Earlier this year, the National Audit Office (NAO) warned that the UK’s critical infrastructure is vulnerable to cyber-attacks in part because of a lack of experts able to thwart threats.
“The UK lacks technical skills,” it said, adding that “the current pipeline of graduates and practitioners would not meet demand.” The NAO suggested that it could take up to 20 years to close the IT security skills gap.
The government appears to share the NAO’s concerns, with ministers Michael Gove and David Willetts telling Computing back in September how the coalition plans to promote IT security best practice through the revised national curriculum.
Some experts, however, believe efforts to boost cyber security education ignore a more fundamental problem. One such critic is Vicki Gavin, head of business continuity and information security at The Economist, who argues the shortage is largely down to unrealistic recruitment criteria.
“I think there are a lot of really bad recruiters out there, because I have got a fantastic team and I have never had any problems finding high-quality skilled staff – and I don’t pay more than the rest of the people on the street, in fact I probably pay less,” she said.
Gavin said employers who struggle to find staff always seem to want to find someone “with enough experience to sink a ship”, and that this is unnecessary.
“They completely forget that all these hard skills they are looking for can be learned, and that there are hundreds of thousands of people out there with the right soft skills, ready and willing to learn,” she said.
But Wayne Grundy, managing director of the cyber protection practice at professional services firm Alvarez & Marsal, believes that building strong digital defences requires personnel with years of experience in information security.
“I’ve got people on my team with 10 years’ experience, and the idea that you can learn on the job when you’re working against people who have expert teams of hackers with a potentially unlimited budget from certain countries, is not something I would agree with,” he said.
But The Economist’s Gavin insisted that even technical skills can be learned on the job. “Have you ever met a security person that didn’t learn [technical skills on the job]? This is not a skill that somebody is born with,” she said.
Lack of leadership
Putting the issue of the value of on-the-job training to one side, Grundy argued that one of the main reasons for the skills gap identified by the NAO is that many organisations still do not see the need for developing their own specialist cyber security teams.
“Companies haven’t realised they need someone to lead in cyber security. CEOs will look at the board and give the role to the person who is most interested in technology and that might not be the right approach at all,” he explained.
One firm that is trying to nurture cyber security talent both internally and externally is Deloitte. The professional services firm has launched a master’s degree in cyber security at Leicester’s De Montfort University, and is hiring as many of the graduates as it can. Meanwhile, existing staff are being trained in such cyber security skills as penetration testing, incident response and forensics.
So what skills does someone need to become a cyber security professional?
James Nunn-Price, head of UK cyber security at Deloitte, said that while skills such as reverse engineering code and cryptography are important, there is a growing need for candidates who can communicate effectively.
“We find out whether an applicant is good at interacting and consulting,” he said. “The security people end up in a bunker because no one knows what they are saying. In the last two years there has been a huge shift, and now those people with security skills need to be able to explain to stakeholders what a problem is in simple terms,” he said.
Nunn-Price said organisations increasingly need “interpreters” who can work alongside more technical staff to explain the nature of cyber threats to the business.
With Gavin, Grundy and Nunn-Price all identifying contrasting causes for what the NAO sees as a looming cyber skills crisis, it may well be that a solution will require action from a range of sectors: government, educators, consultancies and, perhaps most importantly, end-user organisations themselves.
Computing and QA Training's Securing Talent campaign aims to raise awareness of the growing need for people with cyber security skills in industry and government, and for clearer pathways into the cyber security profession.
By eliminating high entry costs for big data analysis, you can convert more raw data into valuable business insight.
A discussion of the "risk perception gap", its implications and how it can be closed