The cyber-security skills gap is growing. According to the (ISC)2 Global Information Security Workforce Study, there will be a shortfall of 1.8 million cyber-security workers by 2022.
The issue is compounded by the fact that cyber-attacks are becoming more diverse, complex and sophisticated. As the WannaCry cryptoworm that hit the NHS last year demonstrated, cyber-warfare has largely replaced physical attacks - and businesses, governments and critical infrastructure are increasingly vulnerable.
Set against this backdrop, the sheer scale of the skills issue is overwhelming for both cyber-security professionals and the organisations that employ them. On the one hand, there is a desperate need for a greater volume of security workers. Currently, there are not enough university courses leading to a job in security, or indeed, enough young people taking the required STEM subjects in school.
At the same time, cyber-security is no longer just a technical subject: the sector needs a bigger range of skills than ever before. While talented programmers are still required, there is also a need for people with soft skills, such as those who work on strategy, communication and project management, as well as board-level risk management.
Of course, the issue has not gone unnoticed. There is already a range of government and industry programmes aimed at resolving the crisis, including the Cyber Security Challenge.
According to Bob Nowill, chair of the board at The Cyber Security Challenge UK, the Challenge aims to fill the talent shortage by finding people who might not otherwise have had the opportunity to enter the industry. He explains: “We don't look at people who are already pen testers or cyber-warriors. We encourage those who aspire to that, or who haven't thought about it in the first place.”
Supply and demand
Experts agree that programmes such as these are already making a difference within the areas in which they operate. But overall, there is a supply and demand issue, and the wide range of skills needed is not being filled.
“Demand is greater than ever, and supply hasn't grown to anticipate that,” Andrew Rogoyski, head of cyber security at CGI, explains. “Cyber-security used to require people good at network management and information assurance. But a much broader set of skills is needed today – such as investigators, analysts, and also criminologists and behavioural psychologists to understand what motivates attackers.”
Making things worse, as cyber-crime becomes an increasingly attractive business model, the number of adversaries is growing rapidly. As Lance Spitzner, director, SANS Security Awareness, says: “The number of bad guys grows at an exponential rate: We add 10 good guys and 100 bad ones pop up.”
Yet the cyber-security sector is a “great industry”, so attracting talent should not be problematic, says Jane Frankland, CISO advisor, speaker and author. She points out: “It's forward-thinking, dynamic and well paid.”
However, she says, companies are often looking for the “perfect” employee, including a long list of accreditations, even when advertising entry level jobs. “We have said what we need, but we are not practising what we preach. We say, ‘you need this accreditation' and expect everything to be perfect rather than saying, ‘this would be the case ideally' and developing the person.”
Dr Adrian Davis, director of cybersecurity advocacy for EMEA for (ISC)2, agrees, saying: “We don't have enough entry level jobs. When a security analyst leaves the organisation after five years, the boss wants the same person again, and they forget they spent time training them to become this. Every time we write a job description we want everything – we end up recruiting senior people into middling positions and they leave.”
In the past, businesses have coped with the talent shortage to some extent by automating security. Some therefore think that technology such as artificial intelligence (AI) and machine learning can help.
But experts point out that, perversely, this could create the need for even more diverse roles. Davis says: “If we bring in machine learning and AI we will see a requirement for people who can translate cyber-security knowledge into the programmes that power automation. This will suck more people out of the pool we already have, and the skills shortage will get worse.”
It is clear the gap is widening, but are there any stand-out skills missing from the sector? Many who spoke to SC Media UK pointed out that soft skills are lacking, including the ability to adjust to a constantly changing cyber-security landscape.
Naina Bhattacharya, associate director, Cyber Security and Privacy at Deloitte, says: “Today's cyber-security professionals must be able to work in ambiguous situations where things aren't clear cut and make sense of that chaos.”
Another issue to take into account is the added complexity for businesses created by the requirement to keep personal customer and employee data secure under the incoming General Data Protection Regulation (GDPR). It has led to the need for the so-called data protection officer (DPO), who must be in place by May 2018.
It is not strictly a security job – given that the GDPR states that the DPO cannot be conflicted by having the dual role of governing data protection while also defining how it is managed – but it will be a difficult skill for businesses to recruit.
“The person has to be an ‘expert' in data protection law; they need to know your business,” according to Tim Hickman, a data protection lawyer at global law firm White & Case. “But there are not enough people who are experts and also know the business well enough that they can talk to the regulator about the company's approach.”
More broadly across the security sector, although there is a need for non-technical expertise, there is a lack of proficiency in programming, says Dr Alexandra Mendes, a computer science and BSc cyber-security and networks lecturer at Teesside University.
But at the same time, Dr Mendes thinks more young people are becoming interested in cyber-security. For example, she says, the number of students taking Teesside University's BSc in Cybersecurity and Networks more than doubled this academic year. “Our course is broad in content, allowing students to specialise in specific security topics,” she explains.
Meanwhile, a particularly aggressive approach to solving the skills shortage is being implemented in Scotland. In 2006, Abertay University in Scotland was the first in the world to create a degree using the word “hacking”. Fast-forward to 2018 and almost every Scottish university offers at least one cyber-security degree, says Dr Martin Beaton, cyber-security cluster co-ordinator for Scotland, ScotlandIS.
Meanwhile, he says, in 2017 the University of Edinburgh was the first Scottish university to be accepted on an exclusive GCHQ accreditation scheme for cyber-security.
Filling the gap
Yet finding the right people through education can be challenging, because the relevant skills are not always academic, says Piers Wilson, director at the IISP. “Penetration testers look at how an attacker might get into a system. It's hard to train, but the people who've got this ability are real geniuses. This type of person would usually suit an apprenticeship, rather than the traditional academic route.”
Holly Foxcroft, STEM apprenticeship account executive, Highbury College Portsmouth and neurodiversity consultant, agrees. She does not think the industry is currently supporting the route into cyber-security. “We have plenty of training companies offering courses to teach transferable skills. However, as a school leaver, the next educational move is college.”
It is with this in mind that Foxcroft's college, Highbury College Portsmouth, is working together with the Collab Group and others to tailor further education courses to help students progress on to a cyber-security apprenticeship, or university.
Foxcroft is an advocate of “inclusion” - a word used multiple times by those interviewed by SC Media UK. The drive towards inclusion covers initiatives to encourage women into the sector, but another area of focus is neurodiversity. In other words, how do we open up the industry to those on the autistic spectrum, who are often very talented coders and programmers?
In fact, says Foxcroft, those on the spectrum can harvest the skills needed in cyber, because they often have an investigative nature and inquisitive mind-set. She says, therefore, that the apprenticeship at Highbury College Portsmouth is supportive of “learning styles” and, as part of this, neurodiversity.
Indeed, offering a wide range of learning styles can help to harness the skills of many talented young people who might not otherwise have entered the world of cyber-security. For example, Dr Nowill is working on a programme called ‘intervention' aimed at guiding talented teenagers away from criminality and towards the defence side of cyber-security.
“Teenagers often go too far in cyber, and they can get in trouble. When they get to the stage where they have been issued a ‘cease and desist' notice from the police, we get their parents and guardians in the room and show them the way forward.”
So plenty of work is being done, but experts agree a high level of investment is needed to even put a dent in the growing shortage. It's a long game, and it will take time to see results.