The UK government recently announced plans to conduct its second audit into the state of the country’s cyber security workforce. Ipsos MORI will carry out the survey of private businesses, public sector organisations and charities which will focus on issues around the employment and training of cyber security professionals.
The audit looks to build on the findings of its first report, published last year, which revealed that more than half of all UK businesses had a “basic technical cyber security skills gap”. 51 per cent, for example, admitted they weren’t confident in carrying out a cyber security risk assessment, while 47 per cent lacked confidence in developing security policies.
The capacity for more high-level technical tasks was even more problematic, with around three in five businesses unconfident in their ability to conduct penetration testing or perform forensic analysis of their own data. The previous audit also found that just under half of all businesses felt they were insufficiently skilled to deal with a cybersecurity breach or attack.
This is particularly worrying when you consider the risks that they face. One report found that UK businesses faced an average of around 146,000 attempted attacks between April and June this year – one every 50 seconds.
The hope is that this year’s audit will find an improved situation. Otherwise, the way in which businesses recruit and train cybersecurity professionals is in urgent need of change.
Counter-productive recruitment processes
According to last year’s audit, 46 per cent of businesses write the term “cyber security” into IT job descriptions. This may prove limiting to the performance of these employees, however, and could even jeopardise an organisation’s security. After all, just as there’s no one single type of cyber-attack, there is no one single type of cyber security professional. An expert in digital forensics, for example, may not be so knowledgeable when it comes to web or application security.
Indeed, a tendency toward generalisation may be contributing to the current skills gap. While it’s encouraging that almost a third of businesses have tried to recruit for cyber security roles over the last three years, deeply embedded legacy processes often drive the requirement for a more culturally astute solution.
It’s of course perfectly natural for HR teams to be involved in the hiring of cyber talent. But an absence of specialist technical knowledge can mean that, when filtering candidates, they can be overdependent on formal accreditation and certifications. However, although these certificates are undeniably worthwhile, they don’t necessarily mean a candidate is the right person for the job. They can neglect a lot of soft skills, for one thing, such as the ability to communicate risks to the rest of a business in a way that non-technical employees can understand. By perceiving threats purely as technical issues, some candidates may be unable to see them in a wider business context, making it hard for them to fulfil their primary purpose. In some cases, such a language gap could impact the safety of an organisation.
Given its importance, hiring a cyber security professional shouldn’t be a box-ticking exercise. There are many talented candidates on the market who don’t have the time or resources needed for certifications, and often the certifications themselves are not fit for purpose to keep up with the evolving threat landscape. One potential solution – although accompanied with its own challenges – is to work with experienced security experts to identify these individuals and train them up as appropriate.
Alternate education paths
On a governmental level, there is increasing scrutiny of our education system and its ability to support those who choose alternate career paths. According to Paul Johnson, Director of the Institute for Fiscal Studies, less trodden yet in-demand new career paths are seriously underfunded. The cyber industry is one of the greatest exponents of this lack of funding. It is growing in both demand and complexity, yet even university courses related to it receive less funding when compared to their traditional counterparts. It would come as no surprise to find that non-traditional educational paths receive even less government attention.
This hole in state funding is made worse by the realisation that government spending per higher education student has fallen since 2010, and it is no higher today than it was a quarter of a century ago.
Creativity and self-learning
The lack of educational investment is driving companies to upskill their workforces in other ways. This means training staff on the job or finding alternative routes to upskill their teams. Many training courses tend to be largely classroom based. They offer a tried-and-tested approach, but the prescriptive style of teaching employed doesn’t provide the hands-on rigour required to test and push high-performing cyber security professionals.
Moreover, the inquisitive nature of the industry and the ‘hacking’ ethos associated with it has provoked a move to more on-the-job training. In this instance, professionals are able to see first-hand how destructive many threats can be and pick them apart to find out exactly how they operate. This approach also involves a crucial element that a traditional classroom lacks: creativity.
A crucial requirement
The government publishes the results of its latest audit in December, and it is expected to propose further solutions to narrowing the skills gap. It can’t come soon enough for many, given the alarming rate at which cyber-attacks are occurring. The number of businesses reporting cyber incidents rose from 45 per cent in 2018 to 61 per cent in 2019. There is a clear requirement to address the gap in educational funding, as well as the change in cultural mindset required to protect UK businesses. If the government wishes to deliver on its promise to remain one of the world’s most agile economies, the time to redress the balance is now.
James Hadley is a former GCHQ trainer and the chief executive and founder of cyber skills development platform, Immersive Labs