With new cyber-threats emerging on an almost daily basis, cyber-attacks are quickly becoming one of the biggest concerns for businesses. This is good news for cyber-security professionals, as demand for their skills vastly outstrips supply. However, it's bad news for businesses in the UK, where more than two thirds of companies struggle to recruit the staff necessary to defend themselves. In fact, analysis from the Center for Cyber Safety and Education suggests there could be a cyber-security workforce gap of 1.8 million by 2022.
One of the roots of this is a lack of young people taking up science, technology, engineering and mathematics (STEM) skills and careers in the UK. In fact, 40 percent of UK employers report difficulties recruiting staff with the relevant STEM skills. Another issue which is plaguing businesses, is that despite increasing investments, cyber-security budgets are still not sufficient enough to acquire and retain the people with the skills they need. To make matters worse, evidence suggests that children still have difficulty with STEM subjects – in 2015 and 2016, students struggled to achieve A* and A grades in engineering and science, which saw the lowest pass rates for top grades overall.
While A-level grades marginally improved in 2017, there are still systemic issues when it comes to cyber-security. Simply put: the pipeline of potential STEM talent isn't strong enough, and there's a lack of young people entering the cyber-security profession. So how can businesses address the skills gap?
A fresh approach to talent
To harness the talent they need to mitigate current and future cyber-threats, businesses need to look at changing the way they hire talent – especially when it comes to entry level positions. They need to adapt their traditional models of recruitment in order to harness a much wider spectrum of raw talent.
Not only do businesses need to rethink their approach to recruitment, they also need to understand what skills they need. The cyber-security profession largely relies on mathematical skills, and requires analysis of defences, the ability to think laterally when penetration testing, and the mindset to evaluate risk. Businesses should think beyond those with formal qualifications: potential new recruits can develop skills such as coding, ethical hacking, and analytics outside of education.
Innovate recruitment processes
Organisations might want to look at ways to innovate the recruitment process in a bid to source the skills that they can't currently find.
Gamification is a good place to start. Just look at GCHQ's codebreaking masterclass, which enabled candidates of all ages, ethnicities and genders to show their true potential when it comes to cracking code – no degree necessary. By having a gamified entry mechanic, GCHQ levelled the playing field for all applicants, and ensured that the recruitment process was inclusive to prospective candidates from all backgrounds.
Not only did it enable GCHQ to see how well potential candidates would fare on the job, it gave them access to a larger pool of raw talent. In turn, this results in a greater diversity of skills – an essential asset for any business looking to contend with a threat landscape that evolves by the minute.
Another route to bridging the cyber-security skills gap is for businesses to offer apprenticeship schemes for young people looking to get into the industry.
A cyber-security apprenticeship scheme involves the hiring of fresh talent after having done their GCSEs or A-levels. Apprentices can work, develop new skills on the job, while learning and earning at the same time.
This way, apprentices can study for the certifications they require, with businesses also getting the exact cyber-security skills they need to protect their organisation from threats. What's more, apprentices don't have to attend university or college to do apprenticeships, often they can often do their training through online portals.
Taking on apprentices is the perfect way for businesses to nurture a robust cyber-security team that is fit for purpose and has the technical and practical know-how to fend off cyber-threats.
Government support is available
It's not just up to businesses to plug the skills gap though, the UK Government has a big role to play as well. The good news is that it knows that the lack of cyber-security skills in Britain is a long-term problem that requires long-term thinking. That's why it launched the National Cyber Security Strategy (NCSS) in 2016 – part of which incorporates a plan to make sure there is a constant supply of home-grown cyber-security talent.
What's more, we recently saw the launch of the Government's £20 million Cyber Schools Programme, which will provide up to 6,000 secondary school students training through extra-curricular clubs, activities and an online game. The Sans Institute, BT, FutureLearn and Cyber Security Challenge UK will all support the training, with the aim of helping young people learn some of the skills needed to work in cyber-security.
With such support now available, businesses need to work alongside the Government, and support its strategy. To do this, employers should look to articulate their recruitment needs clearly, innovate the way they hire, and find new ways to train and develop young people looking to enter the cyber-security profession. If companies can support the Government in this way, and carve attractive career and training pathways, the UK should be one step further to solving the skills gap that it currently faces.
Contributed by Jay Coley, senior director, security planning and strategy, Akamai Technologies
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.