
Plugging the security skills gap

Government is doing its bit to raise the profile of the need for more cyber security skills, but the IT industry is also picking up the baton and working hard to improve the situation.

The cyber security skills gap is getting wider and the pressure on firms and governments to protect data continues to mount. The attacks are becoming more complex and, with ransomware, GDPR and brand reputations on the line, the stakes are getting ever higher. That’s the bad news, but there is plenty being done to try and tempt more people into a security career, and the industry has taken up the challenge of increasing the number of people manning the data protection barricades.

It is not just a question of reaching out to young people and getting them interested; the industry is also looking to get other groups that have perhaps been ignored in the past to undergo training and join the ranks of skilled professionals.

That is going to take a bit of time and the pressure is being felt in the market right now as firms of all shapes and sizes struggle to get hold of qualified staff.

“Organisations now recognise the need to invest heavily in security. Yet when day rates for cyber security experts hit £1,400, the industry clearly has a massive problem regarding supply and demand. And while it is fair to say that the escalation in cyber threats has created an unprecedented need for individuals with skills, talent and experience, it is chronic under-investment in training and education that is at the heart of the skills shortage problem,” said Paul German, CEO, Certes Networks.

“The UK used to lead the world in cyber security expertise. Now, Government representatives are travelling to countries across the globe – including some that are flagged as ‘questionable’ by our security services - in the hope of attracting essential start up expertise and skills. And with the proposed National College of Cyber Security sited at Bletchley Park now not likely to open before 2019, home grown talent is simply not being developed,” he added.

German blames a number of factors for getting us into this position, including the outsourcing trend of a decade ago that saw large numbers of technical experts ‘TUPE’d’ across from public sector to private sector organisations. That meant that a history of training, education and skills development was lost and as those people leave the industry their skills have not been replaced.

The DevOps challenge

One of the biggest problems with security is that the world doesn't stand still. When it comes to DevOps there is plenty of work still to be done, according to Greg Day, VP & CSO, EMEA, Palo Alto Networks.

"There can be a communications gap within organisations that hampers the development and execution of effective systems and processes to prevent cyber-attacks. Talking to businesses, we also recently found that nearly three quarters of businesses are or plan to move to DevOps yet there is a clear gap in those that understand DevSecOps or how prevention needs to be integral to how apps are created and updated continuously," he said.

"Aside from an understanding of cybersecurity technology, businesses are looking for people with strong process, creative and investigative, analytic skills in cybersecurity. What’s become evident is that there is no obvious source for this with some coming to us with formal qualifications, while other great talent does not," he added.

"We have worked on developing challenges - such as our cyber range exercises - to test people in real world scenarios. In these we can evaluate the potential for grace under pressure and intellectual adaptability to how some attacks can change course and approach suddenly and without warning. At the same time, we have an academic program (our Cybersecurity Academy) which is designed both to help academic students gain real world experience, but also ensure we help academia ensure they have current and relevant content for students in a very dynamic space," he added.

Getting some fresh blood in to replace those outgoing experts is a challenge for the IT industry and one that is focusing plenty of minds.

“A common misconception in the cyber security world is that the only jobs available are for those with computer science degrees or coding qualifications. While those are extremely valuable positions with gaps that urgently need filling, they aren’t the only positions in need of talented individuals,” said Cath Goulding, Head of Cyber Security at Nominet.

“The trouble is, cyber security vacancies are opening up faster than the talent emerges. As schools begin to teach computer skills and coding, we risk overlooking the other key roles within the industry,” she added. “For example, we are in desperate need of auditors, policy makers and generalists in the cyber field. Key skills for a CISO include strong communication skills and an ability to translate complex cyber issues into corporate risk. It requires intelligent, educated people who are creative, and are able to apply critical thinking to solve problems. Of course, an interest in cyber security is key, but a degree in STEM - for certain positions - isn’t a prerequisite.”

The traditional education model has drawn many criticisms: courses fail to teach the skills needed, and the training on offer is largely provided by vendors, so the resulting certifications are based on a limited number of products.

“The only way organisations will be able to address the huge demand for cyber security skills will be to take control and invest. And that means shifting away from outsourcing and a reliance upon expensive contractors towards re-insourcing key services, including security: the onus is now on companies to build up their own expertise in-house,” said German.

“At the same time, the IT industry needs to step up and invest in training – true, agnostic training, not product specific, ersatz sales education. If the next generation of cyber security individuals are going to be able to make the right decisions, they need an excellent grounding in security – from compliance to standards, including GDPR, PCI and ISO 27001. It is only with that in-depth understanding of end to end security issues that individuals will be able to create a robust security infrastructure supported by the right product choices,” he added.

BT has taken an approach that is driven by providing the best skills, rather than something proprietary, and has teamed up with Royal Holloway to provide a structure to a degree apprenticeship scheme that gives the lucky individuals who get on the course a chance to come out with independent qualifications that will stand them in good stead for the future.

