Comment: Is there a skills gap in infosecurity, or just a lack of engagement?

Infosecurity companies need to ask themselves whether the problem lies with the recruitment process itself rather than the candidate pool
James Lyne, Sophos

The UK is facing a growing cybersecurity recruitment crisis that could ultimately put our personal information, our businesses and our national security at risk. As demand for cybersecurity expertise grows, the size of the talent pool from which IT security companies can pluck new employees is proving inadequate.

A recent survey by the SANS Institute of UK cybersecurity professionals revealed more than 90% have had difficulty filling vacancies. This worrying trend comes at a time when the need for skilled professionals is at its highest and only likely to increase in the future. What is more, the diminishing numbers of students taking both GCSE and A Level ICT show we need to act now to avoid a worsening problem.

In light of this potential crisis, infosecurity companies need to ask themselves whether the problem lies with the recruitment process itself rather than the candidate pool. Do we need to reassess what we look for in new candidates and whether there’s a more relevant approach to attracting the right talent? I believe what the SANS Institute survey really highlights is not a lack of ability in the UK but an outdated approach to recruitment, and a lack of engagement with our amateur cybersecurity community.

This is the thinking behind the UK Cyber Security Challenge that launched last month and in which Sophos has been heavily involved. The challenge aims to identify the next generation of cybersecurity professionals through a series of national competitions. With more than 3300 people signed up after the first week, we can be sure the interest is there.

It is hoped that the Challenge will help Sophos and other industry employers widen the pool of talent and turn this initial interest into real candidates. But the UK’s problems run pretty deep, starting in schools. Information security is not a recognised skill amongst education decision-makers, and it is difficult to get the subject on their agenda.

Industry certificates are aimed more at university students or graduates. Furthermore, it is often difficult to identify relevant job references on candidates' CVs because few jobs are similar, making it tricky to assess a candidate’s suitability in a cybersecurity role. The result is that many people end up in the industry almost by accident rather than following a recognisable career path. As a consequence many in the industry, including myself, are pushing for more development of security expertise in the curriculum.

I got into IT security at a very early age after it was suggested to me by a teacher whose husband worked in the industry. She saw my passion for problem solving and math, and I luckily ended up in a position where I found out how interesting security can be in a real environment.

Unfortunately my story is the exception rather than the rule. The future of our industry cannot rely on teachers’ awareness of career opportunities in cybersecurity and ability to direct students who show potential. What we need is a new way of reaching the widest possible range of people to fill the increasing need for cybersecurity specialists. Most importantly, we need to demonstrate why this career path is interesting, rewarding and very necessary to the future protection of the UK.

At Sophos we have a lot of experience recruiting new people into the sector. We have learnt that like cybersecurity jobs themselves, finding the right person to fill a role is an art rather than a science. The range of skills required means there is no single way to become a good cybersecurity specialist and it’s up to us to get out into the job community, identify the talent and sing the praises of our profession.

Sophos has employed people from backgrounds as diverse as biologists studying genetic codes to chefs. While their academic background didn’t necessarily scream malware analyst, our recruitment process is geared towards identifying key problem-solving skills and a real aptitude for technology.

To further broaden our recruitment pool, we use a range of mechanisms – like social media – to reach candidates, as well as presenting at universities and other relevant security forums. By reaching out to the talent in the education system and online, we are giving ourselves a better chance of finding people with the ability to take our industry forward.

It is in this vein that Sophos got involved in the UK Cyber Security Challenge. We see the challenge as a working demonstration of this approach and its immediate success shows that if we do things differently we can grab attention from the right people, and drive a real change in the cybersecurity profession.

The aforementioned SANS Institute research also revealed that 60% of industry leaders foresaw an increase in the demand for experts as a result of growing security attacks. By acknowledging that the current approach no longer fits the audience we need to reach, and by taking steps in new directions – for example the Cyber Security Challenge – Sophos is part of a progressive community that is adapting in preparation to meet this test head on by finding new ways to engage the talent we know is out there.


Dr James Lyne is the senior technologist at security firm Sophos. In his current role, Lyne is focused on the five-year technology strategy at Sophos in the office of the CTO. Working with key business and technology trends and combining a detailed knowledge of threats, he extrapolates from the modern world of threat protection to explore the future of security and technology requirements. Aside from technology strategy, Lyne frequently engages with customers and industry forums to evangelize the security problem domains.