The information security world is facing a skills shortage. We know that because it's been widely reported, and because numerous studies tell us that the rise in the numbers of jobs is not being met by the number of people adept at filling those roles.
(ISC)2's 2013 Global Information Security Workforce Study revealed an “acute gap” between the supply and demand of qualified cyber-security professionals. It stated that there would be 3.2 million information security professionals employed in 2013, and that this demand is growing at a compound annual growth rate (CAGR) of 11.3 percent through 2017. Some 56 percent of IT decision makers said that they had 'too few' information security workers.
A separate study, from the US Bureau of Labor Statistics, showed that demand for graduate-level information security workers is to rise by 37 percent in the next decade – twice the predicted rate.
It came as no surprise, then, when the BBC recently reported that cyber security jobs are on the rise, while noting some encouragement in the fact that interest appears to be filtering in from university courses.
There is certainly no shortage of these types of courses. Unistats.direct.gov lists 98 university courses as having a cyber security element, and this figure seems to be backed up by Professor Fred Piper, of the information security group at Royal Holloway, University of London, who recently told SC Magazine UK: “There are now 40 to 50 MSc degrees that could claim to be cyber security, and as many as that partially cover the topic.”
Despite this, it would seem that this demand isn't being met by the appropriate personnel. HESA has previously reported that IT graduates find it notoriously difficult to find employment within six months, while data from Google Trends seems to suggest that more people are searching for jobs (and perhaps these are already in the industry) than searching for the relevant courses. A twin-axis search for ‘cyber security jobs’ and ‘cyber security training’ reveals growing interest in the former, although both are forecast to increase significantly through to 2015.
There is subsequently a knock-on effect in business. Sean Smyth, director at CyberSecurityJobsite, reveals to us that while 50 percent of his firm's 60+ job advertisers are now looking for cyber security skills, only a third of applicants currently meet this requirement.
Part of this problem, seemingly, is down to courses which are too steeped in academia and not in keeping with the true demands of the cyber security field.
Smyth told SCMagazineUK.com that the right practical skills aren't being taught, such as configuring and reconfiguring systems, trying out exploits, compromising the security of boxes and hardening defences.
“The courses aren't right…they're great but not quite who the employer is looking for,” said Smyth, who notes that most of his company's advertisers are in the defence sector (including GCHQ). He adds that too many graduates have learnt reactive skills and not the stuff that “comes up in real life” (although some professors say that these are often taught on industry placements).
Mark Harris, assistant professor at the University of Southern Carolina, seems to agree and told the BBC that while a surge of student interest in cyber-security courses is apparent, the courses themselves are in danger of being left behind.
"Textbooks on the subject are out of date before they're published," he said at the time.
Such concern comes at a time when the UK government is making strides with numerous cyber security initiatives to improve awareness and interest. In recent times, it has participated actively in the Cyber Security Challenge, introduced the Cyber Streetwise Initiative, and launched the Cyber Security Information Sharing Partnership (CSISP) and CERT-UK. This is perhaps unsurprising given cyber-crime costs the UK economy £27 billion a year with businesses shouldering £21 billion of these losses.
The government is also looking for cyber security to become “integral to education at all ages”. It is announcing this month that there will be lessons from the age of 11 as well as plans for cyber security apprenticeships. Furthermore, it's planning for e-Skills UK to roll out the Secure Futures school campaign in London, Greater Manchester and Sussex this year. There's some hope that this can improve take-up of cyber security courses at graduate level - and lower down the chain - of STEM (science, engineering, technology and maths) subjects in schools.
Alan Woodward, industry veteran and now Visiting Professor at the department of computing at the University of Surrey, is encouraged by the government action and says that the “vast majority” of graduates at his university are in employment within six months. However, he worries whether the right people are being enticed into cyber security, with computer scientists, in particular, having an array of career options.
“We're trying to work out what the ‘missile gap’ is but don't know where we are at the moment,” he told SCMagazineUK.com. He notes a study from eSkills, which states that just over half of workers are IT graduates, the majority are over 35 years of age and 85 percent are men. “The demographics are not encouraging.”
“We're not training people from the outset to be security people,” he added.
Interestingly, both Woodward and John Colley, managing director of (ISC)2 EMEA, are keen to stress that the ideal cyber security professional doesn't necessarily have to have deep technology attributes. Instead, both men cite project management, and an ability to communicate – something Woodward touches upon as ‘softer skills’ – as essential to a cyber security expert. Woodward adds that young women are ‘often better’ at softer skills than young men, and said that it's important in an age when 80 percent of attacks stem from social engineering.
“What we need in cyber security is not necessarily deep technology skills, but puzzle solvers who can take something apart,” says Woodward.
Stephanie Daman, chief executive of the Cyber Security Challenge UK, recently said that there are people out there with the right skills, it's just a case of finding them.
“We know they have the right sorts of skills, but none of them are currently in the cyber-security profession.”
Woodward admits that potential undergraduates can be put off cyber-security courses by thinking they will be heavily reliant on programming, maths, science – or even worried by the never-ending flurry of provocative headlines. But he says that educating these people on the difference they can make is key.
He says that he often demonstrates basic operations, like the data being recorded from a smartphone (such as geolocation tracking), or beacons from a public WiFi network, to get people engaged with cyber-security, and the risks that people face on a daily basis.
“People want to get into careers where they realise that they are doing something that has some meaning, a daily impact that affects everybody, like a doctor or in the military. But there's a long way to go.”
John Colley told SCMagazineUK.com that the cyber security skills boom has been coming for “seven to eight years” and admits the key question is “where do the people come from?”
He notes there being two issues on education – getting the right people through the door in the first place, but also ensuring that employed staff keep up with technological changes like social networking, mobile, BYOD and the cloud (indeed, a study from ESG from RSA 2014 suggests that infosec professionals are falling behind in this regard).
That aside, he and (ISC)2 – which has just partnered with the University of Phoenix to offer nine full-tuition scholarships on cyber security – have been talking with the Council Professors Heads of Computers – lecturers and other leaders at many of the leading universities – and he believes that there is an issue on how many computer science courses have a security element.
“Most computer courses have very little security [focus] in them, so graduates have no security skills whatsoever.”
He agrees that there are too many avenues for computer science graduates to go down – something Woodward refers to as cyber needing to “wave its hands” at prospective employees – and raises other issues that need addressing.
"There are three things that need doing. We need to educate that the information security profession can be rewarding, plus very well paid. We need to raise awareness.
"The second thing is to turn out cyber graduates who have core security skills, so that they're more marketable. The third thing, as an industry, is that we have to take a risk and give [graduates] the opportunity to work and develop the right skills.”
Ways to improve
1) Continued initiatives to teach young children about online risks. Teach them the risks, and the importance of cyber security, while gently opening their eyes to future career opportunities.
2) Debunk the myths around cyber-related courses – they are not scary, nor reliant solely on maths and programming skills. All types of skills are needed, whether you're young or old, male or female.
3) MSc courses need to have a greater security focus, which will have a two-fold effect. It will make potential employees aware of the career path but also of the risks should they venture into 'other careers', such as application development.
4) Better target those with computer science degrees – commentators here admit that there's a lot to choose from and that cyber security needs to be a viable route for employment.