educators too must be supported, warned Colley.

“Educators are part of the solution…they're not part of the problem. They  need policy, they need guidance and access to resources - but that doesn't mean telling them what to do. They are the experts and we should support them in that.”

“Overall, a lot is being done and it's encouraging to see that – we now need policy to step back and review perspective.”

Malwarebytes' Francisco warned that SMEs are most likely to be hit by the shortage of skills, as they're not ‘exposed to the trends' and because their budgets are much smaller. “They're not able to attract experts to come and secure their premises.”

He said that industry must help these SMEs: “To do that, we need to engage SMEs through workshops, invite them in face-to-face meetings and training programmes – whatever we can do to show best practice, and how to protect networks.”

He urged for standards to be flexible and not watertight in the face of cyber threats that ‘evolve every day' to help companies, and said that a fresh approach is needed on attracting the right personnel.

“To attract the best skills, we need to understand that the top researchers are a different breed," he said, adding that Malwarebytes "doesn't even know the name" of one of its top researcher. "If you want to attract these type of researchers you need to accept they work on their own terms.”

Page 1 of 2