During the discovery exercise, the government received 81 inputs from businesses and a further 51 inputs from individuals. "A range of reasons for the skills shortage were suggested," notes the government report (Cyber Security Skills: Business perspectives and Government’s next steps), "including the immaturity of cyber security as a ‘profession’, low take-up of STEM (Science, Technology, Engineering and Maths) subjects and limited awareness of cyber security as an interesting and rewarding career at all levels of the education system, and difficulty attracting female candidates."
But the responses also raise an associated concern: industry doesn't just need extra cybersecurity professionals, it needs an increased level of cybersecurity awareness in "those who create, purchase and use technology to reduce business vulnerability to cyber attack, and amongst company decision makers who are responsible for managing business risks."
Such a problem is best solved in the education system, with cyber awareness and cybersecurity part of the schools curriculum – and it is the government's intention to increase cyber awareness generally, while providing a better path toward a cybersecurity profession. What makes this government initiative different to other initiatives, and demonstrates its commitment, is a budget to train schoolteachers in security.
"What I find most interesting," comments Charles Sweeney, CEO at Bloxx, "is that teaching staff will also be given training. At the moment a lack of teacher awareness about the risks posed by things like anonymous proxies and malware is a serious concern given how commonplace the Internet is in today's classroom. Plugging this knowledge gap will go a long way to ensuring that the teaching environment is a safe one. It's great to see a government programme taking such a holistic view because in the fight against cyber crime knowledge really is power."
Paco Hope, principal consultant at Cigital, is also enthusiastic, provided this is just the beginning and the whole of government intentions. "In as much as government influences subjects (for example, equality, religion, history, STEM), I see this as just another change of emphasis," he told Infosecurity. "At the moment we teach nothing on this subject at all, and I think the government is right to nudge academia to address 'a genuine market need.' The government licenses and regulates various professions, usually via quasi-academic, statute-backed professional bodies (law, medicine, accounting, taxis, etc.). This is clearly not – yet – the case with cybersecurity. Long before regulation can be practical, we have to have a body of knowledge that is established and maintained. So these are the first baby steps towards professionalizing a career that is far from professionalized at the moment."
Hope, who was one of the authors of the BSIMM software security model, even has ideas on what can be done. You don't need to be taught the details of Red Hat version X security to get students' interest, he explained. "Simply adding concepts like confidentiality, integrity, and availability to any part of any relevant curriculum would be a huge step forward. Classrooms can discuss concepts like ‘privacy’ and show how technology can facilitate situations that we would never anticipate in the real world."
The weakness at the moment is that these concepts are not currently discussed on a formal basis with qualified teachers. "Consider," continued Hope, "we discuss things like enfranchisement in school (making sure all eligible citizens have the right and ability to vote). Do we talk about how cybercrime can disenfranchise or 'overenfranchise' groups of people? If we had been taught some of these concepts at school, then we might question the way some mobile apps work today."
Tackling the skills shortage in the schools is a slow process. But if the government gets it right now, in a few years time we will have more cybersecurity professionals defending a population with greater cybersecurity awareness.