The SASIG Skills Festival, which has just been put back to 13th May because of the period of mourning for the Duke of Edinburgh, will be the largest Cybersecurity Skills event before the new Cyber Security Council becomes fully operational and creates a web of partnerships with training providers, recruitment agencies and employers groups.
I am due to help introduce a round table at 11.00 a.m. titled “Where can we find and attract new talent?”. I plan to leave it to the other speakers to answer the question. My aim is to set the scene, including why you need to listen carefully to what they have to say.
I have been involved, off and on, with studies and programmes to address the digital shortages of the day since the mid-1970s. There has never been a shortage of talent, only of employers willing and able to do work with and through competent education and training providers to identify and harness the talent available. There have been sporadic short-term exercises at times of crisis (e.g. in the early 1980s or during the run-up to Y2K). None was sustained for long enough to achieve lasting change.
I therefore brought over forty years of hindsight and prejudice, alias experience, to help interpret the three DCMS reports published during the run up to the launch of the Cyber Security Council:
In a previous blog I summarised the report on the Cyber Security Supply Sector. I had planned to add relevant material from the other two reports into the blog on the current state of cybersecurity policing structures and skills partnership which I update regularly with new material. But I ran out of time after adding material on how to check the accreditations of training providers and qualifications of individuals or reporting, plus the latest guidance with regard to child safety.
Instead I have produced a quick digest, below, of the implications of the DCMS reports for those looking for talent to meet their own needs.
This focuses on the answers to five questions:
- What is the current recruitment pool?
- What skills does it have?
- What is the shortfall? – qualitative (technical and/or soft skills) and quantitative (numbers)
- What is the current throughput? – via which pipelines
- Where and how should YOU look for the skills YOU need?
For those who wish to read the conclusions first I will give five “teasers” to the “answers”?
- Most “professionals” work for a small number of large security providers and agencies whose needs are different to most of YOU.
- Many, even graduate/certificated “professionals”, are largely self-taught with regard to most of the skills in current demand.
- There are many different shortfalls but the biggest is for graduates with 3 – 5 years experience. They do not exist in the numbers sought.
- Whichever talent pipeline you look at, the throughput is currently about half that needed. Most, but not all, could be rapidly expanded.
- Trawl your users and their children, in partnership with trusted local training providers and your regional Cyber Resilience Centre.
The Current Labour Market
The cybersecurity recruitment pool covers five main groups (although the reports group them into three):
- 46,700 in “core roles” (professional/technical with a cyber-security job title such as “penetration tester”) with Cyber Security Suppliers
- 11,800 in “core roles” in the public sector (GCHQ, MoD Civilians and rest of Central/Local Govt, NHS etc.)
- 39,500 in “core roles” with (usually large) private sector users, e.g. banks, defence, aerospace, retail etc.
- 8,700 in “cyber-enabled roles” (requiring recognised skills, e.g. network engineer”) the public sector.
- 64,300 in the private sector in cyber enabled roles.
The report on cybersecurity skills in the UK labour market includes much larger numbers but these refer to those “responsible” for cyber in the 1.4 million SMEs with less than ten employees and no full-time in-house digital staff. Most have had little or no cyber- security training.
The employment of full time cyber professionals/technicians is concentrated in a relatively small number of large employers. 40% are employed by GHCQ, MoD and those cybersecurity product and service suppliers (about 150) with teams large enough for in-house training programmes to be realistic. Around 20 large telco, defence, consulting, product, service and/or outsourcing operations employ nearly 30% of the total. Half of that total has been recruited from a previous role in cyber security. About one in five is a career starter. Half, however, work in organisations too small to employ and supervise more than a couple of trainees.
Diversity is fashionable. 32% of cyber sector firms say they have made changes to recruit more women, 25% for ethnic diversity, 19% for physical disability and 15% for neurodiversity. But only 16% of current employees are women, 17% from ethnic minorities, 9% disabled and 10% neurodivergent. This compares to 48%, 12%, 14% and unknown (for neuro divergency) for the UK workforce as a whole. The cyber workforce appears to be more ethnically diverse than the workforce as a whole but almost all are from cultures which have valued mathematics and cryptography for a millennium longer than the West. Few of them are in senior positions.
The reports comment on the value of neurodiverse talent but there is little mention of the need to ensure individuals have mangers who understand their ongoing needs. including for access to pastoral and clinical care. Hence the value of outsourcing to virtual CISO services, like those provided by the skills incubators organised by the Cyberhub Trust or IASME, which provide the support and structure needed by the unrecognised Alan Turings of today.
