Is Standardisation Of The Cybersecurity Profession A Good Thing?
As a profession, cybersecurity has continually morphed and evolved in response to technological change. From the days of safeguarding mainframes and perimeterised networks through to the demands of securing deperimeterised cloud-based environments today, a host of specialisms have emerged and some have even converged, such as DevSecOps, illustrating that the industry is highly flexible and adaptive.
But the current skills shortage indicates that market can’t always keep pace. The 2022 Cybersecurity Skills Gap report found half of organisations globally are looking for cloud security specialists and the gap is widening. The Department for Digital, Media Culture and Sport (DCMS) initially estimated there would be an annual shortfall of 10,000 entering the cybersecurity sector but revised that last year to 14,000. This suggests there may well be some disparity between the skills being acquired versus those needed which is backed up by another DCMS report which found the single most common reason cited for being unable to fill vacancies was a lack of technical skills and knowledge.
Part of the problem comes down to that very flexibility we referred to before. The sector has evolved and expanded making it very difficult to identify the skillsets, qualifications and experience needed for particular roles. There’s a great deal of obfuscation and confusion and this in turn prevents individuals from working their way up the ladder to their career goal.
Pathways To Success
To help address this issue, the UK Cyber Security Council has been tasked with establishing the Cyber Pathways Framework. This will map out 16 careers as well as establishing a universally recognised professional standard which will allow practitioners to be certified at either Associate, Principal or Chartered level across those specialisms. Achieving the Council’s professional standard will provide practitioners with an independent seal of approval, with their status recorded on a secure register of practitioners and cybersecurity professionals will be able to register for accreditation later this year.
Effectively, the framework will standardise routes across the profession for the first time, providing some much-needed clarity on how you can progress from your current position through to the lofty heights of CISO.
It’ll provide baselines for achieving Associate, Principal or Chartered level across those 16 specialisms which will be rigorously assessed, with ISACA, for instance, due to oversee the chartered Audit and Assurance specialism.
In doing so, it will put the industry on a par with the legal and accountancy sectors as a profession in its own right.
However, formal standardisation of the sector does of course introduce some elements of rigidity, and this can cause problems. For instance, one of the reasons why companies are finding it so difficult to fill cybersecurity vacancies is that there’s an over emphasis on qualifications, with hirers looking for specific certifications when selecting candidates. The most commonly requested certification is the Certified Information Systems Security Professional (CISSP) with 39 percent of postings asking for this during 2022. When Chartered status was initially proposed, it was thought it could be used to help screen applicants, but this means there’s a danger it may see hirers further whittle down the list of applicants they are willing to consider.
Tapping Into New Talent
With insufficient entrants to the profession, realisation is dawning that hirers will have to cast their nets more widely and rethink their recruitment drives. As it turns out, 46 percent of the current cybersecurity workforce entered their current role from a non-cyber role and there’s now much more emphasis on helping applicants with the right aptitude and soft skills, such as communication and problem solving, to upskill.
Diversity drives are also helping to open up the industry and, after training, flexible working and certifications, DEI initiatives are the next highest investment companies are making to try and close the workforce gap. There’s undoubtedly untapped talent here, with minorities still under-represented in the industry. In 2022, a quarter of the workforce came from ethnic backgrounds, 22 percent were female, 10 percent were neurodivergent and 8 percent were disabled. However, according to a report on Understanding the Cyber Security Recruitment Pool, minority candidates have felt pushed out of the industry because “it’s too difficult to progress”.
So, the question is with the cyber pathways cater for both these pools of talent or will it reinforce the status quo? It’s great that the Chartered status will elevate the profession and recognise high achievers but we also need to consider that only 14 percent of ethnic minorities, 13 percent of women, six percent of neurodivergent and three percent of disabled professionals are in senior cyber roles. What we don’t want to do is create a new glass ceiling.
The Cyber Pathways Framework and Chartered status are welcome developments. But we need to ensure they’re inclusive and provide a means to attract and funnel new talent into the profession as well.
Jamal Elmellas is COO of Focus-on-Security
You Might Also Read:
More Women Needed In Cyber Security:
___________________________________________________________________________________________
If you like this website and use the comprehensive 6,500-plus service supplier Directory, you can get unrestricted access, including the exclusive in-depth Directors Report series, by signing up for a Premium Subscription.
- Individual £5 per month or £50 per year. Sign Up
- Multi-User, Corporate & Library Accounts Available on Request
- Inquires: Contact Cyber Security Intelligence
Cyber Security Intelligence: Captured Organised & Accessible