The cyber skills shortage gap – taming the perfect storm

There is no shortage of commentary about the widening skills gap in the cyber security sector – and the numbers make for uncomfortable reading. With each widely publicised breach, the demand for qualified cyber security professionals only increases.

The burning issue for Chief Information Security Officers (CISOs) and IT security teams must be getting the skills now. But if they can’t – how much worse will it be next year, or five years from now?

If nothing is done, all the indications are that their task will become considerably more difficult. Fast changing cyber technologies don’t come with a ready-made market of security experts – so the current and projected skills vacuum creates the perfect opportunity for the hacker to be one step ahead.

So, how can the cyber security sector better attract the talent it needs now and create a pipeline for the future?

Cyber skills shortage findings and predictions

In this case, the statistics don’t lie. These findings and predictions come from several sources and they all tell the same story.

“A perfect storm is enveloping the information security workforce with the resulting wake being a widening gap between the number of security professionals needed and the actual number available to be hired.”

The 2015 (ISC)2 Global Information Security Workforce Study

  • Cisco’s findings (2014) suggested a deficit already in place of c.1 million information security staff and managers.
  • Research by Raytheon suggests that the demand for cyber security professionals is growing 3.5 times faster than the overall IT job market and 12 times faster than the total labour market.
  • In a recent survey, the Technojobs careers site identified a 100% year on year increase in contractor opportunities in the year to December 2014, with contractor salaries up 16%.

What impact is this having on supply?

Anyone involved in information security resourcing is having to contend with a workforce that knows it is in demand. In this climate, it will cost more to retain and recruit, and mobility is commonplace. The (ISC)2 survey reported that, in 2014, nearly one in five security professionals changed their employer or employment status.

While larger enterprises have the finances to compete for the best talent, smaller organisations risk losing their cyber security specialists. What’s more, the European Union Global Data Protection Regulation (EU GDPR) is expected to come into effect in 2017 – with one of the standards being that any organisation with 250 or more employees must employ a designated trained data protection officer. In the climate of increasing skills shortages – where are they going to come from?

Any organisation planning to look to the graduate market had better be quick. There are incidents of cyber security university students being headhunted even before they have graduated from their courses.

How can the cyber security sector respond?

Before we make our suggestions, here’s a bit of a challenge to our own industry. There are certainly skills shortages – all the above research can’t be wrong. But, as proven by regular and high-profile security breaches, there’s clearly no shortage of hackers either. Is part of the problem not only the lack of availability of labour – but that perhaps securing cyberspace isn’t as appealing as breaching it?

Let’s start by looking at the cyber security sector – how appealing is it?

The (ISC)2 survey says that job satisfaction among information security professionals is as high as it has ever seen – but that’s the view from the inside. People who are in demand and well paid would tend to be satisfied. How does the sector look from the outside? From a female perspective it would look very male-dominated – it is estimated that 94% of workers in the UK and German cyber markets are men. Is this gender imbalance likely to make the sector attractive to female IT talent? No.

Surely attracting and retaining more women has to be considered, not just to address the skills shortages but because it is clearly a spectacular imbalance. Perhaps the lack of female representation in the sector goes back to career perceptions and choices made at school. After all, early awareness of career options helps to generate interest and influences syllabus choices.

What could be done to promote the cyber security sector in schools and higher education?

How many 13-16 year olds know about cyber security or that this profession exists? They are more likely to have heard of IT, but what is their perception of that? If they think it’s a very ‘techie’ world of computer screens and data crunching then they are not likely to see beyond that to the dynamic world of cyber security that we know. So, campaigns that appeal to the imagination of school children must also be a priority for the future – and the good news is that they have already started.

The Cyber Security Challenge Schools Programme has recruited over 700 Secondary School Teachers from across the UK since its launch in 2013. It’s a great initiative with cyber security lesson plans, but could the Cyber Security industry do even more to change perceptions of the sector?

For more than 20 years, The Royal Society of Chemistry has run a long standing campaign, aimed at school students aged 11 upwards. Called ‘Not all Chemists Wear White Coats’ it has very successfully challenged traditional perceptions and replaced them with the reality that chemists use their skills in all sorts of sectors.

It is in the interests of all in the cyber security sector that Government and industry work together to encourage school age students to think about IT and cyber security as a career choice and study towards that objective. Assuming this is successful and that greater awareness within schools starts to generate more demand to study cyber skills at university, what are the options?

Rather surprisingly, computer science and IT related courses are currently estimated to have less than 5% cyber skills content – so adjusting this content upwards must also be a priority. There is little point investing in awareness at schools level if higher education doesn’t deliver the required learning.

How can the typical recruitment process change to better attract cyber security talent?

We’ve looked at filling the talent pipeline for the future – but what about filling roles today?

Recruiters are often under pressure to find the right person for a vacant role. Accordingly, recruitment adverts and job descriptions can easily turn into a demanding ‘wish list’ of skills required and fail to promote the more exciting reasons for wanting to work in the sector.

The challenges of cyber security and of getting inside the mind of hackers and building systems to keep them out are, or could be, a stimulating part of the recruitment message. However, they are often neglected for a rigid set of criteria that are increasingly unlikely to be found. So, rather than ask for what everyone else is looking for, how about ‘selling’ candidates the opportunity to learn, fix problems, beat cyber crime and make a name for themselves. Isn’t that more appealing?

What other options are there?

In place of conventional candidates, are ex-hackers a viable option? In late 2014, KPMG research indicated that 53% of UK companies would consider hiring ex-hackers to assist in dealing with their cyber security issues. Some might call this tactic a drastic measure – others might consider it enlightened.

“They would not hire pickpockets to be security guards, so the fact that companies are considering former hackers as recruits clearly shows how desperate they are to stay ahead of the game.”

Serena Gonsalves-Fersch, Head of KPMG’s Cyber Security Academy

A far less radical solution is to engage specialised cyber security consultancy expertise through a 3rd party. Although not a permanent arrangement, such experts can bring a specific set of skills to meet a specific need in a cost effective way. There’s also the additional potential that some of those skills will be acquired by in-house employees.

Ascentor cares passionately about information security and the industry in which we operate. From the standard and training of our own consultants to the quality of information on our website, we aim to bring cyber security best practice to clients and the wider sector. Whether it be helping to de-risk the delivery of products and services to customers, implementing highly effective and efficient information risk management solutions or accrediting systems and processes, everything we do is focused on delivering a positive business result.

For more information:

If you have found this article of interest, the Ascentor blog regularly carries articles about cyber security and information assurance issues. You might also like to keep in touch with Ascentor by receiving our quarterly newsletter and following us on LinkedIn and Twitter.

If you’d like to discuss how our consultants could advise on any aspect of cyber security, please contact Dave James at Ascentor.

Email: [email protected]

Office: 01452 881712

Web: ascentor.co.uk

 