Outside the cyber sector, 45% of all organisations with anyone responsible for cybersecurity have only a single individual. The situation is, of course, worst for those with fewer than ten staff but 29% of organisations with 10 – 49 staff have only one. 23% of those with 50 – 249 staff have only one. 11% of those with more than 250 staff have only a one. And 84% of the total are not full time on their cybersecurity -related roles. Most had cyber added to existing roles, with no formal training. 8% were recruited internally from a non-cyber role into a cyber-specific role. 2% were recruited from a previous cyber security role in another organisation. 1% are graduate trainees or apprentices.
What skills does the workforce have?
Most of the analyses are of the core skills needs of the cyber security supply sector, as opposed to those of users, large or small.
33% of staff with Cyber security suppliers had a general computer science/ IT degree, 27% a specialist degree in cyber security, 11% had qualified via a cyber or other apprenticeship role. 51% had some form of technical accreditation, including CISSP (38%), CISM (14%), CREST (12%), Certified Ethical Hacker (12%). (11%) and/or one of over 30 other cyber qualifications. 65% of employers in the cyber security sector thought they knew their training needs very well.
The pattern outside suppliers may, however, be very different. In the 7,900 (ISC)² members of its UK chapters have CISSP (out of 148,000 members world-wide). But, globally, over 500,000 individuals have Comptia Security + . This was not mentioned in the survey of cyber security sector employers but appears to be the most qualification among those supporting SMEs, whether direct or along supply chains.
Analysis of the recruitment market (via Burning Glass) indicates 8,000 postings per month for non-core roles, compared to only 3,000 per month for core professional and technical roles. How far this reflects numbers needed, recruitment channels or difficulty in recruitment is unclear.
Where is the shortfall?
47% of cybersecurity suppliers reported technical skills gaps including:
- Incident management, investigation and digital forensics 41%
- Assurance, audits, compliance and testing 37%
- Cyber security research 36%
- Threat assessments and information risk management 32%
- Cybersecurity governance and management 31%
- Implementing Secure Systems 22%
- Operational security management 21%
- Business resilience 19%
Only 31% reported soft skills gaps but the shortage (63%) was “senior staff” (3 – 5 years experience), not apprenticeships or junior staff. The shortage of those for whom more than five years experience was wanted was also very much less.
Technical skills were of less concern to users. They were more concerned with gaps in soft skills, such as:
- Carrying out a cyber security risk assessment 45%
- Developing cyber security policies 43%
- Preparing training materials or sessions 42% (this rose to 57% among those in education and training and appears to reflect a wider shortage of competent trainers)
- Writing or contributing to a business continuity plan 39%
- Carrying out a data protection impact assessment 39%
- Communicating cyber security risks to directors, trustees or senior management 25%
The gaps in numbers
The overall growth in demand (across all sectors) is estimated to have risen at 14% p.a. since 2016 before falling to 9% in 2020 with the impact of Covid. This implies a growth of 12,000 p.a. to meet expected demand – unless this is impacted by factors such as automation and labour costs.
There is an estimated attrition (retirement and/or movement to other roles) of approximately 4% p.a.. This gives an estimated outflow of 5,500.
This indicates a need for 17,500 new entrants p.a. to meet growth expectations. Meanwhile analyses based largely on Burning Glass data indicate a current shortfall of over 33,000 online job vacancies and (ISC)2 estimates a UK workforce gap of c. 27,400.
The current throughput, numbers and sources
.Currently there are c. 7,500 new entrants p.a.,
- 2,000 cybersecurity graduates (undergrad and masters) from a current throughput of 3,360 from 83 institutions.
- 2,000 computer science graduates from current throughput of 30,886 from 128 institutions.
- 2,500 from current career conversion, re-training, or other routes:
- Students with relevant A Level/NVQ qualifications moving into further or higher courses.
- Retraining from other occupations, such as law enforcement
- Veterans, e.g. via the Career Transition Partnership (total throughput 8,000 out of 15,000 leaving the armed forces each year), SaluteMyJob etc.
- MoD staff and military personnel via the Defence Academy Cyber Foundation Pathway
- Transfers from other IT professional roles
- Alternative talent pools: neurodiverse groups, returners and rehabilitated offenders.
- 1,000 cyber-security apprenticeships (currently 600 but doubling year on year).
Overall there is a shortfall of 10,000 p.a. additional to those needed to address the current perceived shortage.
The DCMS reports contain detailed analyses covering roles, career pathways, HE and FE courses and apprenticeship programmes and throughput (including by University and standard) , sources, demography (including age, gender and ethnicity) and destinations of students and salaries.
- 41% of cyber sector employers have staff with computer science degrees, 35% with cyber security degrees and 13% with cyber security apprenticeships.
