Security Think Tank: Building the cyber workforce we need

The UK’s new National Cyber Strategy is clear in its ambitions, but to fulfil them, we must double down on appropriate skills development, says ISACA director Mike Hughes

On 15 December 2021, the UK government launched the National Cyber Strategy 2022 in Birmingham. Cabinet Office minister Steve Barclay set out how the strategy will ensure that the UK remains confident, capable and resilient in this fast-moving digital world; and how the UK will continue to adapt, innovate and invest in order to protect and promote its interests in cyber space.

This strategy builds on, and takes forward, the good work started by its predecessor, the National Cyber Security Strategy, which ran from 2016-2021.

You may have noticed one key change from the previous strategy: the word “security” is missing from the new strategy’s title. This is because the new strategy also covers the use of technology in the cyber and digital age, helping all organisations, even the smallest, to embrace these technologies to support and deliver their business goals and objectives and to be competitive in a global marketplace, as well as helping organisations to understand the business risks of operating in the cyber and digital world and to protect themselves from the cyber threat.

The UK government is backing up the ambitions it has articulated in the strategy by committing £22bn on research and development and putting technology at the heart of our plans for national security.

The strategy sets out five pillars:

  • Pillar 1: Strengthening the UK cyber ecosystem, investing in our people and skills and deepening the partnership between government, academia and industry.
  • Pillar 2: Building a resilient and prosperous digital UK, reducing cyber risks so that businesses can maximise the economic benefits of digital technology, and citizens are secure online and confident that their data is protected.
  • Pillar 3: Taking the lead in the technologies vital to cyber power, building our industrial capability and developing frameworks to secure future technologies.
  • Pillar 4: Advancing UK global leadership and influence for a more secure, prosperous and open international order, working with government and industry partners and sharing the expertise that underpins UK cyber power.
  • Pillar 5: Detecting, disrupting and deterring our adversaries to enhance UK security in and through cyber space, making more integrated, creative and routine use of the UK’s full spectrum of levers.

These pillars set out the UK government’s ambitions to be the global leader in the cyber and digital world, but it all depends on having individuals with the right skills, in the right numbers, in the right places, and that we have the means to continue to develop these individuals.

It is widely recognised that there is a worldwide shortage of cyber security skills. The new strategy expands into the need for a wider range of skills: digital transformation, risk management, technologies such as blockchain, artificial intelligence, integration with operational technologies – not to mention the future technologies that we don’t yet know about.

Where are we going to get these skillsets to satisfy this growing global demand?

I want to focus on the Strategy’s Objective 2 of Pillar 1, which sets out to “enhance and expand the nation’s cyber skills at every level, including through a world-class and diverse cyber security profession that inspires and equips future talent”.

A key component of the previous strategy, which was successfully delivered, was the establishment of the UK Cyber Security Council. The Council’s formation project was led by the UK’s Cyber Security Alliance, on behalf of the Department for Digital, Culture, Media and Sport (DCMS) and the National Cyber Security Centre (NCSC). The Alliance is a collaboration of a number of cyber-related professional bodies, including ISACA, the IET and WCIT.

The UK Cyber Security Council has been established as the self-regulatory body for the country’s cyber security profession. It develops, promotes and stewards nationally recognised standards for cyber security in support of the government’s National Cyber Strategy to make the UK the safest place to live and work online.

This includes exploring how we develop a highly skilled cyber and digital workforce to meet current and future needs.

We have training and certification providers such as ISACA, Crest, BCS, (ISC)² and CompTIA, which provide certifications once an individual is in the workforce, such as ISACA’s CISM (Certified in Information Security Management). This is helpful for continued career development, but we need to get the right individuals into the education system, building foundational skills, so they can be a productive member of the workforce from day one.

While a lot of effort is focused in the Strategy on over-16 training, where there are already courses supplied by a range of academic and apprenticeship programmes, we need to do much more work with under-16s to raise awareness of the diverse careers available in the cyber and digital world, so that when they get to choose their options, they consider the STEM (science, technology, engineering and maths) subjects, which set them on the right path.

There is some activity in this area, but it needs a more coordinated approach and funding. Activities include:

  • NCSC has its Cyber First programme.
  • DCMS has Cyber Explorers (announced in the Cyber Strategy), an online training platform that will teach young people cyber skills in the classroom.
  • The Security Awareness Specialist Interest Group (SASIG), a voluntary group, is bringing employers and potential employees together through its SkillsFest.
  • Independent charities, such as Cyber Girls First, which raises awareness of the varied career opportunities and motivates and encourages prospective practitioners to make the first steps.

We also need to look at diversity. A career in cyber brings many opportunities to individuals who may have found it difficult to enter more traditional careers.

We should then look at the vast pool of potential entrants among “back-to-workers” and those who already have a career but are looking for a change of direction.

So, we have a huge source of potential cyber and digital entrants – we just need the right education, training, career paths, and so on. We also need to look at coaching and mentoring, helping to support and guide these individuals in the first steps, and early days, in their cyber and digital careers.

The professional bodies have their role to play here, and ISACA has started this process. ISACA’s established certifications, such as CISM, CRISC and CISA, require an exam pass and up to five years’ accredited experience. ISACA has more recently established entry-level certificates (ITCA) that provide foundational skills on a number of IT topics, as well as credentials (CET) in emerging technologies such as artificial intelligence, internet of things and blockchain, that are standalone, but if combined with CISM, CRISC and CISA, can create even more holistic professionals in an emerging technology adoption era.

ISACA has also started a mentoring programme, which sees experienced members mentor new entrants. Some other professional bodies are building similar programmes.

To build the cyber and digital workforce we need now and for the future, to help deliver on the UK’s Cyber Strategy, a collaborative and a coordinated approach is required: government, professional bodies, training providers, high schools, further education colleges, universities and industry as a whole all have a role to play.

The power to create the sustainable workforce we need is in all of our hands.

Mike Hughes is the director of relationships for ISACA Central UK and is a past ISACA global board director. His day job is a director for Prism RA Group, a technology and cyber governance, risk, compliance and security consultancy. He is also a non-executive director of Cyber Q Group, a business resilience specialist. Hughes is also a member of the Institute of Directors.
