The Cyber Skills Gap
Edward Tucker
Positive disruptor, transformer, value creator, capability builder, speaker, advisor, rethinker
According to several recent studies there are more cyber security jobs going unfilled than there are people on the planet, and the gap is widening! Cyber skills are in high demand, more so than ever before.
More and more organisations are taking note of ‘cyber’ and the need to do ‘cyber security’. However, there is very much a finite pool of talent, and once you scratch the surface a much smaller pool of skilled resources from which to draw. That’s if the hiring organisation knows what skills to look for in the first place!
This will naturally lead to skilled resources being in far greater demand and thus being able to price most organisations out of the market by commanding significant salaries, whilst less wealthy organisations will be left fishing in a pool of less skills-rich talent.
So how can we go about bridging this gap?
For me there are a few themes that are pertinent to follow, aside from looking for the panacea of a deeply technical security evangelist, or of course hiring a continual stream of very skilled and very expensive consultants! There aren’t many of either of them available! Expensive yes, but truly skilled?
The skills are available…
Firstly, you do have skilled resources available to you. They are just not badged as ‘cyber’ professionals or even security professionals. There is a raft of strong technologists out there. Think system, software and hardware engineers. Think OS, networks, coding, development, testing. Those who have truly cut their teeth in technology, and who have a thorough understanding of how IT actually works.
You could argue that they don’t know security, or worse still cyber, but actually you will find that good techies will have an understanding of security. Aside from this it is far easier to layer security on top of a good technical foundation than it ever is to teach technology to a security theorist!
My advice is to look at your technical resources and explore the possibility of repositioning them into a security focused role. I would especially concentrate on the type of techie who will investigate a non-impacting log entry to the nth degree, just because it annoys them!
A good techie is often a good problem solver! They enjoy it! Cyber has a whole raft of problems to solve!
Someone with a strong technical foundation will find it far easier to pick up an understanding of new technologies and frameworks as they have already got the groundwork in place. Equally, they will already have a lot of the prerequisites for some of the deep technical security courses available.
This pool of resource is not being tapped into enough!
My advice here is that it is far easier to secure systems and services if you actually understand how they work. It’s also far easier to investigate problems therein if you have this base technical knowledge. Cyber has a heavy slant of technology underpinning it. I would focus on technologists first and security second. Simply because the second cadre of people is a much smaller pool and often lacking in the base technology foundation.
Your interview approach for this resource should include serious technical security questions. In part to assess their depth of knowledge and understanding, also to see where they can make educated assertions, but also to see where their ceiling lies and if they are open to admitting their limitations. You don’t want a blagger, believe me!
The young apprentice…
The above serves well in bringing in some experienced hires, albeit not all security purists. However, you should also look to grow your talent pool. The young Jedi in the making.
At the lower end of the scale you have the classic apprentice. Look for people with STEM qualifications, and also those who like to tinker. Those who play with hardware or software in their spare time. People who show an aptitude for technology and problem solving (yes those two again!).
These young people are sponges! Your job is to fill those sponges with practical application of their fledgling skills; widening their knowledge and understanding; embedding security principles and building their base foundations. You want to embed these apprentices with your experienced heads.
They will have a vertical learning curve, as not only are you introducing them into the depths of cyber security and technology, but also introducing them to the wonders of the workplace and all that that entails.
You will need to invest heavily in these people, both in terms of a comprehensive training regime and your time and effort. They are the most cost effective resource in terms of salary, but also the largest overhead. If you get the balance right you can really mould the cyber security experts of the future!
The key, as with any training regime, is to ensure they consolidate their textbook learning with the ‘shop floor’ experience of that subject matter.
You need to develop their competence. Don’t expect miracles from day one, it just won’t happen, but if they display the right aptitude then you will accelerate their learning curve and value to your capability.
My view with cyber apprentices is to expose them to the hands-on technology and security teams alongside their formal training path, with continual review points. Also, set them specific and stretching tasks that force them to work individually and as teams, to research and learn outside of formal training, and to develop strong self-organisation skills.
It is important also to focus on the softer skills. Communication, presenting, engagement, dealing with challenge etc.
