On a global scale, the UK IT industry is the least satisfied with its education system. Only 14 percent of UK IT decision makers (ITDMs) feel that the UK education system fully prepares professionals for the cyber-security industry.
A new global report from Intel Security and the Centre for Strategic and International Studies (CSIS) found that 75 percent of IT experts claim there is a cyber-security talent shortage across the UK. The number one skill that is lacking amongst UK IT pros is threat analysis.
Responses from 775 ITDMs involved in cyber-security within their organisation were gathered from across the UK, US, France, Germany, Australia, Japan, Mexico and Israel. The respondents were from organisations with at least 500 employees coming from both public and private sectors.
Most respondents (82 percent) admit to a shortage of cyber-security skills, with 71 percent citing the shortage as responsible for direct and measurable damage to organisations whose lack of talent makes them more desirable targets for hacking.
“A shortage of people with cyber-security skills results in direct damage to companies, including the loss of proprietary data and IP,” said James A Lewis, senior VP and director of the Strategic Technologies Programme at CSIS. “This is a global problem; a majority of respondents in all countries surveyed could link their workforce shortage to damage to their organisation.”
Respondents estimated an average of 15 percent of cyber-security positions in their company will go unfilled by 2020. The increase in cloud, mobile computing and the Internet of Things, in addition to advanced targeted cyber-attacks and cyber-terrorism around the world, makes the need for a stronger cyber-security workforce more critical.
“The security industry has talked at length about how to address the storm of hacks and breaches, but government and the private sector haven't brought enough urgency to solving the cyber-security talent shortage,” said Chris Young, senior vice president and general manager at Intel Security Group. “To address this workforce crisis, we need to foster new education models [and] accelerate the availability of training opportunities, and we need to deliver deeper automation so that talent is put to its best use on the frontline. Finally, we absolutely must diversify our ranks.”
Countries and industry sectors that spend more on cyber-security are better placed to deal with the workforce shortage. The shortage has resulted in direct and measurable damage to the security networks of 71 percent of respondents' organisations.
A meagre 23 percent of respondents say that education programmes are preparing students to enter the industry. The report reveals that non-traditional methods such as hands-on training, gaming and technology exercises and hackathons are a more effective way of acquiring and increasing cyber-security skills.
More than half of respondents feel that the cyber-security skills shortage is worse than talent deficits in other IT professions, putting an emphasis on continuous education and training opportunities.
Only 23 percent of respondents feel that education programmes, whether university or vocational, fully prepare cyber-security professionals for the industry.
Salary is the top motivating factor in recruitment, but other incentives such as training, growth opportunities and reputation of the employer's IT department are also important when recruiting and retaining the best talent. Nearly half of respondents noted that a lack of training or qualification sponsorship was a common reason for the departure of talent.
Over three-quarters (76 percent) of respondents say their governments are not investing enough in building cyber-security talent. Heads of state in the UK, US, Israel and Australia have called for increased support for the cyber-security workforce in the last year.
Moving forward, it is recommended that organisations:
Redefine the minimum credentials for entry-level cyber-security jobs and accept non-traditional sources of education
Diversify the cyber-security field
Provide more opportunities for external training
Identify technology that can provide intelligent security automation
Collect attack data and develop better metrics to quickly identify threats
In commentary to SCMagazineUK.com, Raj Samani, CTO EMEA at Intel Security, said, “Demand for cyber-security skills has increased significantly, particularly those scarce high-value skills such as intrusion detection or attack mitigation. With customers turning their backs on organisations that have suffered breaches, the demand for these skills is set to rise even further. Moreover, as organisations identify their future growth within new technologies (eg, Internet of Things), they will recognise the necessity of a strong foundation in cyber-security. This will also increase the demand for specific cyber-security skills.”
“The truth is that traditional education is not preparing individuals for cyber-security jobs. In addition to redirecting the curriculum to focus further on cyber-security, we need to look beyond higher education to train people for the profession. Whether through hands-on training or professional certifications, employees can access specific cyber skills without a certain degree course. Employers can encourage staff to undertake training and certification courses in order to better prepare both themselves and the business for the expanding attack surface. Beyond employer investment, our research also found that the majority of respondents do not believe governments are investing enough in programmes to help cultivate cyber-security talent either.”
“Faced with a significant cyber-security talent deficit, our Hacking the Skills Shortage report highlights how organisations plan to address the international shortage of these skills. With many companies unable to fill key cyber-security roles, we will see an increase in businesses outsourcing security and making the most of technology automation. For example, companies can significantly reduce the number of events to investigate in person if intelligent automation processes are in place, thereby reducing the burden for staff. It is not just about sourcing more employees. Organisations need to consider a blended approach – finding the right combination of people, process and technology.”