How Do You Solve A Problem Like The Cyber Security Skills Gap?

Uploaded on 2022-07-20 in JOBS-Training, JOBS-Careers, FREE TO VIEW

Almost half of UK businesses have a basic skills gap where cyber security is concerned, according to the latest Cyber Security Skills in the UK Labour Market report. This means that often, the people in charge of cyber security in those organisations don’t have the skills or confidence to carry out the basic tasks laid out in the government-endorsed Cyber Essentials scheme.

Since the pandemic, we’ve seen an enormous increase in the number of cyber attacks and actual breaches of organisations with the UK the third most attacked country behind the US and France.  

With attacks continuing to increase, the cyber skills gap is a worrying trend. It may come as a surprise to some people, but cyber security is not about technology – it's about people. It doesn’t matter what technologies or processes an organisation works with; it is crucial to get the human element of cyber right and organisations are struggling with this.

So, why is hiring into cyber security roles so difficult and what can organisations do to ensure they have cyber security covered from a people perspective?

A Balanced Approach To Hiring Into Cyber Security

Many organisations approach cyber security recruitment by focusing on candidates’ qualifications but relying on theoretical knowledge significantly limits the talent pool. There is an industry discussion taking place on qualifications versus experience versus talent with people debating whether certificates such as CISSP are important or not. However, cyber security isn’t a regulated industry at all; it isn’t the same as wanting to become a lawyer and needing to pass the bar – there is no equivalent industry benchmark in cyber security. Instead, there are a plethora of qualifications which some people set great store by, and others label as irrelevant because qualifications don’t tell you if a person would be good at cyber security. Cyber security job advertisements often state that 5 years’ experience is required in areas of cyber security which have only been around for 3 years. So, it is more important to find out how quickly a candidate grasps new ideas and discover if they are enthusiastic and motivated to keep up to date with industry trends and ways of working.

Of course, inexperienced people cannot be leading an incident response situation – that would be disastrous. But experienced people can work alongside inexperienced employees and guide them, giving them exposure to and experience of cyber incidents and how to solve them.

By hiring people for their abilities, not their experience and qualifications, and supporting them in the role, organisations can build effective cyber security teams.

Why Successful Organisations Need Specialist Skills

Cyber security has many fields of expertise and expecting someone to excel across all of them isn’t realistic. Additionally, you need different ways of thinking within an organisation if you want to stand a hope of managing the complex world of cyber security and actively recruiting and supporting neurodivergent people into cyber security roles can bring with it many benefits and competitive advantages – be it different skills, mindsets, or ways of working. 

Cyber security includes areas such as compliance and audit, risk assessment and management, penetration testing and security testing, security monitoring and defence, incident response, and cloud security etc. They are all different areas that people will be skilled in but within each of those domains, specific skill sets are required to solve the various challenges that arise. It would be unusual to find someone who was good at every aspect of cyber security. In fact, specialists are needed within a security operation centre as generalists can manage a team but if there’s an incident, you need people who can solve it quickly and competently.

The SANS Cyber Security Retraining Programme

The key to creating a great cyber security team is to recruit for the future by making sure you’ve got the people in place to be the backbone of your security expertise. These people may not be experienced from day one, but they will eventually get there. Retraining people to work in the cyber security industry is one way to address the cyber skills gap and e2e-assure has had great success working with the SANS Cyber Training Academy and hiring graduates from their programmes. 

SANS first partnered with the UK government to offer a cyber security retraining programme in 2015. The programme targeted and trained untapped talent to turn into SANS graduates ready for entry-level roles following an intensive 10-week course. Hiring graduates from the scheme helps organisations plug gaps in their cyber security team without having to rely on qualifications or experience. Of course, organisations do need someone who understands cyber security risk management to mentor and continue to train these new recruits on the job. 

Tapping Into A Variety Of Backgrounds

Graduates from the SANS retraining programme have very varied backgrounds with some people having no previous experience of working in cyber security or even in IT. Traffic wardens, retail assistants and former mariners have all passed through the academy with success and gone on to prove that a technical background is not necessary to becoming a cyber security professional. e2e-assure has hired several SANS graduates and worked to build the right working environment and company culture to make them and all new employees feel supported and secure. The company has even changed its HR and working practices to attract and retain the best talent.

Cyber security teams need people who have a real desire to learn, great problem-solving skills, attention to detail and curious minds. These are attributes which are very hard to teach. When organisations take a step back and focus on the people they are hiring, not expertise and qualifications, they stand a much better chance of finding the staff they need. 

Rob Demain is CEO of e2e-assure

You Might Also Read: 

The Cyber Skills Shortage Is Not Getting Any Better:

 

« Cyber Attacks Cause Catastrophic Business Loss
Who Was Responsible For Hacking Both IBM & Stanford University? »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Council of European Professional Informatics Societies (CEPIS)

Council of European Professional Informatics Societies (CEPIS)

CEPIS is the representative body of national informatics associations throughout Europe and represent over 450,000 ICT and informatics professionals in 32 countries.

Logpoint

Logpoint

Logpoint is a creator of innovative security platforms to empower security teams in accelerating threat detection, investigation and response with a consolidated tech stack.

DataVisor

DataVisor

DataVisor is a big data fraud detection and anti-money laundering solution.

National Cyber Security Centre (CNCS) - Portugal

National Cyber Security Centre (CNCS) - Portugal

CNCS is the operational coordinator and Portuguese national authority in cybersecurity working with State entities, and digital service providers

Armadillo Sec

Armadillo Sec

Armadillo provide penetration testing and vulnerability assessment services.

Smokescreen

Smokescreen

Smokescreen's IllusionBLACK employs deception technology to detect, deflect and defeat advanced hacker attacks.

Awen Collective

Awen Collective

Awen Collective develops software-based tools for performing Digital Forensics, Incident Response and Cyber-Crime Investigation.

Aporeto

Aporeto

The Aporeto platform protects cloud applications from attack by authenticating and authorizing all communications with a cryptographically signed identity assigned to every workload.

Red Points

Red Points

Red Points protects your brand and content in the digital environment.

C5 Capital

C5 Capital

C5 Capital is a specialist investment firm that exclusively invests in the secure data ecosystem including cybersecurity, cloud infrastructure, data analytics and space.

SAFECode

SAFECode

SAFECode is a global industry forum where business leaders and technical experts come together to exchange insights on creating, improving, and promoting effective software security programs.

Arkphire

Arkphire

Arkphire provide solutions across every aspect of IT to help your business perform better.

Core to Cloud

Core to Cloud

Core to Cloud provide consultancy and technical support for the planning and implementation of sustainable security strategies.

Sitehop

Sitehop

Sitehop is a cybersecurity technology company developing and supplying FPGA hardware-enforced cyber security solutions for networks.

PCCW Global

PCCW Global

PCCW Global is a leading communications service provider, offering mobility, voice and data solutions to multinational enterprises, telecomms partners, cloud and application service providers.

Bleach Cyber

Bleach Cyber

Bleach Cyber helps small businesses with an affordable and user-friendly solution for managing cloud security.