They’ve passed the theory…
There are a raft of university and vocational courses that have a cyber or security slant. There is also a raft of difference in the type of graduate coming off those courses. They are not all the same and they are not all producing the same calibre of talent into the workplace. They are a valuable pool of resource available to you.
It is worthwhile looking into the actual course material being covered by these graduates, especially the depth or breadth. Are you getting someone with a burgeoning knowledge that is a mile wide and an inch deep or with depth in a particular subject? The broader the subjects covered the more likely that the graduate will be more of a theorist than having practical depth.
Similar to the apprentices you will generally be exposing these people to the workplace for the first time, albeit they should be a more mature person and hopefully find that transition easier.
Regardless of the course depth that they undertook it is unlikely that they will have practical application of that knowledge on the technology that you actually use and certainly not with the foibles of that technology use in your organisation and the business drivers behind it.
There is still a massive amount of learning that these graduates require. I’m a big fan of using their first year to get hands on with technology. Doing a tour of duty with the actual build, development and run teams. Really bridge the gap between academic learning and the application thereof.
You’ll need to develop their understanding of your business and its purpose, as with any new recruit, but for me the practical application comes first for someone coming into a cyber security role.
Short term gain…
Alongside graduates is the oft-overlooked resource of the industrial placement. The gap year! There are pros and cons with this. You will get someone with some practical and theoretical knowledge, if again you look at the outline of the course they are studying. However, you will only get the resource for a relatively short period of time, and there is no guarantee that once they’ve graduated they will come knocking on your door for a job; that is, if you have one to offer in another year or so’s time.
This resource is best used for specific tasking that relates to their core learning to date. They are not there to do the filing and act as a gopher, but to be in a bi-directional relationship with you: fulfilling short-term needs for you and your capability whilst also building upon their academic learning to date.
They are again a heavy overhead and you should clearly plan their activities, and those activities must have value to you, otherwise you are just fulfilling the job of a teacher and getting little in return.
You will also need to have existing staff on hand to help when required, though ideally you want this to be light touch.
If you work closely with your local educational facilities (universities etc.) then you can build up a good relationship with them to make this an ongoing regime, but also to feed back into their courses as to where they are deficient, or where they might want to focus more heavily to produce graduates with more practical skills for the workplace.
You’ve got warm bodies, what next?
It’s all well and good to get bums on seats and warm bodies, but that is where the learning begins. With all of the above resources you will need to invest in training, both formal and on the job. It is important to develop regimes to build, consolidate and expand the knowledge of each of these resources and tailor training and practical application thereof.
I’ve heard of several organisations actually backing away from investing in training as they feel they are training people up for their next employer. In other words, once they are trained they will leave. Unfortunately, to a certain extent that is true. Actually, it is true regardless of whether you get them qualifications of note or even on-the-job practical experience. Cyber sells, people will become more valuable commodities and some will leave. Deal with it!
If you are not going to invest in your people then you are not investing in your security. Your job is to sufficiently challenge them and provide the right environment that will keep them engaged and with you for longer. Give them experience of the differing aspects of your cyber security capability. Keep them fresh. You can’t just shake the magic money tree and break your pay scale to retain people, so you need to find other ways of retaining your recruits. Job satisfaction and engagement is a key driver in that. Give them exposure to the wider business, senior stakeholders. Make sure they understand their value to the organisation and have an affinity with it.
It is imperative that you actually undertake succession planning and build knowledge sharing into the way you build your team and bring your new recruits on. It is no good having obvious single points of failure. Where you have experts you need to buddy them with junior recruits to ensure that their experience and knowledge is actually transferred through on-the-job shadowing and working.
For me a large part of managing that natural churn is to treat it almost as a conveyor belt. You should ideally be running 2/3 heads over your optimal body count. Not everywhere will work like that, but you should build that into your business case for building and developing your cyber security capability and the skilled workforce that drives it.
Regardless you should ensure that you have many pools to fish in to secure future resource, but recognise that all come with an overhead, unless you have a magical cyber pool brim full of seriously skilled, low cost, workers.
I do believe that the cyber security skills gap does exist, but there is more than one way to skin a cat!
National Security & Defence at Amazon Web Services
8 years
Great article Ed, especially on talent pool and training. To your point on training, there's a great quote: 'there's only one thing worse than training someone and having them leave, it's not training them and having them stay'.