Sergey Nivens - Fotolia

UK education system exacerbates cyber skills gap

Security industry needs to get involved to raise awareness of cyber security career opportunities, say commentators

UK school education is providing insufficient IT skills and little to no insight into careers in cyber security, according to research by security firm McAfee.

A poll of 2,000 UK-based respondents found that 70% of British adults feel their school education did not set them up with sufficient digital skills and knowledge of IT. This was more prevalent among older respondents, with 83% of adults over 65 saying so, compared with 59% of 18 to 24-year-olds.

However, a large majority of respondents (88%) said they were not aware of the possibility of a career in cyber security when they were at school.

This finding highlights the importance of implementing realistic career-led IT education to encourage younger generations to enter this field, the survey report said.

According to the latest Global information security workforce study by information security certification body (ISC)2, the projected 1.8 million shortfall in cyber security professionals by 2022 is 20% higher than a five-year forecast previously published by the organisation in 2015. And in Europe, the shortage of cyber security professionals is expected to be about 350,000 by 2022.

The McAfee survey showed that the gender gap begins at school, with 61% of male respondents saying they were aware of the option of a career in cyber security, compared with only 39% of female respondents.

The gender gap was also reflected in the fact that girls accounted for just 20% of entries for the new computer science GCSE.

In March this year, former GCHQ director Robert Hannigan called on every UK organisation to do more to encourage women into the information security profession in the face of a growing skill shortage.

“If we are not tapping into women, we are depriving ourselves of a massive talent pool,” he told the CyberUK conference in Liverpool.

In the UK, the proportion of women in cyber security stands at just 8%, and men earn an average of 15.5%, or about £11,000, more than women in the sector, according to (ISC)2’s study.

Read more about information security skills

The McAfee survey shows a clear link between school IT lessons and interest in cyber security roles, with more than one in five respondents saying they would have looked into cyber security as a career if IT lessons had been more interesting at school, and a further 15% saying they would definitely have considered a cyber security career if they had had more interesting IT lessons classes.

Nick Viney, vice-president consumer at McAfee, said this insight into the widespread uninspiring view of careers in cyber security makes it clear that fixing the cyber skills gap will require more than an updated curriculum.

“However, teachers are not to blame,” he said. “Our sector needs to attract new talent, but that won’t happen if the industry cannot convey the wide variety of available job opportunities or the fast-paced and challenging nature of careers.

“The view of cyber security needs to change at a national level. While updates to the curriculum could help plug the skills gap and inspire a new generation of cyber experts, it won’t come into effect straight away. Instead, we need to foster new education models and accelerate the availability of training opportunities for all.”

Despite the rapid increase in potential cyber security jobs in the UK, combined with generous salaries and a shifting threat landscape, the survey shows that most UK adults have a mundane view of the profession.

Almost half (47%) think of “managing IT systems to keep data safe” when asked what a career in IT security involves – demonstrating a widespread view of IT as a reactive, slow-paced sector.

But McAfee’s recent Disrupting the disruptors, art or science? report on the role of cyber threat hunting shows an increased focus on automated technology and proactive threat hunting.

Human-machine teaming

In fact, 68% of organisations say better automation and threat hunting procedures are how they will reach leading capabilities. According to McAfee, the rise in human-machine teaming means successful cyber security teams are three times as likely to automate threat investigation, allowing up to 50% more time for the team to undertake actual threat hunting.

Despite this shift in the cyber security industry, the survey shows that fewer than one in 10 respondents are aware of the more engaging aspects of IT security. Proactively hunting for cyber threats includes following clues and personal hunches based on studies of adversaries’ tactics, techniques and procedures, and working quickly to keep pace with cyber attacks.

Raj Samani, chief scientist and fellow at McAfee, said cyber attacks are the future of crime. “As more businesses take this on board and realise that mitigating attacks is not outside their control, we will see a rise in the importance placed on threat hunting at an enterprise level,” he said.

“Protecting data and correcting systems after an attack is no longer sufficient. Business must be prepared to proactively seek out and detect any threats. It’s a fast-paced industry and we sorely need a new generation of threat hunters to come through and ensure the UK retains its place as a key – and secure – market for digital business.”

According to Samani, cyber criminals are devising varied, sophisticated attacks to weaponise data and systems. “It’s time to brush away the tired old image of IT professionals forced to spend their time just changing passwords and managing systems,” he said.

“In the light of the current cyber criminal trends, it takes inspired, innovative cyber security professionals to proactively find emerging threats and beat criminals at their own game. The education system plays a key role in inspiring the threat hunters of tomorrow, but the industry also needs to get involved to ensure young people are aware of the amazing career opportunities available in our sector today.”

Read more on Hackers and cybercrime prevention