Fixing the Cyber Security Skills Shortage

Paul German

Attitudes towards security continue to harden, with terrorism, geopolitical uncertainty and cyber threats now joining over-regulation in the top four threats posed to business growth prospects in PwC’s 2018 CEO Survey. This shift is reflected by the language now used publicly – by Government and business leaders alike – as highlighted by the UK’s defence minister Gavin Williamson CBE recently confirming that sponsored cyber attacks on the UK’s infrastructure could cause economic chaos. After endemic under-investment in skills development for over a decade, Paul German explains why now is the time for a significant change in approach in order to safeguard businesses.

Organisations now recognise the need to invest heavily in security. Yet when day rates for cyber security experts hit £1,400, the industry clearly has a massive problem regarding supply and demand. While it’s fair to say that the escalation in cyber threats has created an unprecedented need for individuals with skills, talent and experience, it’s chronic under-investment in training and education that’s at the heart of the skills shortage problem.

The UK used to lead the world in cyber security expertise. Now, Government representatives are travelling to countries across the globe – including some that are flagged as ‘questionable’ by the Security Services – in the hope of attracting essential start-up expertise and skills. With the proposed National College of Cyber Security sited at Bletchley Park now not likely to open at any point before 2019, home-grown talent is simply not being developed.

So what has gone wrong? The ramifications of the massive spike in outsourcing a decade ago are now being felt. When huge swathes of technical experts were transferred across from public sector to private sector organisations under the TUPE Regulations, a history of training, education and skills development was lost. These individuals are now leaving the industry in swathes and their skills have never been replaced. The end result is escalating demand and a pool of resources that continues to shrink by the day.

Flaws in the current model

There are so many flaws in the current model. Frankly, the industry is appalling at selling itself and inspiring the next generation by demonstrating that IT can be an exciting and financially rewarding career. In addition, across the past decade training has become almost exclusively product-focused, with vendor ‘academies’ teaching individuals about specific product sets rather than security framework requirements. It’s a move that has further weakened the depth of expertise offered by any one individual.

This approach is simply not sustainable for IT providers or organisations desperate to access essential cyber security skills. Right now, the small pool of talent is being touted around at ever higher rates by recruitment firms, making essential cyber security unaffordable for all but the largest and most successful businesses.

Taking control and investing

The only way organisations will be able to address the huge demand for cyber security skills will be to take control and invest. That means shifting away from outsourcing and a reliance upon expensive contractors towards re-insourcing key services, including security. The onus is now on companies to build up their own expertise in-house.

At the same time, the IT industry needs to step up and invest in training. Truly agnostic training, not product-specific, ersatz sales education. If the next generation of cyber security individuals are going to be able to make the right decisions, they need an excellent grounding in security – from compliance to standards, including the EU’s General Data Protection Regulation, the PCI DSS and ISO 27001. It’s only with that in-depth understanding of end-to-end security issues that individuals will be able to create a robust security infrastructure supported by the right product choices.

From vendor-agnostic training through to a commitment to inspire the next generation to join the industry in the first place, everyone demanding a solution to today’s cyber security skills shortage needs to step up and become part of the solution, not the problem.

Paul German is CEO of Certes Networks

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
