Security skills gap will take a decade to fill

The British education system cannot move fast enough to address the security skills crisis, and in the absence of government action, increased reliance on automation may be the least worst solution

It will take the best part of a decade to identify and train appropriate talent to address the cyber security threats that organisations face today, according to digital resilience and risk modelling specialist RedSeal.

Almost 18 months on from the release of a damning parliamentary security strategy report that called for the government to urgently address the skills crisis in cyber security, RedSeal said the government had failed to make training opportunities a priority, and that a deepening talent gap had the potential to cause “irreparable damage” to British businesses.

“Across the industry, we have drained the talent pool for security professionals,” said the firm’s chief technology officer, Mike Lloyd. “The UK’s education system can help, but not quickly – professionals agree that it takes about 10 years of real-world experience to develop the skills needed to combat today’s threats, so we’re facing a sustained drought for talent.

“Automation can help, but cannot replace human intuition and insight. We have to build hybrid teams, combining computers for all the drudge work so that the few human analysts can focus on the security tasks that matter.”

RedSeal enlisted Atomik Research to undertake fieldwork in June 2019. It questioned more than 500 CIOs and senior IT professionals from across the UK, unearthing major concerns that the skills shortage was reaching crisis point.

Over 75% of respondents said they struggled to find cyber security professionals with the necessary expertise to combat organised online crime. Three-quarters said their ability to recruit skilled professionals from outside the UK was being hindered by Brexit, and 95% believed that if the UK does leave the EU, the skills gap will widen.

Among the study’s other findings, 81% of respondents said they had suffered some kind of cyber security breach within the past 12 months, but 40% said their business did not have a plan in place to respond to an incident, largely due to an inability to plan effectively.

“Further and higher education in cyber security needs continuing support to keep pace with the ever-changing threat landscape that UK business is facing right now. There is a shortage of professionals with cyber security skills in the UK, which means engaging young people and mid-career changers in developing skills and knowledge through high-level technical and computing education is more important than ever before,” said Peter Komisarczuk, head of the information security department at Royal Holloway University of London.

“There are significant career opportunities in cyber security – the average annual salary for jobs in cyber security is £72,500 and we are seeing our graduates getting significantly more than the average graduate salary of £23,000 on leaving with their degree. Moreover, the potential to contribute to economic growth is huge, as well as support UK business against a very real cyber threat.

“There are some great schemes encouraging younger people to pursue a career in information security, such as CyberFirst which provides excellent opportunities for 11-17-year-olds to develop skills and knowledge, as well as a bursary scheme for undergraduate students,” said Komisarczuk.

Join the conversation


The ten-year gap exists only because the providers of technology products and services are expecting the UK Universities and Colleges to provide the necessary skills when they are (and are likely to remain) geared to providing background education. Those who have a problem should be retraining existing staff (and/or users with the necessary aptitude) using training providers like Blue Screen IT (who run the pilot Plymouth Cyberhub, combining skills incubator and local access SOC and virtual CISO service). 99.5% of organisations do not need rounded security professionals. They need competent technicians with, for example, the relevant CompTIA certifications. These can be acquired within three months using a programme of intensive blended learning and work experience in the SOC. AWS, Cisco, CompTIA, ISACA, ISC2 and Microsoft are all involved in the exercise to clone the approach in Essex, Birmingham, Cardiff and Manchester, but on-site and in-house equivalents are also available from Blue Screen and from training-only providers like Firebrand and QA.

I should have added that, for those with an immediate need for intensive hands-on short course modules, out-of-season hotel rates in Plymouth are much lower than London, Bristol, Birmingham, Leeds or Manchester. Those for hotels adjacent to the University Science Park (home of the pilot skills incubator) can be even lower.