In recent years, cybersecurity as a profession has found itself at a crossroads. Since its origins in the 1980s, practitioners have drifted into computer security, information security or cybersecurity from other disciplines and professions – mainly IT and engineering, but also mathematics, audit, psychology, administration and linguistics – as well as entering through more academic or formal routes.
However, with the rapid growth in cybersecurity threats and attacks, the demand for cybersecurity professionals can no longer be met by practitioners drifting in from other disciplines, or by limiting the intake to those fortunate enough to have been able to pursue an MSc course. Consequently, the profession has found it difficult to respond, leading to the widely recognized skills shortage.
What is needed are mechanisms to enable the profession to nurture and ‘grow’ practitioners in much more diverse ways, in addition to welcoming migrants from other professions. Whilst action has been initiated to address this in some areas, we need to recognize that it will take a few years before some of these initiatives bear fruit. So, what are the key issues relating to reducing the skills shortage?
First of all, we need to educate and train students at all levels as cybersecurity practitioners. The National Cyber Security Centre, in its former incarnation as CESG, set the ball rolling by certifying a range of degree programs in cybersecurity at both Bachelor's and Master's levels. Complementing these, the Tech Partnership (formerly e-Skills UK) developed cybersecurity apprenticeship and degree apprenticeship programs, working with organizations such as the IISP, (ISC)², BCS, CREST and others.
These initiatives are critical parts of the campaign to address the skills shortage, but more needs to be done to teach the skills, and equally importantly the ethics, of cybersecurity within secondary education, or even earlier. We also need to build security modules into more general courses in technology fields such as application development or hardware design, so that those who go on to build systems have been taught to build them securely.
Most of the current initiatives in cybersecurity project the discipline as almost exclusively technical. Whilst technical skills are undoubtedly important, such a narrow focus is damaging and dangerous. It perpetuates the myth that cybersecurity is the preserve of the male ‘geek’. In reality, cybersecurity is a much broader church covering issues such as audit, compliance monitoring, threat intelligence, incident management, education and training, and culture change.
Each of these requires a significantly different, and often broader, set of skills from those of the deeply technical specialist. Developing diversity in the profession is critically important, and there is a great deal more to do in this space as part of the broadening and expansion of the industry.
The other thing that needs to be recognized is that cybersecurity is a ‘profession of professions’, as concluded in a study run by the Information Assurance Advisory Council (IAAC). The flow of professionals from other disciplines into cybersecurity remains an essential part of the picture. The cybersecurity profession needs IT professionals, engineers, auditors and legal professionals to recognize and accept that they are ‘dual-hatted’: they are also cybersecurity professionals who themselves play a part in protecting information and data.
There may be turbulent waters to sail through and many challenges ahead, but if that is the price to pay to achieve better outcomes in cybersecurity then so be it.