Britain's Workforce Has Too Few High Level Cyber Skills

Uploaded on 2019-11-15 in JOBS-Training, JOBS-Careers, FREE TO VIEW

The UK government recently announced its second audit into the state of the country’s cyber security workforce. 
 
Ipsos MORI and the Institute of Criminal Justice Studies at the University of Portsmouth carried out the survey of private businesses, public sector organisations and charities which focus on issues around the employment and training of cyber security professionals. 
 
The 2019 survey highlights the persistent threat of cyber attacks facing businesses and charities with around a third of businesses (32%) and a fifth of charities (22%) having suffered a cyber breach or attack in the past 12 months. This represented a significant fall in the number of businesses identifying breaches (down from 43% in 2018, and 46% in 2017). The charities result was similar to 2018.
 
The audit looks to build on the findings of its first report, published last year, which revealed that more than half of all UK businesses had a “basic technical cyber security skills gap”. 51 per cent, for example, admitted they weren’t confident in carrying out a cyber security risk assessment, while 47 per cent lacked confidence in developing security policies.
 
The capacity for more high-level technical tasks was even more problematic, with around three in five businesses unconfident in their ability to conduct penetration testing or perform forensic analysis of their own data. 
 
The previous audit also found that just under half of all businesses felt they were insufficiently skilled to deal with a cybersecurity breach or attack. This is particularly worrying when you consider the risks that they face. One report found that UK businesses faced an average of around 146,000 attempted attacks between April and June this year, one every 50 seconds.
 
The hope is that this year’s audit will find an improved situation. Otherwise, the way in which businesses recruit and train cybersecurity professionals is in urgent need of change.
 
Among organisations identifying breaches or attacks, the most common types identified are phishing attacks, identified by 80% of businesses and 81% of charities, followed by instances of others impersonating an organisation in emails or online (28% of businesses and 20% of charities) and viruses or other, spyware or malware, including ransomware attacks (identified by 27% of businesses and 20% of charities).
 
This year’s survey shows that cyber security is a growing priority for senior management, with over three-quarters of UK businesses (78%) and charities (75%) saying that cyber security is a high priority for their senior management. This is a significant increase since 2018 when these proportions were 74% for businesses and 53% of charities. According to last year’s audit, 46 per cent of businesses write the term “cyber security” into IT job descriptions. This may prove limiting to the performance of these employees, however, and could even jeopardise an organisation’s security. 
 
After all, just as there’s no one single type of cyber attack, there is no one single type of cyber security professional. An expert in digital forensics, for example, may not be so knowledgeable when it comes to web or application security. Indeed, a tendency toward generalisation may be contributing to the current skills gap. While it’s encouraging that almost a third of businesses have tried to recruit for cyber security roles over the last three years, deeply embedded legacy processes often drive the requirement for a more culturally astute solution.
 
It’s of course perfectly natural for HR teams to be involved in the hiring of cyber talent. But an absence of specialist technical knowledge can mean that, when filtering candidates, they can be over-dependent on formal accreditation and certifications. 
 
Reflecting this change in attitudes, there have also been shifts in action taken in this latest survey: 
  • More businesses (57%, vs. 51% in 2018) and charities (43%, vs. 27% in 2018) update their senior management on actions taken around cyber security at least once a quarter.
  • Both businesses (27%, vs. 20% in 2018) and charities (29%, vs. 15% in 2018) are more likely to have had staff attend any kind of cyber security training in the last 12 months.
  • Written cyber security policies are more common both among businesses (33%, vs. 27% in 2018) and charities (36%, vs. 21% in 2018). 
Insights from the qualitative interviews suggests that GDPR has encouraged many organisations over the past year to engage formally with cyber security for the first time, and others to strengthen their existing policies and processes. However, the survey also shows that there is more that organisations can do to protect themselves from cyber risks.
 
This includes important actions which are still relatively uncommon, such as board-level involvement in cyber security, monitoring suppliers and planning incident response.
 
