Is there really a cyber-skills gap or is it just a marketing ploy to sell certs?

News by Roi Perez

As the government heavily invests in supplying enough staff into the cyber-security industry to keep everyone safe, one question remains: are we trying to solve the wrong problem?

It's a well-rehearsed idea in the cyber-security industry that there is an escalating skills shortage that will do everything from harm companies as they will lack the manpower to protect themselves from cyber-attacks, and damage the economy on a national level due to larger companies suffering at the hands of increased cyber-warfare.

It is for this reason that the Department for Culture, Media and Sport (DCMS) yesterday launched a new initiative to encourage teenagers to register their interest in taking part in a new cyber-security schools programme.

The initiative will see thousands of the best and brightest young minds given the opportunity to learn cutting-edge cyber-security skills alongside their secondary school studies through a nationwide network of extracurricular clubs, activities and a new online game, according to a release from the DCMS.

Up to £20 million has been made available to deliver the programme which will see students take a comprehensive cyber-curriculum mixing expert, instructor-led classroom and online teaching with real-world challenges, online games and hands-on work experience.

It is hoped that participants will develop some of the key skills they would need to work in the growing cyber-security industry and help defend the nation's businesses against online threats.

SANS, BT, FutureLearn and Cyber Security Challenge UK have been confirmed as partners to deliver the programme and prospective students, teachers, industry members and volunteers can now register their interest in advance of the scheme.

Nigel Harrison, acting chief executive of Cyber Security Challenge UK said in a statement: “To plug the critical cyber-security skills gap that is leaving organisations across the country vulnerable to attack, it is crucial that the younger generation is educated with the right knowledge and skill sets to fill these vacant roles.”

Despite such a voracious need to bring new talent into the cyber-security industry, many question whether the skills gap itself is to be cured through such methods of school-level education, certificates or university courses, or if the cyber-skills gap even exists in the first place.

Organisations such as ISACA, (ISC)2 and many others release regular reports and projections on the skills gap and its effects. (ISC)2, for example, recently released another of its mega-surveys – 19,000 cyber-security professionals in total took part –  and found what we already know in cyber-security: two-thirds of organisations state that they currently have too few cyber-security workers “as the region faces a projected skills gap of 350,000 workers by 2022”.

A 2015 blog post by hackerone's Ericka Chickowski claims, however: “One of the big issues I have with these kinds of 'workforce shortage' claims and projections is their fundamental lack of awareness of how economics and labour pool elasticity works. Many of these projections and statistics are based on the presumption that salaries, perks and current structures of security roles remain static.”

(ISC)2 says to combat this problem, employers should do more to embrace those new to the industry, as according to the survey results “92 percent of hiring managers admit they prioritise previous cyber-security experience when choosing candidates, and that most recruitment comes from their own professional networks.”

This raises an extremely pertinent question: is it better then to enter the industry by studying for CISSP-type qualifications from the (ISC)2 that cost thousands and require five years experience in the first place, or to gain real world experience by doing IT apprenticeships and working your way up the career ladder? Afterall, it's near impossible to ignore the fact that it's commercially beneficial for (ISC)2 to highlight the skills gap so it can sign-up more to its courses.

SC recently received an announcement from London-based business Fitzrovia IT, which said it is offering sixth form and college graduates the chance to take up a paid apprenticeship at the company starting this September.

Although only four places are available for the scheme - called The Fitz Academy - which will be available for individuals with A Level qualifications or the equivalent, the scheme will offer apprentices the chance to benefit from “first-class training” at Fitzrovia IT's central London offices whilst gaining the skills necessary to become a successful IT service provider.

Apprentices will also have the chance to undertake various recognised qualifications throughout the three years covering topics such as operating systems, disaster recovery, cloud services, coding and logic training, whilst benefiting from an annual salary, payment of travel expenses and a bonus.

Daren Oliver, managing director at Fitzrovia IT, said in a release: “We've been running apprenticeships for sixth form and college leavers across various roles for a number of years now with great success. They are an ideal opportunity for anyone seriously considering a career in IT who wants to gain the skills and experience necessary at the same time as being paid.”

Ryan Varney, who is a former apprentice at the company and now works full-time as an assistant help desk manager, said: “The Fitz Academy is the perfect opening into IT and offers the ideal stepping stone for those who are serious about forging a long-term career in the industry.”

It's important to mention that although the above quote does reflect well on Fitzrovia IT, it's highly unlikely that all apprenticeships are on a level playing field where the same levels of benefits and skills gained are the same.

However, it's clearly a valid way to go about closing the cyber-skills gap. Daren Oliver from Fitzrovia IT said that all who have gone through the Fitz Academy have gone on to be hired as full-time employees at the firm.

Similar such initiatives exist: James Hadley, chief executive of Digital Cyber Academy is looking to establish a place where students coming from any academic subject to develop practical cyber-skills for free, and be recognised as talent by employers helping plug the cyber skills gap. 

Hadley said, "We want to remove the reliance on 2:1 computer science degrees and CEH/CISSP/CISM etc and open the jobs up to those with an interest in developing skills."

The report from (ISC)2 goes on to describe “a revolving door of scarce, highly paid workers amidst a non-existent unemployment rate of just one percent in Europe.” Meaning, there's very little out there for those looking to start from the bottom, as companies require highly experienced staff.

Not only that, organisations are struggling to retain their cyber-staff, with 21 percent of the global cyber-workforce stating they have left their jobs in the past year, and facing high salary costs, with 33 percent of the workforce in Europe, in particular, making more than €95,000 / £78,000 per year.

“The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries, and high staff turnover that only increases among younger generations creates both a disincentive to invest in training and development and a conundrum for prospective employers: how to hire and retain talent in such an environment?” states the (ISC)2 report.

Adrian Davis, managing director EMEA at (ISC)2, said, “There are real structural concerns hampering the development of the job market today that must be addressed. It is particularly concerning that employers appear reluctant to invest in their workforce and are unwilling to hire less-experienced candidates. If we cannot be prepared to develop new talent, we will lose our ability to protect the economy and society.”

Davis is, by-and-large, correct. A low retention rate of staff shows the real winners in this situation will be those who invest in newbies and train them up, and then go on to employ them as they will have created a strong relationship between the employee and the company, with the employee wanting to stay as such training and skills development goes on to encourage loyalty and hard work.

Hackerone's Chickowski adds, “The shortage is not in the labour pool but in the willingness of organisations to invest in creating attractive security roles. Those that do are much more successful at recruiting the kind of unconventional problem solvers, builders and breakers who become good cyber-security professionals. Those that don't blame a nebulous market condition that's totally out of their hands.

“Creating an attractive role means not only budgeting for the type of salary that this quality of professional demands, but also building the culture that doesn't chase them away even when they're paid well.”


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews