The Joint Committee on the National Security Strategy recently warned that a lack of skilled cyber security workers could place UK critical infrastructure at risk of attack.
It noted that the shortage of deep technical expertise, as well as the huge number of vacant roles requiring even moderately specialist skills, is “one of the greatest challenges faced by the UK’s critical national infrastructure firms”.
This is a significant issue, and one that's facing all sectors. Studies from Cisco, ISACA and Symantec predict the industy's labour shortage to be in the millions. According to PwC, CEOs across the board view the existing skills gap and consequential cyber threat as their top concern - over Brexit, geopolitical uncertainty and over-regulation.
There are a number of areas companies can focus on that might help them narrow their skills gap. Breaking down organisational silos, sharing resources, harnessing new technology and giving employees the opportunity to retrain all have the potential to help. One of the more obvious – but perhaps overlooked – solutions is nurturing future talent from the huge pool of university graduates seeking employment.
Why graduate into cyber?
The Exabeam 2018 Cybersecurity Professionals Salary and Job Report shows that a career in cybersecurity offers many of the ‘traditional’ benefits graduates might seek – such as competitive salaries, long-term job security and satisfaction.
But a career in cyber security also offers other, more unique characteristics that may be particularly appealing to the younger generation of graduates. Cyber security professionals develop a distinctive mix of analytical, social and investigative skills, all while ‘fighting the bad guys’. This opportunity to ‘make a difference’ – to enjoy a purposeful career – may be exactly what many graduates are looking for.
With analyst firm Zion Market Research predicting the cyber security market will grow at a CAGR of 9.5% over the next few years – reaching more than $181 billion by 2021 – it could be the ideal time for recent graduates to enter the industry.
Also of interest: Fixing the UK cyber skills gap
Where to start?
Contrary to what many non-computer science graduates might think, you don’t need a background in security or IT to embark on a cyber security career path. For those with limited, or even no technical background, there are a number of initiatives designed to support a move into the industry.
The SANS Institute, for example, has created a ‘CyberStart’ programme. This offers a suite of challenges, tools and games designed to introduce young people to cyber security and help them gain foundational skills. The organisation also provides varied information on specific industry roles, why they make a difference and how you can qualify for them.
Professor Alan Woodward from the University of Surrey explains why personal attributes are the most important part of cyber security professionals. He says, “Careers in cyber security can take many forms: it is inherently a multi-disciplinary field. You will find that the most successful tend to have a particular approach rather than a specific set of technical skills. Most think laterally, out of the box and almost back to front. Although I’m an engineer, I find I enjoy taking things apart to find out how they work rather than necessarily building them—many professionals I come across in cyber security have these traits.”
Prof Woodward continues, “Having a good platform from which to launch your career in cyber security, and with the right approach to problem solving, you can quickly learn what you need ‘on the job’ with the right employer. Not only do these positions offer financial rewards, they present such a variety of opportunities that you will find the roles you have rewarding in many different ways.”
“Whereas many careers today take you into a sector where you are likely to operate for many years (unless you choose a radical career change), cyber security can see you work in just about any sector you can think of. Any organisation (public or private) that’s using information technology or has ‘smart’ devices needs the skills of cyber security specialists. If you like solving puzzles, if you like situations that can involve any combination of people, processes and technology, if you want a career that is rewarding in its broadest sense, then cyber security really is for you.”
Once established, there are a number of more advanced training opportunities cyber security professionals can take. Prof Woodward explains, “Undertaking an MSc, typical of these are those offered at the University of Surrey, can help you bolster your skills. It is worth looking for those departments, like the Surrey Centre for Cyber Security, that are approved by GCHQ as Academic Centres of Excellence, and/or have an approved MSc programme.”
Address the skills gap by addressing the gender gap
Exabeam’s survey also shows the percentage of women who work in cyber security is incredibly small — just 10 per cent. A worrying statistic for the cyber security industry, particularly as this falls below the already low number of women entering the tech industry overall. Women make up half of the UK population, but according to the WISE campaign, even just 15% of computer science graduates are women.
Supporting women in gaining skills in science, technology, engineering and maths (STEM) is an important step, but more needs to be done to encourage females to enter careers in the Security Operations Centre (SOC) if we are to address the cybersecurity gender gap.
Members of Women in Cyber Security include those women who are already leading the charge in cyber security. They have some excellent advice for those considering the career move.
Tania Ghods, security intelligence and operations consultant at IBM Security Services, advises women not to be afraid to take the leap. She says, “It’s important to remember that you do not need to qualify for every single bullet item in a job description. If you have the majority of the skills, apply. And if you don’t end up getting the position, at least you had practice interviews.”
Ruth Agosto, who works in security and compliance at KPMG, believes more women should become certified. “One of the most accepted certifications is Security + by CompTIA. The exam is not too expensive. This exam will cover the necessities needed for understanding the concepts used within SOC environments,” explains Agosto.
Lora Vaughn McIntosh, a VP who manages a SOC for Regions Bank, says, “Organisational culture is important to recruiting and retaining women, but it’s also important for career satisfaction and advancement. Finding a company with an open and supportive culture can ease many of the barriers to success.”
Kristina Greenshields is a recent graduate. She is currently in negotiations to become a cyber security administrator and has some advice for others in a similar position. She says, “I find that the more you talk to people – no matter who they are or where they work – you will always find someone who knows someone that is on a SOC team and knows of openings. The key is to ask questions and not be afraid to ask for a referral. Networking will always pay off. You’re not asking for a handout – you still have to prove yourself and you still have to do the work. I attend online job fairs and then follow those I speak with on LinkedIn.”
Forrester suggested in a recent report, that the lack of women in technology is due to ingrained long-standing biases and recruitment tactics that often fail to target and attract women. If companies are serious about closing their skills gaps, it’s about time they target the valuable, but as yet untapped resources available to them.