Closing the cybersecurity skills gap


When most people think of cybersecurity and cybercrime, the first thing they might think of is antivirus software or even anti-malware software. Yet how many of the students who collected their GCSEs or A Levels in the summer will know what a CISO is? A cryptographer? A threat hunter? A malware analyst? A penetration tester?

The latter may elicit giggles, but all of these absolutely essential job roles in IT security are likely to be met with blank faces by the vast majority of students starting to think about their future career.

Despite the UK’s cybersecurity sector being worth over $5 billion and widely regarded as the largest in Europe, it suffers from a real (and growing) scarcity of talent. More than half of all businesses and charities are facing a basic technical cybersecurity skills gap, falling to 18% in the public sector. 

We hear so much about how the younger generation are inseparable from their devices and can master new technologies and apps far faster than their older peers. At the same time, we also hear about (or experience) the damage of data breaches and hacks to personal accounts, companies, and national infrastructure.

In this current digital-first climate, why then are we not seeing more young people pursue careers in IT security? This is even more puzzling when we consider the rising cost of a university education and growing scrutiny of the value of degrees. To put it in perspective: the average annual salary for jobs in cybersecurity is £72,500, a good deal more than the average grad salary of £23,000. It’s not only our young people who are potentially missing out – but the UK economy too.

About the author

James Lyne is the CTO at the SANS Institute.

A threat to national security?

I can’t think of one business in the UK that isn’t reliant on technology and doesn’t participate in our digital economy in some shape or form. This means that every organisation is also at risk of something going wrong somewhere; data breaches and hacks (both internal and external) can affect us all. 

A lack of specialised skills in the IT service management sector will negatively impact the UK’s ability to defend itself against increasingly sophisticated threats. This fact hasn’t gone unnoticed by the UK government. At the end of last year, the then Minister for Digital and the Creative Industries, Margot James, highlighted cybersecurity as ‘a top priority for the government - it is central not only to our national security but also fundamental to becoming the world’s best digital economy.’ 

Recognising the skills gap, the government launched an Initial Cyber Security Skills strategy, promising £2.5 million in funding to establish a UK Cyber Security Council to develop a skilled workforce for the future. This is a positive move, but it isn’t only the task of the government to address the skills shortage. In August of this year the Government appointed the Institution of Engineering and Technology (IET) as the lead organisation to design and deliver the new UK Cyber Security Council, so we wait to see what changes this will bring. 

Taking collective responsibility

The responsibility for closing the skills gap and promoting cybersecurity as a rewarding, beneficial and highly-valued career choice does not fall to a single party. Instead, it must be the work of stakeholders from multiple areas: government and private investors, the cybersecurity industry, education, trade bodies, not-for-profit organisations, IT department heads and HR.

Importantly, these parties mustn’t wait for the problem to become even worse before they address it, or be too reliant on encryption software. It’s already pretty acute, and with the ramifications of Brexit still not fully understood, further brain-drain from the UK back to Europe is a real possibility. The time to act, therefore, is now. 

Firstly, there must be more awareness among companies – of all sizes and operating across all sectors – of the importance of investing in security talent. According to a DCMS survey released earlier this year, the average cybersecurity team in the UK is made up of just two employees. It stands to reason that over half of organisations, according to the same report, aren’t confident in dealing with a cybersecurity attack. 

The UK’s National Cyber Security Centre is a good first port-of-call for addressing this, featuring free resources for companies looking to boost their security capabilities. Creating more job roles and elevating the status of cybersecurity within a business is all well and good, but the talent must come from somewhere. The answer lies in the nation’s schools and colleges.

Back to school

To return to one of the questions asked at the outset (why are we not seeing more young people pursue careers in IT security?): young people can’t pursue careers they don’t know exist or that don’t appeal. Children grow up learning about traditional job roles such as doctors, dentists and nurses, and (by social media osmosis) less traditional ones like influencers and vloggers. We also need to improve gender diversity in IT.

The rewards of cybersecurity must therefore be championed at an early age and integrated into the curriculum in much the same way as subjects like English, Maths and Drama are. These are widely-recognised subjects of university and further study, so why can’t we highlight IT security as a similarly viable path?

We’ve already seen some success with this approach, with the government-backed Cyber Discovery programme now just starting its third year. Nearly 50,000 students aged 13 to 18 have taken part in the first two years, following the launch of the free cybersecurity training programme. 

Taking place in homes and schools up and down the country, Cyber Discovery uses gamification to teach and demonstrate the basics of cybersecurity (including areas like forensics, coding and cryptography) in a safe, challenging and fun way. Importantly, it provides enough of a challenge for teens who want to test their skills in real-world scenarios to stop them getting into trouble testing them out for real without permission.

Filling the gap

By 2021, there’ll be a predicted 3.5 million unfilled cybersecurity positions worldwide, according to Cybersecurity Ventures. We naturally need to ensure that the proportion of empty roles in the UK is as small as possible. However, we also have a wider responsibility to ensure that the global cybersecurity industry is buoyant, diverse, and sustainable. 

Technology and the internet are universal, and it’s crucial that cyber talent is similarly unrestricted by borders. Education on the importance of the sector should start at an early age (with public and private sector buy-in), and continue with ongoing investment in in-house and outsourced IT talent across all industries.



James Lyne


He is the Global Head of Security Research at Sophos, one of the world's largest security firms. He is a security researcher in topics ranging from malware (malicious code like viruses or trojans) to hacking. He loves to take time to rip things apart and build live working demonstrations. He is passionate about sharing amazing developments in technology and security challenges with the world and spends much of his time on a stage or delivering impromptu lectures to willing victims in coffee shops. He loves to find ways to simplify topics, make them accessible and entertaining. He takes great pride in not just being a talking head but being able to do his own presentations, research and being a senior director. Sometimes people are 'surprised' he is technical, which is fun. Been on TV a few times, Newsnight, Sky, Bloomberg etc. Presented on the TED main stage at Long Beach. Frequent keynotes at industry events. Certified instructor for SANS. He does professional public speaking when someone wants to do something awesome, fun and memorable. He gets around. If you spot him on your travels come and say hello.