How Do You Solve A Problem Like The Cyber Security Skills Gap?

Uploaded on 2022-07-20 in JOBS-Training, JOBS-Careers, FREE TO VIEW

Almost half of UK businesses have a basic skills gap where cyber security is concerned, according to the latest Cyber Security Skills in the UK Labour Market report. This means that often, the people in charge of cyber security in those organisations don’t have the skills or confidence to carry out the basic tasks laid out in the government-endorsed Cyber Essentials scheme.

Since the pandemic, we’ve seen an enormous increase in the number of cyber attacks and actual breaches of organisations with the UK the third most attacked country behind the US and France.  

With attacks continuing to increase, the cyber skills gap is a worrying trend. It may come as a surprise to some people, but cyber security is not about technology – it's about people. It doesn’t matter what technologies or processes an organisation works with; it is crucial to get the human element of cyber right and organisations are struggling with this.

So, why is hiring into cyber security roles so difficult and what can organisations do to ensure they have cyber security covered from a people perspective?

A Balanced Approach To Hiring Into Cyber Security

Many organisations approach cyber security recruitment by focusing on candidates’ qualifications but relying on theoretical knowledge significantly limits the talent pool. There is an industry discussion taking place on qualifications versus experience versus talent with people debating whether certificates such as CISSP are important or not. However, cyber security isn’t a regulated industry at all; it isn’t the same as wanting to become a lawyer and needing to pass the bar – there is no equivalent industry benchmark in cyber security. Instead, there are a plethora of qualifications which some people set great store by, and others label as irrelevant because qualifications don’t tell you if a person would be good at cyber security. Cyber security job advertisements often state that 5 years’ experience is required in areas of cyber security which have only been around for 3 years. So, it is more important to find out how quickly a candidate grasps new ideas and discover if they are enthusiastic and motivated to keep up to date with industry trends and ways of working.

Of course, inexperienced people cannot be leading an incident response situation – that would be disastrous. But experienced people can work alongside inexperienced employees and guide them, giving them exposure to and experience of cyber incidents and how to solve them.

By hiring people for their abilities, not their experience and qualifications, and supporting them in the role, organisations can build effective cyber security teams.

Why Successful Organisations Need Specialist Skills

Cyber security has many fields of expertise and expecting someone to excel across all of them isn’t realistic. Additionally, you need different ways of thinking within an organisation if you want to stand a hope of managing the complex world of cyber security and actively recruiting and supporting neurodivergent people into cyber security roles can bring with it many benefits and competitive advantages – be it different skills, mindsets, or ways of working. 

Cyber security includes areas such as compliance and audit, risk assessment and management, penetration testing and security testing, security monitoring and defence, incident response, and cloud security etc. They are all different areas that people will be skilled in but within each of those domains, specific skill sets are required to solve the various challenges that arise. It would be unusual to find someone who was good at every aspect of cyber security. In fact, specialists are needed within a security operation centre as generalists can manage a team but if there’s an incident, you need people who can solve it quickly and competently.

The SANS Cyber Security Retraining Programme

The key to creating a great cyber security team is to recruit for the future by making sure you’ve got the people in place to be the backbone of your security expertise. These people may not be experienced from day one, but they will eventually get there. Retraining people to work in the cyber security industry is one way to address the cyber skills gap and e2e-assure has had great success working with the SANS Cyber Training Academy and hiring graduates from their programmes. 

SANS first partnered with the UK government to offer a cyber security retraining programme in 2015. The programme targeted and trained untapped talent to turn into SANS graduates ready for entry-level roles following an intensive 10-week course. Hiring graduates from the scheme helps organisations plug gaps in their cyber security team without having to rely on qualifications or experience. Of course, organisations do need someone who understands cyber security risk management to mentor and continue to train these new recruits on the job. 

Tapping Into A Variety Of Backgrounds

Graduates from the SANS retraining programme have very varied backgrounds with some people having no previous experience of working in cyber security or even in IT. Traffic wardens, retail assistants and former mariners have all passed through the academy with success and gone on to prove that a technical background is not necessary to becoming a cyber security professional. e2e-assure has hired several SANS graduates and worked to build the right working environment and company culture to make them and all new employees feel supported and secure. The company has even changed its HR and working practices to attract and retain the best talent.

Cyber security teams need people who have a real desire to learn, great problem-solving skills, attention to detail and curious minds. These are attributes which are very hard to teach. When organisations take a step back and focus on the people they are hiring, not expertise and qualifications, they stand a much better chance of finding the staff they need. 

Rob Demain is CEO of e2e-assure

You Might Also Read: 

The Cyber Skills Shortage Is Not Getting Any Better:

 

« Cyber Attacks Cause Catastrophic Business Loss
Who Was Responsible For Hacking Both IBM & Stanford University? »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

Authentic8

Authentic8

Authentic8 transforms how organizations secure and control the use of the web with Silo, its patented cloud browser.

Tresorit

Tresorit

Tresorit helps teams to collaborate securely and easily by protecting their data with end-to-end encryption.

Varonis

Varonis

Varonis provide a security software platform to let organizations track, visualize, analyze and protect their unstructured data.

Lookout

Lookout

Lookout is the data-centric cloud security company that uses a defense-in-depth strategy to address the different stages of a modern cybersecurity attack.

Nimbusec

Nimbusec

Nimbusec scans your website around the clock and informs immediately if it has been hacked or manipulated

Bulletproof Cyber

Bulletproof Cyber

Bulletproof offer a range of security services, from penetration testing and vulnerability assessments to 24/7 security monitoring, and consultancy.

KZ-CERT

KZ-CERT

KZ-CERT is the national Computer Emergency Response Team for Kazakhstan.

Haystax Technology

Haystax Technology

Haystax’s security analytics platform applies artificial intelligence techniques to identify and prioritize threats in real time.

AFCON Control & Automation

AFCON Control & Automation

AFCON is a leading global provider of software solutions and services for the smart management of Control & Automation systems in the age of Digital Transformation.

Nouveau

Nouveau

Nouveau Solutions is a specialist IT managed services company with a strategic focus on delivering cloud, infrastructure, compliance, network and security solutions.

Tetrad Digital Integrity (TDI)

Tetrad Digital Integrity (TDI)

TDI is a world-class consulting firm offering cybersecurity services to government agencies and commercial clients around the world.

CYMOTIVE Technologies

CYMOTIVE Technologies

Combining Israeli cyber innovation with a century of German automotive engineering. CYMOTIVE operates under the assumption that connectivity is a game changer for the automotive industry.

RealTyme

RealTyme

RealTyme is a secure communication and collaboration platform with privacy and human experience at its core.

Oasis Technology

Oasis Technology

Oasis Technology are experts in cyber security. In addition to pioneering the game-changing TITAN anti-hacking device, we provide extensive cyber security consulting services.

Prescott

Prescott

Prescott acts as your guiding light in the preparation for your CMMC assessment and long after by governing your cybersecurity practice.

HaystackID

HaystackID

HaystackID provides industry-leading computer forensics, eDiscovery, and attorney document review experts to help with complex, data-intensive investigations and litigation.

Alpha Echo

Alpha Echo

Specialising in security advice and enterprise-wide Cyberworthiness, Alpha Echo helps Australia deliver on cyber outcomes at a military grade level.