How can we reduce the skills gap to improve cyber-defences?

Recent high-profile hackings have propelled the cybersecurity skills gap firmly into the public eye and prompted significant efforts to educate the next generation. Whether via Computer Science GCSE’s, NCA-sponsored cyber-challenges or data breaches themselves, this previously marginal topic has entered the mainstream. But despite the attention and investment it has received, concerns around a skills shortage have far from disappeared, with a recent survey showing that 30% of IT security professionals cited a lack of qualified staff in their business as a significant challenge. Clearly current initiatives aren’t doing enough to promote the industry, with a shortage of 1.5 million IT security professionals predicted by 2020.

With many claiming a direct correlation between a widening skills gap and an increase in data breaches, action needs to be taken to ensure that with an ever-evolving threat, global cyber-defences remain proactive rather than reactive. Whilst this is not an issue that is likely to be solved overnight, there are some key steps that can be taken in order to lessen the void between the supply of and demand for cybersecurity professionals.

Developing the right talent

As alluded to above, there has been a significant attempt to integrate cybersecurity into mainstream curriculums at institutions of all levels. This is something that should continue in order to raise the profile of the industry and must not be held back by the notion that there is a shortage of educators with the appropriate knowledge to prepare the next generation of cybersecurity professionals.

Government attempts to shrink the cybersecurity skills gap extend beyond the realms of traditional education and target multiple generations. For example, IT security initiatives such as the Cyber First scheme launched earlier this year aim to identify talent through competitions and also offer financial assistance. Another initiative saw the announcement of a £1 million scheme to help SME’s boost their cybersecurity.

We have also seen that more than half of UK companies would consider hiring ex-hackers to boost their cyber-security. Whilst ‘converting’ hackers would be greatly beneficial to the industry and can help to ensure that businesses have insights into the cutting edge tactics employed by hackers, it must not come at the expense of investing in the education of future generations or indeed a business’s own staff. With security threats constantly diversifying, to take the foot off the pedal of education initiatives would only serve to widen the skills gap further.

Creating an industry structure

What’s clear is that an assortment of disassociated initiatives will not necessarily provide a long-term career framework for aspiring cybersecurity professionals. Developing a coherent structure is vital in order to allow them room to grow and advance in different directions.

A significant obstacle is that the industry has yet to present a clear picture of the skillset required, due to the immaturity and diversity of the sector. If businesses are not defining a consistent model of the skills they are looking for, it is difficult to identify the gaps that need to be addressed. An important remedy to this is to standardise job titles and roles, which often differ from country to country and even organisation to organisation. This would help to create a defined framework, allowing businesses to recruit based on a uniform set of skills and expectations. Progress has been made towards this with the launch of the ISSA Cybersecurity Career Lifecycle, which has begun to establish standardised definitions of cybersecurity roles.

Initiatives such as the ISSA career lifecycle are important first steps in boosting global industry co-operation, but alone it is not enough. The battle to solve the skills shortage and keep up with rapidly advancing cyber-threats must be a proactive, industry-wide effort. Cyber-attacks are only set to become more widespread and our best bet is to work together to counter the problem. By continuing the education drive, clearly defining job roles and collaborating as an industry, we can begin to bridge the perilous skills gap putting our data and infrastructure at risk.