The company has a large dedicated cyber security practice, staffed by 2,600 experts, and in recent years has been providing degree apprenticeships with De Montfort University. For this year’s intake the firm is offering a full degree cyber apprenticeship – Cyber Security Technical Professional degree apprenticeship – partnering with Royal Holloway. Saana Makijarvi, Strategic Resourcing Lead for BT Security, said that the firm has just completed the first three-year programme, with a number of apprentices getting an education alongside working for the telco giant, and has been pleased with the results.

“Apprenticeships are hugely important,” she added. “It is about strategic resources and we want to take a lead on cyber security skills.”

The firm provides very high levels of support for those who get onto its scheme with days off for studying and blocks away at college as well as time spent gaining practical skills on the job. At the end of the process the apprentices have the skills needed not just to help BT with current issues but with the knowledge and skills to react to the changing security landscape.

BT has been one of the pioneers of the degree apprenticeship approach and Makijarvi is pleased with the results: “It is an excellent way to get more people in the industry and develop it and improve it and it is about shaping the programmes in the right way.”

The industry can expect to see a lot more degree apprenticeship schemes as they manage to provide both a robust education and the real life experience that means those skills can be applied to practical situations.

“Degree apprenticeships are an excellent way for individuals to pursue a degree, alongside their day-to-day job, for employers to develop a more skilled workforce and for those employers who pay into it, an opportunity to make use of the levy payments that have been made. In the ever-growing field of cyber security, a degree apprenticeship is an ideal means of growing capacity and resilience in the workforce, as the work based nature of apprenticeships means that the currency of the work undertaken is as up to date as it can be, more so than in a traditional full-time degree,” said Arden University’s Dr Benjamin M. Silverstone - Programme Leader (Degree Apprenticeships and Quantitative Business).

For that approach to work, there will need to be more BT-like employers keen to follow that route and provide the support and environment that will help students.

“If your employer has a payroll large enough to pay into the apprenticeship levy, then they will fund 90% of the apprenticeship programme. If your employer does not pay into the levy, then some universities have access to government funding to cover the whole amount of the programme. The most important part is finding a good degree apprenticeship provider to work with,” he added.

Regardless of what approach is taken, there is still an issue attracting the right people, and employers are having to be creative in the way they reach out to emerging talent.

“Many of the cyber security companies we speak to recognise that in order to grow, they have to use increasingly innovative recruitment strategies to identify and attract new talent,” said Simon Newman, Chief Strategy Officer at London Digital Security Centre.

“At LDSC, we have successfully established partnerships with a number of academic institutions. One aspect of this is mentoring students interested in pursuing a career in cyber security. We also involve students in delivering our 'In The Community' events where we accompany officers from the Metropolitan Police in visiting small businesses across London to help them reduce their vulnerability to cyber crime,” he added.

“In terms of apprentices, LDSC has recently used the Tech City Stars scheme. We've just placed our first apprentice in their first full-time role,” Newman pointed out.

For Ryan Weeks, CISO at Datto, the key is to engage with emerging talent that comes straight out of university at a stage when the skills are still being developed. 

“A member of my team or I will attend career fairs, speak at classes and participate in information security competitions. This allows us to provide mentoring opportunities and build networks of high potential candidates that we work to bring into our internship programme.  Many candidates see the value in working with companies that are interested in investing time to build their skills and support their future success,” he said.

“The key to a successful internship is to offer a candidate work that addresses a real-world business problem, rather than a limited, sandboxed project.  This helps them get excited about the company, their role, and the team they work with, as well as giving them a true feel for what it’s like to be in a full-time position,” he added.

Students looking to get a career in cyber security should be talking to university career services departments and heads of schools to understand what internship opportunities are available to them. They should also monitor school and Internet job boards, as such internships are frequently advertised in a similar way to full-time roles, advises Weeks.

The number of schemes is increasing and the determination to try to crack the security skills gap is clear to see out there in the industry.  80% of firms can’t find qualified staff to fill cyber security positions, according to CyberEdge’s 2018 Cyberthreat Defense Report. That is just one recent stat trying to put a number to a problem. What is clear is that there are thousands of vacancies out there and there is still lots of work to do to fill them.

Degree apprenticeships

Degree apprenticeships are made up of two distinct parts: the degree itself and the other activities that make up the rest of the apprenticeship. There is the benefit of not having to worry about university fees or, if you prove to be valuable to the employer, finding a job at the end of it.

The other main benefit is the structure of the apprenticeship, which is fresher than other existing degrees and has often had the input of a number of different firms. At Arden University the apprenticeship standard represents current thinking on industry needs from a variety of different employers such as Accenture, BT, Capgemini and IBM. Other employers, including PWC and Santander, were also involved in making sure the programme delivered.
