Who will protect the UK’s critical infrastructure? Finding the cyber security experts of the future
Organisations are finding it’s difficult, and expensive, to attract and retain the right people and they’re under increasing pressure to develop their capability and expertise from a talent pool that’s being tapped by a growing sector.
Providing national resilience and protecting our critical national infrastructure (CNI) are the areas of most concern. It’s a problem described by the Joint Committee on National Security Strategy as a top-tier national security threat because we’re facing a growing number of cyber-attacks on industrial control systems and operational technology (OT). The adoption of new technology that links IT and OT, and the convergence of digital and physical (sometimes referred to as the Fourth Industrial Revolution), present many benefits but also carry significant risks and expose our networks, systems and devices to new threats.
The shortfall in the number of people with the skills we need to address these concerns is measured in unfilled cyber job positions, anecdotal surveys, and industry reporting. Is the figure we arrive at precise? Perhaps not. But a wide range of industry partners, including cyber and tech organisations, acknowledge there’s an issue – demand continues to exceed supply.
So why is the sector struggling to keep up? And could we solve the problem if we changed the way we attract and develop people with cyber skills?
It will always be easier and cheaper to follow a well-trodden path than explore the unfamiliar. But this approach is neither effective nor efficient. The status quo revolves around repeating earlier approaches and an almost sole focus on recruitment through traditional channels. Current or potential cyber skills exist far more broadly than many recruitment strategies care to venture.
The ‘must-have’ skills highlighted in advertisements are, in many cases, an unnecessarily exhaustive and prescriptive list of role requirements, qualifications and experience, rather than a true representation of what is needed.
The UK Government is working with industry and academia to change this through groups such as the Cyber Growth Partnership, which provides strategic oversight to government with the aim of growing a vibrant cyber sector. Importantly, attempts are being made to look at new routes to attract talent including mid-career transition and the creation of a Cyber Council to help professionalise the sector.
Organisations must be more creative in their attempts to attract and develop talented people and explore non-linear channels. For example, there may be myriad opportunities for cross-skilling and upskilling existing employees.
In addition to cross-skilling, there is a captive market which can be targeted through the existing and growing framework of apprenticeships. Suitable not just for those at the start of their career, apprenticeships (including those at degree level and beyond) offer holistic upskilling across cyber and surrounding digital technologies. This delivers a unique development opportunity to consistently upskill in a technical and academic manner whilst consolidating this learning with experience in the workplace.
Diversity & Inclusion (D&I) will form an essential part of the future of the sector. But this should be led by cultural ethos, not corporate social responsibility objectives. There is clear business benefit: diverse teams are more productive, creative and effective, and offer different approaches and solutions. Groups such as NeuroCyberUK are playing an important role in evolving the sector through their work to achieve neurodiverse inclusion and there are positive steps being taken to encourage more women, mid-career transfers, ex-service personnel and other underrepresented groups into cyber.
Of course, it is difficult to discuss cyber security without considering the impact that the COVID-19 pandemic has had on the workforce and demand for skills. A drastic increase in remote working has led to an increased requirement for a different approach to cyber security, considering systems are no longer being accessed primarily from corporate offices. Alongside this comes a unique chance to utilise this new workplace dynamic to reach out to a previously untapped skills resource from those in geographically diverse areas, or those who require a more flexible working pattern.
If we remain on our current path, we won’t be able to fill the skills gap. Instead, we have an opportunity to re-evaluate our culture and ambitions and be clear on what defines cyber and the characteristics we need from people to benefit the sector. We must think differently to ensure we enrich the sector with the skills for the future and give people the chance to further, as well as establish, their career as part of a healthy and sustainable ecosystem.