How Do You Solve A Problem Like The Cyber Security Skills Gap?

Almost half of UK businesses have a basic skills gap where cyber security is concerned, according to the latest Cyber Security Skills in the UK Labour Market report. This means that often, the people in charge of cyber security in those organisations don’t have the skills or confidence to carry out the basic tasks laid out in the government-endorsed Cyber Essentials scheme.

Since the pandemic, we’ve seen an enormous increase in the number of cyber attacks and actual breaches of organisations, with the UK the third most attacked country behind the US and France.

With attacks continuing to increase, the cyber skills gap is a worrying trend. It may come as a surprise to some people, but cyber security is not about technology – it's about people. It doesn’t matter what technologies or processes an organisation works with; it is crucial to get the human element of cyber right, and organisations are struggling with this.

So, why is hiring into cyber security roles so difficult and what can organisations do to ensure they have cyber security covered from a people perspective?

A Balanced Approach To Hiring Into Cyber Security

Many organisations approach cyber security recruitment by focusing on candidates’ qualifications, but relying on theoretical knowledge significantly limits the talent pool. There is an industry discussion taking place on qualifications versus experience versus talent, with people debating whether certificates such as CISSP are important or not. However, cyber security isn’t a regulated industry at all; it isn’t the same as wanting to become a lawyer and needing to pass the bar – there is no equivalent industry benchmark in cyber security. Instead, there is a plethora of qualifications, which some people set great store by and others label as irrelevant because qualifications don’t tell you if a person would be good at cyber security. Cyber security job advertisements often state that 5 years’ experience is required in areas of cyber security which have only been around for 3 years. So, it is more important to find out how quickly a candidate grasps new ideas and to discover whether they are enthusiastic and motivated to keep up to date with industry trends and ways of working.

Of course, inexperienced people cannot be leading an incident response situation – that would be disastrous. But experienced people can work alongside inexperienced employees and guide them, giving them exposure to and experience of cyber incidents and how to solve them.

By hiring people for their abilities, not their experience and qualifications, and supporting them in the role, organisations can build effective cyber security teams.

Why Successful Organisations Need Specialist Skills

Cyber security has many fields of expertise, and expecting someone to excel across all of them isn’t realistic. Additionally, you need different ways of thinking within an organisation if you want to stand a hope of managing the complex world of cyber security. Actively recruiting and supporting neurodivergent people into cyber security roles can bring with it many benefits and competitive advantages – be it different skills, mindsets, or ways of working.

Cyber security includes areas such as compliance and audit, risk assessment and management, penetration testing and security testing, security monitoring and defence, incident response, and cloud security. They are all different areas that people will be skilled in, but within each of those domains, specific skill sets are required to solve the various challenges that arise. It would be unusual to find someone who was good at every aspect of cyber security. In fact, specialists are needed within a security operations centre: generalists can manage a team, but if there’s an incident, you need people who can solve it quickly and competently.

The SANS Cyber Security Retraining Programme

The key to creating a great cyber security team is to recruit for the future by making sure you’ve got the people in place to be the backbone of your security expertise. These people may not be experienced from day one, but they will eventually get there. Retraining people to work in the cyber security industry is one way to address the cyber skills gap, and e2e-assure has had great success working with the SANS Cyber Training Academy and hiring graduates from their programmes.

SANS first partnered with the UK government to offer a cyber security retraining programme in 2015. The programme targeted untapped talent and, through an intensive 10-week course, trained them to become SANS graduates ready for entry-level roles. Hiring graduates from the scheme helps organisations plug gaps in their cyber security team without having to rely on qualifications or experience. Of course, organisations do need someone who understands cyber security risk management to mentor and continue to train these new recruits on the job.

Tapping Into A Variety Of Backgrounds

Graduates from the SANS retraining programme have very varied backgrounds, with some people having no previous experience of working in cyber security or even in IT. Traffic wardens, retail assistants and former mariners have all passed through the academy with success and gone on to prove that a technical background is not necessary to become a cyber security professional. e2e-assure has hired several SANS graduates and worked to build the right working environment and company culture to make them and all new employees feel supported and secure. The company has even changed its HR and working practices to attract and retain the best talent.

Cyber security teams need people who have a real desire to learn, great problem-solving skills, attention to detail and curious minds. These are attributes which are very hard to teach. When organisations take a step back and focus on the people they are hiring, not expertise and qualifications, they stand a much better chance of finding the staff they need. 

Rob Demain is CEO of e2e-assure