Alternate Education Paths
On a governmental level, there is increasing scrutiny of our education system and its ability to support those who choose alternate career paths. According to the UK Institute for Fiscal Studies, less trodden yet in-demand new career paths are seriously underfunded. The cyber industry is one of the greatest exponents of this lack of funding. It is growing in both demand and complexity, yet even university courses related to it receive less funding when compared to their traditional counterparts. It would come as no surprise to find that non-traditional educational paths receive even less government attention. 

 This hole in state funding is made worse by the realisation that government spending per higher education students has fallen since 2010, and it is no higher today than it was a quarter of a century ago. 

Creativity and Self-Learning
The lack of educational investment is driving companies to upskill their workforces in other ways. This means training staff on the job or finding alternative routes to upskill their teams. Many training courses tend to be largely classroom based. 
They offer a tried-and-tested approach, but the prescriptive style of teaching employed doesn’t provide the hands-on rigour required to test and push high-performing cyber security professionals.
 
The inquisitive nature of the industry and the ‘hacking’ ethos associated with it has provoked a move to more on-the-job training. In this instance, professionals are able to see first-hand how destructive many threats can be and pick them apart to find out exactly how they operate. This approach also involves a crucial element that a traditional classroom lacks: creativity.
 
The number of businesses reporting cyber incidents rose from 45 per cent in 2018 to 61 per cent in 2019. There is a clear requirement to address the gap in educational funding, as well as the change in cultural mindset required to protect UK businesses. 
 
New Statesman:       IPSOS:
 
You Might Also Read: 
 
Closing The Skills Gap Starts At School:
 
 
 
« The Future Of Cybersecurity Jobs
A Cyber Security Audit »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

KFSensor

KFSensor

KFSensor is an advanced 'honeypot' intrusion and insider threat detection system for Windows networks.

sic[!]sec

sic[!]sec

sic[!]sec provide products and services for web application security.

Korea Information Security Industry Association (KISIA)

Korea Information Security Industry Association (KISIA)

KISIA is a non-profit organization for the information security industry in Korea.

Canadian Security Intelligence Service (CSIS)

Canadian Security Intelligence Service (CSIS)

CSIS collects and analyzes threat-related information concerning the security of Canada in areas including terrorism, espionage, WMD, cybersecurity and critical infrastructure protection.

ETAS

ETAS

ETAS (formerly Escrypt) is a pioneer and one of today’s leading solution providers for embedded IT security.

Seqrite

Seqrite

Seqrite offers a highly advanced range of enterprise and IT security solutions to protect your organization's most critical data.

Accertify

Accertify

Accertify is a leading provider of fraud prevention, chargeback management, and payment gateway solutions.

Shieldfy

Shieldfy

Shieldfy is a cloud-based security shield for your website to protect it from cyber attacks and malwares.

Hack The Box

Hack The Box

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.

ISMS Accreditation Center (ISMS-AC)

ISMS Accreditation Center (ISMS-AC)

ISMS-AC is the national accreditation body for Japan. The directory of members provides details of organisations offering certification services for ISO 27001.

ERI

ERI

ERI is the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States.

FoxTech

FoxTech

FoxTech is an independent, friendly and deeply specialised cyber security company in the UK, with expertise spanning decades of Public Sector and Government services.

Ministry of Electronics & Information Technology (MeitY)

Ministry of Electronics & Information Technology (MeitY)

The Ministry of Electronics & Information Technology is an executive agency responsible for IT policy, strategy and development of the electronics industry.

Information Security Officers Group (ISOG)

Information Security Officers Group (ISOG)

ISOG's mission is to strengthen information security through awareness and education programs, promoting community and fellowship among information security leaders.

Central Intelligence Agency (CIA)

Central Intelligence Agency (CIA)

The CIA is an independent agency responsible for providing national security intelligence to senior US policymakers. This includes cyber security related activities.

Plex IT

Plex IT

Plex IT provides managed IT services to organisations along with managed security services.