How Do You Solve A Problem Like The Cyber Security Skills Gap?

Uploaded on 2022-07-20 in JOBS-Training, JOBS-Careers, FREE TO VIEW

Almost half of UK businesses have a basic skills gap where cyber security is concerned, according to the latest Cyber Security Skills in the UK Labour Market report. This means that often, the people in charge of cyber security in those organisations don’t have the skills or confidence to carry out the basic tasks laid out in the government-endorsed Cyber Essentials scheme.

Since the pandemic, we’ve seen an enormous increase in the number of cyber attacks and actual breaches of organisations with the UK the third most attacked country behind the US and France.  

With attacks continuing to increase, the cyber skills gap is a worrying trend. It may come as a surprise to some people, but cyber security is not about technology – it's about people. It doesn’t matter what technologies or processes an organisation works with; it is crucial to get the human element of cyber right and organisations are struggling with this.

So, why is hiring into cyber security roles so difficult and what can organisations do to ensure they have cyber security covered from a people perspective?

A Balanced Approach To Hiring Into Cyber Security

Many organisations approach cyber security recruitment by focusing on candidates’ qualifications but relying on theoretical knowledge significantly limits the talent pool. There is an industry discussion taking place on qualifications versus experience versus talent with people debating whether certificates such as CISSP are important or not. However, cyber security isn’t a regulated industry at all; it isn’t the same as wanting to become a lawyer and needing to pass the bar – there is no equivalent industry benchmark in cyber security. Instead, there are a plethora of qualifications which some people set great store by, and others label as irrelevant because qualifications don’t tell you if a person would be good at cyber security. Cyber security job advertisements often state that 5 years’ experience is required in areas of cyber security which have only been around for 3 years. So, it is more important to find out how quickly a candidate grasps new ideas and discover if they are enthusiastic and motivated to keep up to date with industry trends and ways of working.

Of course, inexperienced people cannot be leading an incident response situation – that would be disastrous. But experienced people can work alongside inexperienced employees and guide them, giving them exposure to and experience of cyber incidents and how to solve them.

By hiring people for their abilities, not their experience and qualifications, and supporting them in the role, organisations can build effective cyber security teams.

Why Successful Organisations Need Specialist Skills

Cyber security has many fields of expertise and expecting someone to excel across all of them isn’t realistic. Additionally, you need different ways of thinking within an organisation if you want to stand a hope of managing the complex world of cyber security and actively recruiting and supporting neurodivergent people into cyber security roles can bring with it many benefits and competitive advantages – be it different skills, mindsets, or ways of working. 

Cyber security includes areas such as compliance and audit, risk assessment and management, penetration testing and security testing, security monitoring and defence, incident response, and cloud security etc. They are all different areas that people will be skilled in but within each of those domains, specific skill sets are required to solve the various challenges that arise. It would be unusual to find someone who was good at every aspect of cyber security. In fact, specialists are needed within a security operation centre as generalists can manage a team but if there’s an incident, you need people who can solve it quickly and competently.

The SANS Cyber Security Retraining Programme

The key to creating a great cyber security team is to recruit for the future by making sure you’ve got the people in place to be the backbone of your security expertise. These people may not be experienced from day one, but they will eventually get there. Retraining people to work in the cyber security industry is one way to address the cyber skills gap and e2e-assure has had great success working with the SANS Cyber Training Academy and hiring graduates from their programmes. 

SANS first partnered with the UK government to offer a cyber security retraining programme in 2015. The programme targeted and trained untapped talent to turn into SANS graduates ready for entry-level roles following an intensive 10-week course. Hiring graduates from the scheme helps organisations plug gaps in their cyber security team without having to rely on qualifications or experience. Of course, organisations do need someone who understands cyber security risk management to mentor and continue to train these new recruits on the job. 

Tapping Into A Variety Of Backgrounds

Graduates from the SANS retraining programme have very varied backgrounds with some people having no previous experience of working in cyber security or even in IT. Traffic wardens, retail assistants and former mariners have all passed through the academy with success and gone on to prove that a technical background is not necessary to becoming a cyber security professional. e2e-assure has hired several SANS graduates and worked to build the right working environment and company culture to make them and all new employees feel supported and secure. The company has even changed its HR and working practices to attract and retain the best talent.

Cyber security teams need people who have a real desire to learn, great problem-solving skills, attention to detail and curious minds. These are attributes which are very hard to teach. When organisations take a step back and focus on the people they are hiring, not expertise and qualifications, they stand a much better chance of finding the staff they need. 

Rob Demain is CEO of e2e-assure

You Might Also Read: 

The Cyber Skills Shortage Is Not Getting Any Better:

 

« Cyber Attacks Cause Catastrophic Business Loss
Who Was Responsible For Hacking Both IBM & Stanford University? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Securezoo

Securezoo

Securezoo's mission is to simplify and enhance information security by providing trusted security guidance, products, and information to small and mid-sized businesses and security professionals.

Grimm Cyber

Grimm Cyber

GRIMM makes the world a more secure place by increasing the cyber resiliency of our client’s systems, networks, and products.

Fox-IT

Fox-IT

Fox-IT prevents, solves and mitigates the most serious cyber threats with smart solutions for governmental bodies, defense, law enforcement, critical infrastructure, banking and large enterprises.

Cyber Security Specialists

Cyber Security Specialists

Cyber Security Specialists Limited provide Security services across a wide range of markets, from multi-national Corporate Organisations and Government Agencies, through to smaller Businesses.

Hivint

Hivint

Hivint is a new kind of Information Security professional services company enabling collaboration between our clients to reduce unnecessary security spend.

Spire Solutions

Spire Solutions

Spire Solutions is the Middle East & Africa region’s leading cybersecurity solution provider and value-added distributor (VAD).

National Cyber Security Agency (NACSA) Malaysia

National Cyber Security Agency (NACSA) Malaysia

NACSA is the leading government agency in Malaysia responsible for the development and implementation of national cyber security management policie and strategies.

Center for Research on Scientific & Technical Information (CERIST)

Center for Research on Scientific & Technical Information (CERIST)

CERIST is a scientific and technical research centre with activities focused in the area of networks, information systems and IT security.

Approachable Certification

Approachable Certification

Approachable Certification is a UKAS accredited certification body offering down-to-earth and competitively priced audits against ISO Management Systems standards.

Cloudentity

Cloudentity

Cloudentity combines Identity for all things with API and Application security in a unique deployment model, combining cloud-transformation and legacy systems.

Cyber Security Courses

Cyber Security Courses

Cyber Security Courses was formed to help students in the UK find cyber security courses online.

Axio Global

Axio Global

Axio is a leading cyber risk management SaaS company. Our Axio360 platform gives companies visibility to their cyber risk, and enables them to prioritize investments to protect their business.

IDX

IDX

IDX is the leading consumer privacy platform built for agility in the digital age.

Jericho Security

Jericho Security

Jericho Security is on a mission to defend the world from the new threats of generative AI cyber attacks.

Var Group

Var Group

Var Group is one of the main partners for innovation in the ICT sector in Italy.

FoxPointe Solutions

FoxPointe Solutions

FoxPointe Solutions is a full-service cyber risk management and compliance firm.