We have heard an awful lot in the past four or five years about the fact that there simply aren’t enough people with the right level and type of skills to meet the ever-increasing demand for cyber security professionals. This isn’t an issue that is going to go away anytime soon, thanks to faster-than-ever advances in the technologies we use both as businesses and consumers, and to cyber criminals taking advantage of this constant state of flux and the inherent weaknesses in the software of many of the IT systems and services we use on a day-to-day basis.
The advent of all this big new technology has had a knock-on effect on both working practices and business processes, as well as, crucially, the skills needed to manage the security of these ever-changing technologies. Combine this with rapid shifts in globalisation, demographics, work styles and work sourcing, and the way in which companies manage their businesses is radically transforming. These shifts, including the widespread use of cloud and off-site networks, open up new vectors of risk and potential threats and attacks that companies must keep on top of.
Perhaps as a result of all this change, the good news is that we are beginning to see some organisations finally recognising the need to develop less experienced staff in security skills in order to help solve the skills gap. They are doing this by both transitioning more general IT staff to security and by bringing in new, inexperienced talent and helping them develop the skills and experience needed to take on security roles. This might also include offering apprenticeships to allow employees without experience to study for their qualifications while learning job-specific skills within the company they’re working for.
Talent training initiatives
SANS has been involved in a number of initiatives in recent years to help grow the pipeline of new cyber security talent entering the profession. One of the most exciting is Cyber Discovery, an extracurricular training programme consisting of both an online game platform and face-to-face training, developed and delivered by SANS for the UK government. The programme provides hundreds of hours of challenges and teaching to educate teenagers about the skills needed to be a cyber security expert. Cyber Discovery was launched as part of the UK’s National Cyber Security Strategy and sits within the CyberFirst portfolio of skills development initiatives. Over the three years it has been running, more than 60,000 13-18-year-olds have taken part in the initial phase, with those with the most aptitude taking part in the gaming, teaching and elite phases.
SANS has also run two Cyber Retraining Academies, designed to bring people into the industry who have no previous experience of cyber. The second of these, run in 2017, was funded by and run for HM Government. Candidates took an aptitude test which determined who might have the ‘way of thinking’ that would enable them to succeed in the world of cyber security. Successful candidates then underwent an intensive 10-week programme which introduced general cyber security principles and built a foundation of knowledge across a wide breadth of security topics. At the end of the 10 weeks, the participants took industry-accredited GIAC qualifications and were assisted in finding employment in the industry. Most went into cyber security roles, and we’ve recently hosted a reunion where we found out where they all are now. Many have already had huge success in their new careers and are in exciting cyber roles.
Those who took part came from diverse backgrounds, including the military and law enforcement, as well as a bartender, a professional gamer, a journalist and a psychiatrist, to name just some. The beauty of the Academy was in finding people from ordinary walks of life, anywhere other than cyber in fact.
Employee security awareness is key
Last but not least, we are also finally seeing more companies beginning to invest in security awareness training programmes. This is critical, both for the security of every organisation and for general security hygiene among consumers, who also work in organisations and can transfer the skills they have learnt to the home environment too. In the past, organisations and their security teams have often perceived employees as the weakest link, without investing in properly training them to recognise security threats. Instead, companies have traditionally invested almost entirely in using technology to secure technology, ignoring the human side. What little training most organisations have done has been too technical and complex. Proper security awareness training requires simplifying security for people and reaching out to them in their terms. This is something that organisations are starting to do, and as more and more recognise its value, we will see an impact across the board.