It has been said that the cyber-security skills gap will result in a shortage of two million professionals by 2017 (according to ISC(2)), a problem which has led some to call for a societal shift in security thinking, as well as increasing government involvement.
On the latter, there has at least been some traction; GCHQ has started accrediting cyber-security Masters degrees, and Coventry University is now offering the first MBA in Cyber Security.
However, an analysis of this year's UCAS undergraduate course acceptances by SCMagazineUK.com reveals that this shortage will continue with the numbers – and thus interest – in security courses considerably lower than in recent years.
The majority of computer security courses are categorised in the UCAS numbers under ‘Information Systems', and a review of these courses reveal that they include ethical hacking, computer security and forensics, computer and information security, data science and cyber-security.
Although the universities themselves decide which category their course fits under, UCAS officials told SC that Information Systems is used for the majority of cyber-security courses, with the body's own categorisation indicating that these courses should include information modelling (how information flows within an organisation), system designs and methodologies, databases, system auditing, data management and systems analysis.
The bad news is that, looking at the UCAS entries for last year, the number of undergraduates taking these courses is plummeting.
In 2014, 1,905 men and 460 women (2,365 in total) enrolled in these courses but this represented a fall of 11 percent year-on-year (2,670), 18.7 percent compared to 2012 (2,910) and 34.5 percent compared to 2011 (3,610). The enrollment number was almost half as much (41 percent) as the 4,010 people that enrolled on Information Systems courses back in 2010, and is the worst since UCAS starting tracking course applicants in this way back in 2007.
It is worth noting that *some* cyber-security courses fall under the wider ‘I' group in UCAS' figures, with these encompassing the likes of computer science and software engineering. But even these figures made for dire reading, especially regarding the number of young women undertaking a computer science-related course.
Dr Adrian Davis, European MD at (ISC)2, told SC that the skills gap could take a generation to fix: “The numbers behind the skills gap are evidence of the colossal change that has taken place in our economy and society as we moved into our digitally dependent age. We shouldn't really be surprised at the growth in demand for people with the skills in areas such as information security that are needed to make our new society work; the adjustment required is enormous.
“We must also address other needs long before we can begin to directly develop skill. People need to discover and develop interest in a subject, appreciate the opportunities before they will even consider investing in an education. Students won't choose subjects they don't understand.”
Davis added that the information security profession must ‘do a better job of communicating', while governments, industry and academia must work together to fill the gap.
“We are talking about an adjustment that usually takes a generation to achieve; unfortunately, we do not have this long. Governments, industry and academia must work together on tackling the issues. It's time to ramp up the scale.
Other university lecturers professed to see growing interest in cyber-security – Coventry University, for example, says this is the case with its ethical hacking course. However, other professors say that the problem goes deeper, to a lack of interest in STEM subjects.
Alan Woodward, Europol adviser and visiting professor at Surrey University's Computing Department, told SC: “Possibly the most unusual aspect of this whole area is the general point about computer science; of all the STEM subjects it has the highest level of unemployment apparently. The Council of professors and heads of computing looked into this and found that it was very variable with places such as Surrey being at the top with over 90 percent employment down to some others that had as low as 60 percent. It seems to be more to do with other socio-economic factors as well as what employers think of the degree.”
“Many are now of the opinion that these more specialist degrees, especially when they become very specialised such as cyber-security, need some form of kite mark. Six of us have been fortunate enough to have GCHQ accreditation for our masters' degree so I suspect it will I trickle down to undergraduate degrees too.”
Like Davis, Woodward said that young people will ‘not choose degrees they do not understand', while adding that this would also apply to students' influencers, like parents and teachers.
“I think perception plays a significant role, and cyber-security is really suffering along with many other engineering subjects. “In short we have a problem, we know we have a problem, were collectively failing to attract young talent, and we're running out of time.”
Stephanie Daman, CEO of the Cyber Security Challenge, added: "The skills shortage in cyber-security cannot be solved by tackling it at one particular stage in the career development process. Universities play a critical role which is why past failures in terms of ignoring or at least failing to prioritise security sufficiently in computing and computer science courses are now being addressed.
“The GCHQ accreditations are an important step forward and we at the Challenge and working on our own university programme with industry mentoring and skills development training camps due to be rolled out with universities across the country later in the year. However, as this survey suggests, some of this good work will be lost if we don't have a fully primed pipeline of talented applicants to these courses. This is why the Challenge has, for a number of years now, been working at the secondary school age to introduce security as an exciting career rather than just a set of principles to keep you safe online.”
She added: “We also mustn't forget that a major source of untapped cyber-security talent can be found within the existing professional base, where there are thousands of people with all the skills, who would love move into security but can't see a route in that wouldn't require them taking significant pay cuts. As an industry we must make it easier for this group to demonstrate their talent and transition sideways rather making them start all over again at the bottom."