Towards the end of 2018, research from global certification association (ISC)2 revealed that the cybersecurity industry is suffering from a workforce shortage of 2.9 million employees. That figure was staggeringly higher than the 1.9 million industry jobs shortfall that the same company had predicted in the 2017 iteration of its Cybersecurity Workforce Study. (ISC)2 did explain that it had introduced a new gap analysis methodology which accounted for such a large increase in just 12 months, but even if you took that huge jump out of the equation, all research points to the cybersecurity skills gap getting bigger, not smaller.
That is no real secret to the cybersecurity sector; neither is the fact that there is certainly no quick, easy fix. However, there are a few key areas where the problem has always stemmed from. One of those is the education system, and its failures to effectively prepare students for – and encourage them into – careers in cybersecurity.
Research from McAfee in 2017 discovered that 70% of British adults felt their education did not set them up with sufficient digital skills and knowledge of IT, with 88% saying they were not aware of the possibility of a career in cybersecurity when they were at school. Furthermore, one in five said they would have considered cybersecurity as a career if IT lessons had been more interesting.
Statistics like that paint a pretty clear picture of why the current cybersecurity skills gap is so large: it has been exacerbated by the education system.
“The industry must step up and play an active role in both shaping and delivering aspects of the curriculum”
Mixed Bag
In 2019, the standard of computing and IT tech teaching in education is still a bit of a mixed bag. On the one hand, “In schools, the ICT GCSE has a really good syllabus and, where it is being taught, it is generally very good,” says Ian Glover, president of CREST.
“It is criticized because of take up, but in reality, the number of schools capable of delivering it is still quite low,” he explains.
The number of code and technology clubs available in schools and through youth groups has increased significantly in recent years, Glover adds, and the UK university provision of cybersecurity courses from undergraduate through to PhD is world-leading and provides a good foundation of knowledge.
However, whilst recent improvements have been made in the standards of teaching at the foundational level, with more opportunities for students to get involved in various IT-related activities, it still does not appear to be leading education-leavers into cybersecurity jobs, and so the skills gap persists. Amanda Finch, CEO at the Institute of Information Security Professionals (IISP), argues a big part of the problem is a continued disconnect between what is being taught, and what employers in the tech space actually need to fill jobs.
“Too many courses are too narrow or simply a series of disconnected modules that do not harness the full potential of talented students,” she tells Infosecurity. “Courses need to be more focused on employer needs and less on ‘pure’ study, with little attention to business and people skills or real-world requirements. New recruits need to understand issues such as risk, project management and interdependencies with other areas of the business to be better equipped to hit the ground running.”
On top of that, there still needs to be clearer, better-defined and more accessible paths for careers in cybersecurity so that students can see the bright future the industry has to offer them.
“Career advisors, parents or guardians do not know about these new careers and cannot easily identify someone to help,” says Glover. “We need to bridge that gap. Failure to do this will only serve to widen the skills gap and put the UK at increased risk.”
This points to one inescapable truth: the industry must do more to invest in the current education system to help solve its own cybersecurity skills gap problem.
“We need more internships, placements, part-time courses and apprenticeships to promote the value of learning from experienced professionals”
The Kids are Alright
So where do you start with such a challenge? The crucial place to begin is with a focus on improving the quality and take-up of computing studies in schools.
Richard Yorke is CEO and co-founder of Deep3, a company which delivers mission-critical software in complex operational environments. He tells Infosecurity that “much more focus is required on inspiring children to take up the relevant subjects in the first place. Unfortunately, many companies take a short-term view and look for a direct return on investment for getting involved, which often misses the point.”
Yorke explains that a subject like computer science is unlike most, if not all, other subjects taught in schools. “The fundamental principles of how computers work haven’t changed but the way that related technology is used changes at an astonishing rate,” he says. “Therefore, in order for the subject to be relevant in the face of constant change and advances, the curriculum has to be constantly evolving and adapting as well. The industry must step up and play an active role in both shaping and delivering aspects of the curriculum.”
Teachers are passionate about bringing the subject to life, Yorke adds, but they need industry support to put these ideas into action and develop hands-on, repeatable content that inspires students to move from being users, excited by technology, to the builders and creators of technology for the future.
That is why Deep3 has involved itself in the NCSC’s Cyber Schools Hub since its inception last year. It has led on a number of initiatives, including working with head teachers and department heads to develop educational material and deliver lessons, and coaching GCSE computer science students. It has even taken part in a ‘Dragon’s Den’ session whereby students from years nine and 12 pitched ideas to a panel of industry professionals to obtain backing for their projects.
That sort of industry interaction and first-hand contact is what’s vitally needed, and can make a huge difference. “In terms of what can be achieved,” Yorke says, “we are confident that with the right backing and support from industry, more children will be inspired to take the subjects that underpin a career in technology and cybersecurity.”
Imagine (All the People)
It can also address another significant issue that plays a major role in the current skills crisis, which is the substantial lack of females choosing to study computer-related courses in schools, colleges and universities, and ultimately resulting in the drastically low numbers of women working in cybersecurity careers. The 2018 (ISC)2 Cybersecurity Workforce Study discovered that women make up just 24% of the cybersecurity workforce.
“We believe that by bringing the subject to life for kids at a young age, we can inspire more girls to get involved, stay with the subject and help address the huge problem we have with a lack of gender diversity in the industry,” Yorke says.
Finch agrees that this is particularly important. “We really do need to improve the gender balance in the industry,” she adds, “and while things are improving, we must address the legacy perceptions of the cybersecurity sector and encourage cultural and behavioral change.
“We need to sell the industry better and emphasize the importance and value of diversity. While some organizations are actively trying to address gender balance issues, it is patchy. For example, the problem is acute in SOCs but better in other niche roles where females can be in the majority.”
