Cyber security skills gap a 'legacy problem'

News by Doug Drinkwater

The much-debated cyber security skills gap was the topic of debate at two separate conferences in the UK on Tuesday.

Following on from our in-depth look at the cyber security gap – and from GCHQ announcing its intention to accredit Master's degree courses in cyber security – several information security experts yesterday mulled how the situation could be rectified.

At the Westminster eForum in London, Cyber Security Challenge UK CEO Stephanie Daman pointed to EU data showing that the region will need another 500,000 IT professionals by 2015, and to a CBI study which highlighted a shortage in STEM skills. The same study indicated that 41 percent of firms believe that this gap is likely to persist for a further three years.

“There's a very large skills gap…we have lots of jobs and lots of opportunities, but we don't actually have the people to fill those jobs,” said Daman – who added that the void impacts both the UK economy and national security.

“It's a legacy problem because we haven't been teaching ICT very well in schools.”

A panel comprising Daman, (ISC)² EMEA MD John Colley, Ruth Davis (TechUK's head of programme for cyber, justice and emergency services) and Malwarebytes EMEA CEO Fernando Francisco debated the need for new skills to recover evidence, such as coding, programming and tech engineering skills, and questioned the salary gap between jobs being offered in the public and private sectors.

Colley agreed that the cyber security gap is a ‘real concern’, especially with current information security professionals continually having to keep up to date on new areas of interest, and new skills too – like digital forensics.

“Every year we have to update the common body of knowledge with all the new stuff coming in,” said Colley.

“I believe the first step to tackle is to change our perspective. First, this is a social issue, not a specialist workforce issue. We should be looking beyond the development of the cyber security workforce,” said Colley, suggesting that developing the right skills would have a wider impact on society.

“Probably most importantly, we need to enable the masses, contextualise and embed the right skills and instincts across society. We need to create, develop and innovate with security in mind,” he added.

“We need to target the root cause. Ask yourself if you're building skills for security or to protect vulnerabilities? It costs to include security first, but the retrofit costs a lot more and exposes you to bigger losses.”

Educators too must be supported, warned Colley.

“Educators are part of the solution…they're not part of the problem. They need policy, they need guidance and access to resources - but that doesn't mean telling them what to do. They are the experts and we should support them in that.”

“Overall, a lot is being done and it's encouraging to see that – we now need policy to step back and review perspective.”

Malwarebytes' Francisco warned that SMEs are most likely to be hit by the shortage of skills, as they're not ‘exposed to the trends’ and because their budgets are much smaller. “They're not able to attract experts to come and secure their premises.”

He said that industry must help these SMEs: “To do that, we need to engage SMEs through workshops, invite them in face-to-face meetings and training programmes – whatever we can do to show best practice, and how to protect networks.”

To help companies, he urged that standards be flexible rather than watertight in the face of cyber threats that ‘evolve every day’, and said that a fresh approach is needed on attracting the right personnel.

“To attract the best skills, we need to understand that the top researchers are a different breed,” he said, adding that Malwarebytes “doesn't even know the name” of one of its top researchers. “If you want to attract these type of researchers you need to accept they work on their own terms.”

Skills gap - better or worse?

At a separate event later in the day at the University of Surrey in Guildford, two senior lecturers briefly debated whether the cyber security skills gap is getting better or worse.

Following on from a GCHQ presentation which indicated that the deadline to accredit MSc cyber security courses was on 20 June, Professor David Chadwick, the head of information systems security at the University of Kent, said that the number of MSc applicants at his establishment has increased ‘significantly’, despite an earlier eSkills study showing that a gap remains.

“At the University of Kent our numbers have increased significantly,” he said, noting – surprisingly – that numbers soared after degree costs went up to £9,000 per year. “We put that down to, rightly or wrongly, when school leavers decide what degree they're going to apply for, they think where they can get their £9,000 back,” he said – a nod to the attractive salaries in the space.

“Computer science becomes more prominent than it was before,” said Chadwick.

Alan Woodward, a visiting professor at the department of computing at the University of Surrey, suggested though that the results were ‘patchy’ from what he could see with his work at the university and at eSkills. “It's lifting, but it's certainly not closing the gap. In cyber security, that's the biggest gap of all.”
