In outlining its ‘National Cyber Security Strategy’ in November last year, the Government issued a stark warning that the cybersecurity skills gap “represents a national vulnerability that must be resolved.”
Yet this comes at a time when cyber has never been a more attractive industry to work in, with security professionals projected to enjoy the highest salary growth of any technology specialism in 2017. Every indication is that the industry will only continue to grow as the economy increasingly moves towards digital. So why is a booming industry with sky-rocketing salaries and excellent career prospects still failing to fill its existing vacancies?
The fashionable answer is that this is a supply-side problem, caused by academic institutions not producing enough computing graduates. However, what if it is not the education system but employers’ hiring criteria that are the problem?
A recent survey shed light on the extraordinarily narrow job specs of many recruiters, with 40% still demanding a bachelor’s degree in a technical field as the minimum cybersecurity credential for entry-level positions. Yet prioritizing job applicants with techie degrees means fishing in very shallow waters; only 7% of our top universities even offer an undergrad degree in cyber, and with far fewer women than men studying computing degrees, this effectively means that half the population rarely gets as far as the interview door. It is therefore unsurprising that not only is there a skills gap, but women comprise just 10% of the cybersecurity profession.
Many employers also list ‘experience’ as a requirement for cyber roles. This automatically excludes anyone who hasn’t already worked in cybersecurity, filtering out an enormous potential talent pool. It’s as if the aviation industry acknowledged it had a severe shortage of pilots coming through, but refused to hire anyone who was not already an experienced, qualified pilot.
If we are to provide a realistic solution to this urgent problem, cybersecurity employers must radically rethink their hiring checklists and the places they recruit from.
The largest-ever survey of cybersecurity professionals ranked non-technical skills (such as risk assessment and management and analytical skills) higher than technical skills when recruiting mid- or entry-level info security professionals. These are attributes often found in professions as diverse as the armed forces and law.
To put weight behind that claim, we have looked further afield than the average tech graduate, successfully transitioning military veterans into cyber careers through our academies. Out of the thousands of applications to the first SANS UK Cyber Academy, the final group selected for the course included several from outside the tech industry altogether, including a law graduate. Despite some having no technical backgrounds, they have gone on to work for the likes of NATO and General Electric.
To prove this theory at a national level, SANS was recently tasked by Government to partner with them in launching the first-ever ‘Cyber Retraining Academy’, which will specifically seek applications from people who have never worked in cyber. Applicants will be filtered using psychometric assessments developed to identify behavioral and cognitive traits that indicate a high probability of success in the profession, then trained to be industry-ready practitioners with immediately deployable skills.
We believe this offers a radically different recruitment model for the industry, which could help rapidly plug the skills gap and diversify the workforce, effectively condensing a typical graduate-type training program into an intensive, immersive 10-week schedule.
This is something we have seen in other industries, with some businesses now recruiting using bespoke aptitude tests that not only widen their recruitment net but offer a far better guarantee of ‘culture fit’ than degrees or career experience.
We can do much more to give those starting out in security a firm foundation, ensuring those who undertake training are immediately deployable and add real value to employers from the outset. Military veterans are one such group who often show the ideal attributes for a cybersecurity career, and providing hands-on ‘immersion training’ to turn them into professionals in a short space of time is essential. Offering people practical training can also increase employee retention and create more rounded, qualified professionals with hands-on experience.
Ultimately, businesses must find innovative ways to recruit from outside their techie ‘comfort zone’ and draw a wider spectrum of people into the profession if we are to begin resolving the skills shortage.