- Half have tried to recruit externally for cyber roles in the past two years. Half of these used recruitment agencies (half specialist, half generalist), a third used social networks (such as Linked In), a third used word of mouth.
- 10% had University Partnerships and/or Graduate Schemes. Only 5% had school or college partnerships.
- Only 4% reported problems recruiting apprentices, 22% had problems recruiting entry level graduates and junior staff, 63 % had problems recruiting senior staff (3 – 5 years experience), 33% principal level staff (6 – 9 years) and 13% Director Level (10years or more).
- Meanwhile 85% of those for whom cyber was one role among several came from another part of the business.
The peak demand is for Graduates with 3-5 years experience and specific professional/technical certifications
58% of job postings for core roles and 51% for cyber-enabled ask for 3 – 5 years experience. Only 16% of those for core roles and 10% of those for cyber-enabled roles ask for more experience.
90% of ads for core roles and 78% of those for cyber enabled roles ask for graduates or post graduates.
Analysis of UK Job adverts for “core roles” indicates demand for specific qualifications ranging from 36% for CISSP, 23% CCNP, 22% CCNA, 19% CISP, 8% CISA, to 2% for GCIA and only 1% for CompTIA Security + .
The reports do not mention global data ranking demand for digital qualifications (including non-cyber, like ITIL). This indicates a very different ranking: CCNA, CISA, CCNP, CISM and Comptia Security + .
The difference probably reflects that between the needs of cybersecurity suppliers with teams of “core” professionals/technicians (as covered by the surveys and analyses quoted) and the needs of users whose “cyber enabled” staff have multiple roles. The needs of the latter are not reported.
Is the 3 – 5 year shortfall causes by low salaries for graduates?
Cyber Security has a premium of 29% over IT salaries as a whole in job adverts (Page 66 Cyber Security Skills in the UK labour market 2021). Meanwhile, according the HESA University Graduate Outcome data (table on page 39 of Understanding the Cyber Recruitment Pool) cyber security graduates are paid less than computer science graduates. This may explain why more cybersecurity and computer science graduates do not do not embark on cybersecurity careers – and have to be attracted in by premium salaries later on.
There were differences of opinion among those interviewed regarding the shortage (quantity and quality) of talent available and of the specific skills needed but consensus regarding the low level of technical skills compared to demand, particularly with regard to penetration testers and firewall engineers.
The most common title in job adverts is “Security Engineer 34%, compared to 3% for trainee/apprentice or 2% for penetration tester.
Recommended short term actions included more internal on the job training by employers of those with complementary IT skills. Longer term more bespoke FE courses and apprenticeships are required.
The other reported barriers to entry included poor awareness of career opportunities and unsuitable recruitment methods. There was no reference to salary or other terms and conditions.
It was said that government action to increase education and information on cyber security in schools could help and there was positive comment on Cyberfirst , including for its materials targeted at specific audiences. I personally like “Laura’s Story” which I found via the Cyberhub Trust website .
Geographic and Sector Differences
Analyses of job postings for core skills indicate that the London hot spot may be cooling while that North West, M4 Corridor and West Midlands hot spots are consistent and/or growing.
Local hot spots include Reading, Basingstoke, Cheltenham, Bristol, Leeds, Edinburgh, Leamington Spa, Barrow-in-Furness, Belfast and Bath. IT and Cyber businesses account for 23.5% of adverts, consultancy for 17.7% and Finance for 13.8%. Retail is only 3.4% and Manufacturing 1.3%
And what about outsourcing?
Around half of small (54%), medium (58%) and large businesses (51%) plus 57% of the public sector outsource at least part of their cybersecurity. This rises to 2/3 in finance and insurance. The failure of micro businesses to do so is almost certainly because they cannot find affordable and trustworthy providers. Hence the importance of the Cyber Resilience Centre plans to address this problem.
Obvious actions for those looking for talent include:
- Review the salaries you offer to Cybersecurity and Computer Science Graduates – unless your policy is to pay more for those implementing security by design. If you are worried about losing those you train, consider using training/apprenticeship contracts.
- Trawl for talent among those who understand the business: whether your own users or those of your customers. There is anecdotal evidence that cyber sector suppliers are increasingly doing this.
- Use the talent pipeline partnerships being hosted by the Cyber Resilience Centres to upgrade existing staff, “try before you buy” those on local training programmes, and secure your SME supply and distribution chains.
- Use the work experience components of schools, university and college programmes and integrated programmes like the cyberhubs to “try before you buy” with regard to your own recruitment and organise affordable virtual CISO support.
P.S. The ten recommendations at the end of the report Understanding the Cyber Recruitment Pool are excellent and I will comment on them elsewhere, but time is NOT on YOUR side. Above is a cut down version for YOU, this spring.