To kick off the New Year we interviewed Cyber Security Challenge UK CEO Colin Lobley and asked him about the challenges posed by the cyber skills gap and what advice he would give to people interested in getting into the cybersecurity sector.
Colin - It’s huge. The latest report from ISC2 places the gap at 2.93 million vacancies globally, with 63% of organisations saying they need more staff and 59% saying their business is at extreme or moderate risk due to cybersecurity staff shortage. Vacancies lead to vulnerabilities; vulnerabilities to incidents; incidents to even more demand for skilled professionals. The issue is in a loop and spiralling out of control. The skills shortage and lack of new entrants into the profession also leaves those already in cybersecurity overburdened and devoid of time to upskill and pursue management positions. This risks careers stagnating and driving people to leave it behind entirely. On top of this, salary expectations are increasing hugely in line with the high demand for experienced candidates.
The cost of hiring and maintaining a cyber security workforce is increasing to unsustainable levels for many businesses, who are then forced not to hire, or hire those without the necessary experience who are more affordable, which of course increases the risk to the company. And it isn’t just a lack of trained cyber security professionals putting pressure on the sector. The root cause of many incidents still resides in human error – not adhering to policies, not doing the basics such as routine patching, or being duped by ever-more sophisticated social engineering attacks, such as phishing.
Awareness and education need to improve at an individual level, both at work and at home. Basic security hygiene can prevent a lot of incidents and significantly lessen the strain on the cyber security profession. There are signs of growth, but market demand is outstripping the supply of people and skills. Support for initiatives that are trying to address the skills gap and a step-change improvement in mainstream education is, therefore, more important now than ever.
Colin - For every new adversary or technology, there is an opportunity to learn. Every day, discussion evolves to include a new piece of technology, new ideas, the discovery of new criminal groups, a new connected product, all of which usually mean our attack surface has increased and criminals have more doorways to exploit. So, cyber security professionals need to have a broad set of skills as well as a passion to keep learning and collectively speed up industry debate.
Colin - I think the biggest hurdle is awareness and understanding. When I advised corporates, the desired outcome of their cyber security was often likened to, and talked about in the same context as, health and safety – policies, processes, culture, awareness and physical controls are second nature to us all. Risk is nothing new – even Neanderthal humans faced risks and learned how to control them.
Managing risk is learned but soon becomes almost instinctual. Crossing the road carries risk, we just know what to do. With the proliferation of digital society and digital operating models, we’ve introduced ourselves to a new risk.
There are plenty of things available to control that risk; too many people don’t understand what the risk is, suffer from “it won’t happen to me” syndrome, so either don’t know or don’t make the effort to manage the risk. Risk management and security as control mechanisms are viewed as sunk-costs to businesses, so the preference is to keep security spend low and invest elsewhere where ROI is easier to measure.
Colin - Businesses will find themselves in serious difficulty without the volume of skilled staff to build adequate resilience. They must also invest more time in understanding, and even before that, considering the risks of embracing new technologies into operating models. Too often, the need to factor in security by design is overlooked, and I believe this is due to lack of awareness, lack of skilled staff, and as a result of budget limitations. This culminates in the need for more investment in supporting how we address the cyber skills gap, including the education system in the UK.
We have such an amazing talent pool here in the UK: self-starters and self-learners. The Challenge is proud to have seen some of the candidates come through its ranks and then come back as assessors to represent their employers.
As 2019 begins, a new education year is in full swing with young people in particular making decisions that will lead them to their chosen career. The task we have is to encourage both those who know they have the talent and skills to suit a rewarding role in cybersecurity, as well as those who haven’t even considered it, to pursue this path.
Colin - Image and complexity. The industry has an enduring image of hoodie-wearing teenagers (typically boys) in a dark basement, tapping away on a computer. This is unhelpful in the extreme. Cybersecurity offers a whole host of fulfilling careers in both technical and non-technical fields. As an industry, we’ve done a poor job of defining cyber clearly – there are literally thousands of definitions in existence. It’s everything and nothing.
The majority think cybersecurity is just the new buzzword for IT security. But pick up a cybersecurity standard, and really it is a blueprint of how to build and maintain a resilient and sustainable business in today’s digital age. So, is every role in a business a ‘cyber’ role? Of course not. Should the CISO, a typical owner of these far-reaching standards, in fact, be the CEO? Of course not. But the market lacks clarity over what is and isn’t a cyber role. The word cyber encompasses many derivations and subsets of skills, but it struggles to shake a number of negative stereotypes.
This complexity means that, from an outsider’s perspective, it is very difficult to know where to start. Possibly one of the biggest questions I am asked is “Where do I start?” We need to speak the language of the outside world, de-jargon our career paths and support recruitment processes to identify and test candidates’ strengths and weaknesses, and use this to better match their skills to the growing number of vacant positions.
XQ: Thanks, Colin.
Cyber Security Challenge UK is a series of national competitions, learning programmes, and networking initiatives designed to identify, inspire and enable more people to become cybersecurity professionals.
Established to bolster the national pool of cyber skills, it offers a unique programme of activities to introduce sufficient numbers of appropriately skilled individuals to learning and career opportunities in the profession.
You can also follow the Cyber Security Challenge on Twitter:
https://twitter.com/Cyberchallenge - @Cyberchallenge