One of the almost universally agreed tenets of cyber-security is that there is a global shortage of skills. It doesn't seem to matter which country, which industry or which organisation you consider, they all agree that they can't get enough people of sufficient experience and talent to meet their needs.
In the UK, the Government has invested time and effort in the creation of standardised curricula and has created secondary and tertiary courses in cyber. It has also actively promoted cyber-careers through initiatives such as the UK Cyber Security Challenge and has even reformed the teaching of computing in schools, focusing on fundamental coding skills and logical problem solving. And that's just a few of the initiatives.
Other governments around the world have taken similar steps. However, the cyber-skills shortage problem remains unsolved. Nothing seems to be moving the needle. As we hit this educational innovation wall, we need new ideas to inject further impetus in the quest for cyber-skills.
I believe that we need to focus on three areas: Scope, Sources and Psychology.
Scope – One of the challenges in attracting young minds to study the disciplines in cyber-security is that topics are seen as ‘geeky’, ‘hard’ or ‘boring’. The caricature of a cyber-security expert is a young male, perhaps long hair, a bit socially dysfunctional, given to talk at length on the arcana of computing. Whether or not this profile is really true is less important than examining what kind of skills our typical cyber-security roles really demand.
Currently they're rooted in subjects like computing, maths and engineering. However, the scope of cyber-security is changing. The constant development of new forms of attack, the relentless ingenuity of the cyber-criminals and the rapid pace of technological innovation are giving rise to a need for a much broader set of skills.
We are already seeing the rise of data scientists in cyber, people who can analyse huge amounts of data, visualise complex data relationships and sift through data sets to find the obscure tell-tale signs of a hidden attacker. These demands are extending into behavioural science and criminology as people try to predict attacker behaviours in order to identify new areas of vulnerability, or to understand and defeat new social engineering attacks that exploit the weaknesses in the human psyche to perpetrate an attack.
Psychology is becoming increasingly important as we get to grips with insider threats, understanding why people are motivated to damage their own organisations, while creating security controls that can be implemented in a way that isn't seen as a barrier or something to be circumvented. Increasingly, good communication skills are important as we try to raise awareness, train or simply communicate concepts to people, all of whom need to understand their role in keeping themselves and their organisation secure.
Even subjects like economics and finance are becoming integral to cyber as we fight to show the cost-benefit of keeping organisations secure, always apparent after an event but almost impossible to explain when nothing bad has yet happened. So, expanding the scope of cyber-skills is both essential and desirable. Adding into the mix economists, psychologists, data scientists, behaviouralists and communications specialists should broaden and enrich the career of a cyber-specialist, attracting people into the profession that might have otherwise dismissed it as an option.
Sources – Many organisations look to universities to provide the raw skills intake for their cyber-needs. I think we need to look much more broadly, looking for intake much earlier, and much later, in educational and career timelines. The UK Government is already working with industry to create and run cyber-apprenticeships, offering young people a chance to build a career in cyber without having to go to university.
Work is now being done to create degree apprenticeships in cyber-security, creating fantastic opportunities for young people to become qualified, experienced and skilled without the debt burden associated with tertiary education. Some work is being done to take these opportunities even further back in the education timeline to 14-year-olds, with the creation of University Technical Colleges (UTC), where a school is created in partnership with industry and universities to provide specialist curricula with strong ties to real-world careers.
UTCs specialising in IT, cyber and engineering are already running and more are in the pipeline. We ought also to be looking at how older, more experienced people can start late careers in cyber-security. Real-world experience of businesses, industries and government should be seen as invaluable in improving the security of an organisation. Innovation is needed to create ways that people can gain the necessary skills, while taking advantage of their existing experience, to start a new career in cyber.
Events such as the UK Cyber Security Challenge have illustrated that there are extremely able people out there who don't necessarily have the background to start a career in cyber-security until, that is, they win the competition. Innovation is necessary in training, in access to courses and in creating entry-level roles that recognise such individuals' needs and capabilities.
Psychology – The final piece of innovation we need to bring to cyber-security careers is the psychology of the roles themselves. Specifically, we need to reach out to people to explain that the job of a cyber-specialist is highly creative, utilising talents in problem solving, lateral thinking and intuition. In no other field are you pitted against a human adversary who is highly creative, highly motivated and who isn't constrained by rules or laws. It's a job that is incredibly challenging and constantly evolving. People who thrive on such challenge are relatively rare, so we need to make sure that such individuals consider cyber-security as a career option alongside other challenging and creative industries.
Of course, it's not just about attracting such people into the profession. You also need to understand that the psychology of such individuals requires different handling, different management styles and different motivations. At the risk of gross generalisation, such people get bored easily, they don't like admin, they don't like corporate dress codes and they don't tolerate old or out-of-date equipment. They generally aren't motivated by money (although the realities of modern life sometimes impinge). They can be high maintenance. Primarily, they like a challenge and they like working with other people who think the same way.
So, to attract such individuals into cyber-security roles requires a recognition that they think differently, that they are motivated differently and that they need to be managed differently. This needs to be communicated and organisations need to deliver on their promises to manage them differently.
If we succeed in communicating these facets of a cyber-role, then creative, talented and motivated people may start to regard cyber-security as their career of choice, as something to aspire to and as something to be proud of.
Contributed by Andrew Rogoyski, VP cyber-security services, CGI UK