It’s no secret that the UK is suffering from a so-called skills shortage across many industries, but cyber security is one of the most impacted.
Approximately 697,000 businesses (51%) have a basic skills gap. That is, the people in charge of cyber security in those businesses lack the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme, and are not getting support from external cyber security providers. The most common of these skills gaps are in setting up configured firewalls, storing or transferring personal data, and detecting and removing malware.
Source: Cyber security skills in the UK labour market 2022 Findings Report – Department for Digital, Culture, Media & Sport, UK Government
However, this problem is not exclusive to UK businesses. The World Economic Forum has stated that 60% of businesses would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team”. ISACA, an international association focused on IT governance, discovered that 69% of those businesses that have endured a cyber attack in the last year were either somewhat or significantly understaffed.
The effects of these attacks can be catastrophic, with staff shortages in these departments leading to systems that are misconfigured, improper risk assessments, lack of oversight and threat awareness, and deployments being rushed through without strict security measures in place.
So what can businesses do to better recruit, train and retain employees and professionals in cyber security? Well first, we need to understand what is causing the skills shortage in the first place:
Why is there a ‘skills shortage’ in cyber security?
Qualifications and training
Three-quarters of cyber firms (73%) have provided training for staff in cyber roles in the last 12 months, compared to 1 in 5 (21%) businesses outside the cyber sector, according to the Cyber security skills in the UK labour market 2022 Findings Report. Relevant training within the cyber security industry remains much more common than in the wider private sector; however, the time taken to attend and deliver training is much higher than in other industries and requires significant time investment across several years.
For those outside the cyber sector, there’s a limited understanding and awareness of professional development pathways, relevant training, and a lack of emphasis on CPD (continued professional development) for those within cyber roles. The existence of low-quality cyber security training in the external training market also creates a challenge in distinguishing between good and bad quality training.
The COVID-19 pandemic has accelerated the use of digital tools in businesses and organisations across the globe now that end points have moved further afield. The progression in digitalisation has led to increasingly frequent, costly and harmful cyber incidents.
The global pandemic has proven just how interconnected all businesses and their subsequent departments are; increased digitalisation has propelled global businesses and the general population onto a whole new world of cyber threats and attacks.
Looking exclusively at the UK, there has been a record drop in EU immigration since Brexit. The number of EU citizens leaving the UK is at a 10-year high at over 130,000 citizens. There’s a clear requirement for more skilled workers within cyber security, but as businesses look towards a sea of continued uncertainty, employers have begun moving security functions and departments overseas or outsourcing to specified businesses.
Unfortunately, the Department for Culture, Media and Sport (DCMS) predicted these shortages would not improve, claiming there would be an annual shortfall of 10,000 new entrants to the cyber security industry. If this is the case, business defences will continue to weaken and become more exposed to threats and attacks.
How businesses can address the skills shortage in cyber security
Although there is no quick fix to the skills gap facing the cybersecurity industry, there are steps businesses can take:
Prioritise cyber security in wider-business decisions
The World Economic Forum discovered that although 92% of business executives agree that cyber resilience is integrated into risk management strategies at an enterprise level, only 55% of security-focused executives agreed with the same statement. Educating the wider business about the dangers of cyber security threats is important to protecting against incoming threats and attacks and building a cyber-resilient organisation.
Demand leadership support
84% of respondents say cyber resilience is considered a business priority in their organisation with support and direction from leadership, but a smaller number (68%) see cyber resilience as a major part of their overall risk management.
Source: Global Cybersecurity Outlook, World Economic Forum
It’s clear that many businesses still see cyber security as an afterthought. Security teams explain that they are not consulted in wider business decisions, which creates misalignment between teams and priorities, damages the identification and mitigation of security risks, and leads to less secure decisions.
Understand that tech isn’t the answer
The ISACA survey we referenced earlier found that only 17% of businesses think artificial intelligence and machine learning will help resolve the skills gap. In fact, technology seems to have aggravated the problem, with the average business now having between 20 and 70 different security solutions, creating an unnecessary stack of software to manage and maintain.
Not only this, but each tool requires specific training, wasting precious time and leading to ‘alert fatigue’ which can in turn create a high staff turnover, with 45% of those surveyed in ISACA’s report citing stress as a main reason for leaving. So how do businesses better recruit and retain cyber security professionals?
The key strategies currently are:
- Training existing non-cyber security team members
- Use of consultants and contractors
- AI and automation
- Upskilling existing cyber security professionals to meet the needs of the business
However, these strategies can all be costly, and with inflation affecting budgets and a recession looking like it’s on the horizon, we’re expecting these methods to become less effective. Therefore, the key way your business can address its cyber security skills shortage is…
Address your recruitment strategy
Resolving pipeline challenges and going to market will be the most effective way to address the problems within your business. With ISACA’s report finding that 94% of job descriptions emphasise experience as essential, and 88% require certifications, hiring managers can be segmenting a huge portion of their audience and drastically reducing potential candidates.
But it’s not just hiring managers; there’s evidence that points to HR departments being partly to blame by being out of touch with hiring managers. A report by DCMS and Ipsos MORI discovered recruiters thought suitable candidates were being excluded from shortlists because of filtering processes performed by HR. Comparably, hiring managers have claimed that job postings have not been written to match the criteria needed to fulfil these roles, leading to ‘unicorn’ job postings.
To improve recruitment strategies, the goal must be to attract more individuals to the industry, to widen the understanding that aptitude and soft skills hold value, and improve communication between HR and the hiring manager. Fortunately, there are already steps being taken to benefit everyone.
The UK Cyber Security Council is creating dedicated cyber career pathways across 16 speciality areas which will clearly lay out the certifications and experience required for each role. The Chartered Institute of Information Security (CIISec) has also developed a cyber-skills framework with the aim of helping the recruitment and retention of cybersecurity professionals across workplaces.
How can Intaso help?
We understand that not every business has the same cyber security talent shortages and demands. With a vast array of experience, we have the expertise to offer a complete set of innovative talent solutions tailored to every organisation no matter what their security maturity.
Discover how we can help you build a team of trusted cyber security recruiters, or contact us today with your desired specifications.