How Do You Solve A Problem Like The Cyber Security Skills Gap?

Almost half of UK businesses have a basic skills gap where cyber security is concerned, according to the latest Cyber Security Skills in the UK Labour Market report. This means that often, the people in charge of cyber security in those organisations don’t have the skills or confidence to carry out the basic tasks laid out in the government-endorsed Cyber Essentials scheme.

Since the pandemic, we’ve seen an enormous increase in the number of cyber attacks and actual breaches of organisations with the UK the third most attacked country behind the US and France.  

With attacks continuing to increase, the cyber skills gap is a worrying trend. It may come as a surprise to some people, but cyber security is not about technology – it's about people. It doesn’t matter what technologies or processes an organisation works with; it is crucial to get the human element of cyber right and organisations are struggling with this.

So, why is hiring into cyber security roles so difficult and what can organisations do to ensure they have cyber security covered from a people perspective?

A Balanced Approach To Hiring Into Cyber Security

Many organisations approach cyber security recruitment by focusing on candidates’ qualifications but relying on theoretical knowledge significantly limits the talent pool. There is an industry discussion taking place on qualifications versus experience versus talent with people debating whether certificates such as CISSP are important or not. However, cyber security isn’t a regulated industry at all; it isn’t the same as wanting to become a lawyer and needing to pass the bar – there is no equivalent industry benchmark in cyber security. Instead, there are a plethora of qualifications which some people set great store by, and others label as irrelevant because qualifications don’t tell you if a person would be good at cyber security. Cyber security job advertisements often state that 5 years’ experience is required in areas of cyber security which have only been around for 3 years. So, it is more important to find out how quickly a candidate grasps new ideas and discover if they are enthusiastic and motivated to keep up to date with industry trends and ways of working.

Of course, inexperienced people cannot be leading an incident response situation – that would be disastrous. But experienced people can work alongside inexperienced employees and guide them, giving them exposure to and experience of cyber incidents and how to solve them.

By hiring people for their abilities, not their experience and qualifications, and supporting them in the role, organisations can build effective cyber security teams.

Why Successful Organisations Need Specialist Skills

Cyber security has many fields of expertise and expecting someone to excel across all of them isn’t realistic. Additionally, you need different ways of thinking within an organisation if you want to stand a hope of managing the complex world of cyber security and actively recruiting and supporting neurodivergent people into cyber security roles can bring with it many benefits and competitive advantages – be it different skills, mindsets, or ways of working. 

Cyber security includes areas such as compliance and audit, risk assessment and management, penetration testing and security testing, security monitoring and defence, incident response, and cloud security etc. They are all different areas that people will be skilled in but within each of those domains, specific skill sets are required to solve the various challenges that arise. It would be unusual to find someone who was good at every aspect of cyber security. In fact, specialists are needed within a security operation centre as generalists can manage a team but if there’s an incident, you need people who can solve it quickly and competently.

The SANS Cyber Security Retraining Programme

The key to creating a great cyber security team is to recruit for the future by making sure you’ve got the people in place to be the backbone of your security expertise. These people may not be experienced from day one, but they will eventually get there. Retraining people to work in the cyber security industry is one way to address the cyber skills gap and e2e-assure has had great success working with the SANS Cyber Training Academy and hiring graduates from their programmes. 

SANS first partnered with the UK government to offer a cyber security retraining programme in 2015. The programme targeted and trained untapped talent to turn into SANS graduates ready for entry-level roles following an intensive 10-week course. Hiring graduates from the scheme helps organisations plug gaps in their cyber security team without having to rely on qualifications or experience. Of course, organisations do need someone who understands cyber security risk management to mentor and continue to train these new recruits on the job. 

Tapping Into A Variety Of Backgrounds

Graduates from the SANS retraining programme have very varied backgrounds with some people having no previous experience of working in cyber security or even in IT. Traffic wardens, retail assistants and former mariners have all passed through the academy with success and gone on to prove that a technical background is not necessary to becoming a cyber security professional. e2e-assure has hired several SANS graduates and worked to build the right working environment and company culture to make them and all new employees feel supported and secure. The company has even changed its HR and working practices to attract and retain the best talent.

Cyber security teams need people who have a real desire to learn, great problem-solving skills, attention to detail and curious minds. These are attributes which are very hard to teach. When organisations take a step back and focus on the people they are hiring, not expertise and qualifications, they stand a much better chance of finding the staff they need. 

Rob Demain is CEO of e2e-assure

You Might Also Read: 

The Cyber Skills Shortage Is Not Getting Any Better:

 

« Cyber Attacks Cause Catastrophic Business Loss
Who Was Responsible For Hacking Both IBM & Stanford University? »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Qualitèsoft Technology

Qualitèsoft Technology

Qualitèsoft Technology is a leading Software Development and Quality Assurance organization. We specialize in Custom Development, Mobile Application, Software Testing and Quality Assurance.

AMETIC

AMETIC

AMETIC, is the Association of Electronics, Information and Communications Technologies, Telecommunications and Digital Content Companies in Spain.

Guidewire

Guidewire

Guidewire Cyence™ Risk Analytics is a cloud-native economic cyber risk modeling solution built to help the insurance industry quantify cyber risk exposures.

Cipher Tooth

Cipher Tooth

CipherTooth is a superior system for delivering secure content over the Internet.

Entersekt

Entersekt

Entersekt is an innovator in push-based authentication and app security.

SecLytics

SecLytics

SecLytics is the leader in Predictive Threat Intelligence. Our SaaS-based Augur platform leverages behavioral profiling and machine learning to hunt down cyber criminals.

Swiss Cyber Storm

Swiss Cyber Storm

Swiss Cyber Storm is a non profit organization hosting the international Swiss Cyber Storm Conference and running the Swiss part of the European Cyber Security Challenges.

ENLIGHTENi

ENLIGHTENi

ENLIGHTENi are the platform to develop next-gen talent in Technology, Risk, and Cybersecurity. Our mission is to develop next-gen talent through challenge-based learning and team collaboration.

Global EPIC

Global EPIC

Global EPIC is an international cybersecurity initiative designed to combat growing world challenges by facilitating global collaboration in the field of cyber security.

Kiuwan

Kiuwan

Kiuwan provide software security solutions with SAST and SCA source-code analysis that fit into your DevOps process.

Informatics International

Informatics International

Informatics is a leading ICT provider in Sri Lanka, providing cutting-edge software & infrastructure solutions and services including cyber security.

Asimily

Asimily

Asimily’s IoMT risk remediation platform holistically secures the mission-critical healthcare devices that deliver safe and reliable care.

Beyon Cyber

Beyon Cyber

Beyon Cyber offer a complete portfolio of advanced solutions & services for cyber security in Bahrain.

Sirti

Sirti

Sirti is Italy's leading technology company in the design and production of network infrastructures and telecoms system integration.

ITRM

ITRM

ITRM are one of the UK’s top managed service providers and offer a range of award-winning IT solutions, from ad-hoc consultancy to cyber security.

Gcore

Gcore

Gcore is an international leader in public cloud and edge computing, content delivery, hosting, and security solutions.