Speaking at a Digital Skills Committee meeting in the House of Lords on Tuesday, prominent speakers from IBM, the Cyber Security Challenge and The Institution of Engineering and Technology discussed how the skills gap can be filled, and specifically looked at what the education sector is doing to address the shortage - which, according to training body ISC(2), will see a void of some two million security professionals by 2017.
After a short introduction by Baroness Morgan of Huyton, Nick Coleman, global head of cyber intelligence at IBM Service and an honorary professor at Lancaster University, highlighted that cyber-crime continues to grow at a rapid rate.
“I think that it's a challenge for all of us. If you look at the [cyber-security] landscape the last few years you've seen more sophisticated targeted attacks with a different number of motives and from a variety of sources.
“What we've seen is really an increase in digital [use] and an increase in attacks.” Coleman - formerly of the UK government – added that IBM's own research reveals that medium and large-sized organisations faced 91 million security incidents last year.
Stephanie Daman, the CEO of the Cyber Security Challenge, added that the cyber threat can be applied to every individual - and even felt by the UK economy.
“If you look at our lifestyle these days everything we do is based on something connected to the internet,” she said citing internet, banking, shopping and tax. “Everything has an internet layer.”
“At moment, in my view, we don't have sufficiently number of skilled people to do that protection piece. There aren't enough people with those skills. The money is there, the careers are there, and on face of it should be popular choice. But there's a [skills] gap.”
Previous statistics have indicated that only 0.6 percent of recent graduates (2012-2013) are currently working in the sector.
Daman went onto add that businesses must open their eyes and consider hiring those without the traditional qualifications.
“A lot of [the competition entrants] don't have formal qualifications so often we have to do some back learning.
"But a lot of big organisations like to have formal qualifications like a degree and A-levels and if you don't have those you don't get your foot in the door.”
Schools must step up
The experts concurred that cyber-security must have a bigger emphasis in schools and university courses – although they noted the increasing number of MSC Cyber Security programmes.
Daman said: “Schools are trying but often they aren't aware of the threats that come with new technology.” She added that teachers sometimes don't know how or what to teach and there's a “huge need to rectify that”.
“There are different layers of skills and one thing that is happening is that we are beginning to teach safety at a lower level and cyber-security at a higher level…but perhaps we're missing some linkages in between.
Hugh Boyes, cyber-security lead at The Institution of Engineering and Technology (IET), said that this training should also extend to coders who are using ‘internet-type technologies' that are ‘fundamentally flawed' and often ‘poorly configured'. He said that this is particularly critical when such technology is being used in critical infrastructure like smart cities.
“One big gap is the way we teach coding, and the quality software we write,” he said to attendees.
He added that injecting core skills – like security – into university curriculum was good if slow progress, but cited external efforts from the likes of IET and BCS in accrediting the quality of coding.
Coleman, however, added that schools and universities should not be held solely responsible for a cyber-security skills gap which – according to National Audit statistics, could take 20 years to rectify.
“It's not just a challenge at school – it's a societal challenge,” he said adding that security needs to be ingrained in how we build and use products such as banking applications and smart meters.
But one concern for Daman is that – despite an assortment of competitions, courses and awareness programmes – there is ‘no obvious pathway' into the industry. She believes that those changing career might provide the best hope.
“In many ways it's the career transitional that can fill our shortage.” She said that the Cyber Security Challenge is currently working with many armed forces in this regard.
Coleman however disagreed citing the new MSc courses, and said an increasing number of business courses are implementing security as part of their modules.
Speaking after the event to SCMagazineUK.com, James Chappell, founder and CTO of cyber intelligence firm Digital Shadows, said that the cyber security skills gap is slowly eroding, but admitted that the right people are “very thin on the ground at the moment”.
He said that there are so many different specialisations in computer science that it can be 'confusing' and added that some prospects could be put off by the strong emphasis on technical skills.
“There's some confusion what the skills path looks like,” said Chappell, who also believes that there's a mid-tier missing.
“I think there's a lack of the appropriate personnel at the stage before [higher education]. There's not much happening at the BTEC level. Security Operations Centres and operational IT needs these people at this practical level.”