It’s not just gender diversity that must be addressed though, as another issue to solve is the industry's need for more individuals with ranging skill sets that encompass more than tech knowhow.
“For example, historians can make great intelligence analysts and behavioral psychology is becoming ever more important in understanding peoples’ interactions with the online world. It’s not all about understanding TCP/IP and encryption!” argues Finch.
“Many organizations looking for talent are often less interested in technical or academic qualifications, but rather they are looking for the right attitude and intellectual curiosity. Many of their best practitioners are self-taught.”
Therefore, much more must be done to communicate to schools, universities, teachers and students that, with demand for new recruits increasing in both breadth and number, there really are roles for everyone.
This is something that Fujitsu is seeking to tackle with its recently announced partnership with University Technical Colleges (UTCs) and the launch of the UTC Cyber Security Group, aimed at helping to prepare students aged 14-19 for future careers in cybersecurity.
As part of that initiative, the information and communication tech provider will work alongside UTCs and security and private sector organizations to equip students from various backgrounds with the cyber-skills needed to succeed in information security roles and further education.
“With a particular focus on students that might not have considered a cybersecurity profession, the UTC Cyber Security Group will connect the industry to an untapped pool of talent in order to encourage more students to develop their cybersecurity capabilities,” explains Rob Norris, vice-president of enterprise and cybersecurity, Fujitsu EMEIA.
Nine to Five
When it comes to facilitating entry into cybersecurity jobs, improvements are also needed. For example, higher up the education ladder, Finch believes that more should be done in the sector to work directly with colleges and universities to tap into the talent coming out of these establishments. After all, students leaving these institutions are also leaving education behind them and looking to take their first steps in the working world – that’s a crucial time to be actively engaging with them to set them on a path to a career in cybersecurity.
“We need more internships, placements, part-time courses and apprenticeships to promote the value of learning from experienced professionals,” Finch argues. “There should also be more recruitment events and other direct contact with employers.”
This appears to ring true. Mark Tucker is due to graduate with a BSc in Computer and Cyber Forensics from a UK university this year. He tells Infosecurity that whilst there was “some interaction with industry” during his course, he feels there should have been more.
“I do feel there could and should have been better ties and interaction with the industry more specifically focused on the cyber courses,” he explains.
“There were interactions [with industry organizations] such as three-day cyber-workshops taking place on campus, which have been excellent learning experiences. However, mostly the same few organizations have been featured throughout the three years, it would have been nice to have a bit more variety.”
He believes this would have proven valuable to him during his course, which was very good at “covering themes and theories about the industry,” but had less of the “hands-on experience” and industry interaction which could have better-prepared him to hit the ground running in a job role.
Clearly, there is a lot to do to address the skills gap crisis. There are some organizations in the sector already putting a firm foot forward in working with academia to help address the issues at hand, and the aforementioned are not alone in their fine work. Unfortunately though, as Finch points out, when taking into consideration the wider industry, this is still “the exception, rather than the rule.” Why is that? Why is it the few, and not the many, doing the type of work that has the potential to help turn things around?
“If we do not work more with education at all levels, the industry will not have access to the talent it requires at the scale it needs”
Moneytalks
A major contributing factor here is the incentive issue, Finch explains. Sacrificing time to visit schools and colleges, training teachers, taking on interns, offering work placements, participating in workshops and challenges – they all come at a cost.
“Larger organizations are generally better able to absorb this,” she says. “They can also take a longer-term view while fulfilling their corporate responsibilities and promoting the organization as an employer of choice, as well as getting the opportunity to spot rising stars.”
Conversely, smaller organizations tend to have less bandwidth and therefore need greater financial incentives and structured schemes to encourage them to get involved.
“Building some formality that is not too onerous would help employers understand what is expected and a financial contribution would offset the overhead,” Finch adds. “Students would experience the opportunities and responsibilities while gaining valuable first-step work experience that employers are always seeking. So, it is a win-win for both sides.
“It all comes back to integrating employers and academia so that there is a closer relationship and there needs to be more incentives for employers to provide work experience, day release and to pay interns – so that they are not just for the ‘rich kids.’” The responsibility for this really starts with bodies such as the Chambers of Commerce to build these communities and relationships locally, Finch believes.
Long Way to Go
Thus far, the industry’s report card for its work in engaging with the education system to fix the problems that have exacerbated the skills crisis would probably read something like ‘C+…shows promise, but must do better.’ Some companies in the industry should be praised for their recent efforts to affect change, but the good work of a few will not solve the problem faced by the majority and there is a long way to go.
“Our collective cybersecurity needs rely on having a strong and robust talent pipeline,” says Mark Cox, head of communications UK at Lockheed Martin, a global security and aerospace company that has recently been working with educational bodies to promote STEM subjects through engaging opportunities with young people.
Ultimately, until the industry skills gap is closed significantly, then all companies operating in the cybersecurity and tech sectors should be taking a proactive role in investing in education, not just some. It starts with supporting education to redefine what is being taught in schools and colleges so it is engaging and directly relevant for real-world job roles, and it progresses through to not only effectively communicating the opportunities and options of modern-day careers in cybersecurity, but providing more effective, accessible and hands-on routes into them for education-leavers of varying gender, backgrounds and skills.
“This is a challenge for the industry,” admits Cox, “particularly because of the length of time and investment industry needs to provide to children’s education from the moment they enter primary school through to their later study and career decision-making years.”
The industry has no option but to rise to that challenge though. “The industry is in direct competition with other more established professions at a time when the demographic of available young people is reducing,” concludes Glover. “If we do not work more with education at all levels, the industry will not have access to the talent it requires at the scale it needs.”