
Many organisations neglect practical training in their workforce development strategies, resulting in significant skills gaps. Haris Pylarinos at Hack The Box argues that gamified training that adapts to evolving cyber-security threats will improve technical skills.
Recent data from the UK government’s Cyber Security Skills in the UK Labour Market 2024 report reveals a worrying shortfall in essential technical skills across businesses. 44% of businesses have basic technical skills gaps, while 27% struggle with advanced skills, such as penetration testing.
This gap poses serious challenges for the security readiness of organisations nationwide, as threats and risks continue to escalate. For instance, the recent CrowdStrike outage created some vulnerabilities that hackers were able to exploit during cyber-attacks. Skills and cyber-resilience are essential to help tackle these kinds of challenges.
The skills gap demands a comprehensive approach that integrates hands-on upskilling, strategic workforce development, and leadership alignment with cyber-security objectives for businesses to succeed.
One of the primary reasons for the ongoing skills gap is the lack of prioritisation of cyber-security within many organisations. Organisations often face the challenge of competing priorities, limited budgets, and difficulty in fully understanding the critical importance of cyber-security investment at the board level.
Executive board members can be disconnected from cyber-security teams, only seeing the results of a successful breach rather than the work and investment needed to build a secure, resilient, and high-performing cyber-team. CISOs have a difficult job of demonstrating the results of cyber-security investment and the need for budget allocation for practical upskilling.
Traditional training methods do not equip professionals with the real-world experience needed to handle live incidents. The dynamic nature of cyber-security threats requires continuous upskilling, but many organisations encounter difficulties in providing their teams with the training needed to effectively address the skills gap.
Equally, hiring processes can look at industry certifications and practical experience gained from CTFs or hacking competitions rather than traditional degrees.
Moreover, the rapid pace of technological advancements has outstripped the ability of many organisations to keep their teams up to date. AI is both a help and a hindrance, enabling simple tasks to be automated but also helping hackers sift through algorithms quickly and effectively.
To close the cyber-security skills gap, organisations must implement comprehensive cyber-security readiness programmes that go beyond basic training. These programmes should be designed to build practical skills through hands-on experience, ensuring that employees are equipped to handle the realities of modern cyber-security threats.
One effective method is the incorporation of gamified learning experiences. By making learning interactive and engaging, and by simulating real-world scenarios, upskilling helps to improve the retention and application of knowledge. This approach makes upskilling not only more enjoyable but also more effective, as employees are more likely to remember what they have learned and be ready to make a difference in their organisation’s security posture.
Additionally, organisations should regularly assess their teams’ skills and knowledge, identifying gaps and areas for improvement. This allows for targeted workforce development that addresses specific needs, rather than a one-size-fits-all approach. By tailoring upskilling to the individual, organisations can ensure they create high-performing teams that are well-prepared to tackle the unique challenges they may face.
Ensuring that the C-suite is aligned with the organisation’s cyber-security needs and threats is an important factor in bridging the skills gap in cyber-security. CISOs are under increasing pressure but are not always heard when it comes to business priorities and vulnerabilities until it is too late.
By embedding cyber-security into the core of the business strategy, organisations make it integral to their overall resilience and long-term success. This shift ensures that cyber-security is seen not just as a technical concern, but as a critical component of sustainable growth and risk management.
When senior executives are engaged and educated about the risks and consequences of a lack of cyber-skills, they are far better equipped to act decisively. Cyber-security should not be treated as an afterthought, but as a business-critical issue that safeguards assets and data.
Equipping CISOs and their teams with the right tools and upskilling programmes not only ensures the safety of the organisation but also prevents burnout and fatigue within security teams, problems that are costing businesses millions globally in preventable incidents.
Crisis planning is one of the most common methods of preparing for the worst-case scenario. However, the current structure of crisis simulations limits their effectiveness in preparing teams for evolving threats and for wider organisational cooperation.
Without regular testing of plans in a way that runs through the whole process, from practical breaches to the responsibilities of each team member, looping in legal teams, and communicating with customers, regulators, and media partners, crisis planning becomes meaningless, or a tick-box exercise.
Regular and business-relevant crisis simulations are essential for business success. They give teams confidence, a way of finding business flaws, and a view of where skill gaps need plugging. These simulations provide a safe environment in which to test skills, identify weaknesses, and develop strategies for improvement.
The lessons learned from these simulations can then be integrated into ongoing upskilling and workforce development plans, ensuring that skills gaps are continuously addressed, and that the organisation remains prepared for any eventuality.
For businesses to succeed, they need to prioritise cyber-security. This means not just hiring a team of professionals but actually understanding their role in the business, what they are protecting, and where departments need to connect and build resiliency.
By prioritising hands-on, practical upskilling, aligning the C-suite with cyber-security objectives, and regularly testing and refining skills through crisis simulations, organisations can begin to close the gap and improve their overall security posture.
The evolving threat landscape demands that businesses take a proactive approach to cyber-security, ensuring high-performing cyber-teams equipped with the skills needed to protect against increasingly sophisticated attacks. By addressing the skills gap head-on, organisations can not only improve their security but also position themselves as leaders in the field, capable of navigating the challenges of the digital age.
Haris Pylarinos is Founder and CEO of Hack The Box
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543