Cyber skills gap: Cybersecurity skills gap leaves one in four organisations exposed

A lack of the right cybersecurity professionals is forcing companies to rely more on technology, which may compromise a business's security. Cyber security and business protection recruitment agency Acumin has published a report that investigates the shortage of cyber security skills in organisations. Reasons for the shortage include the continuing lack of women in the workforce, a heavy reliance on qualifications rather than a demonstration of skills, and companies being reluctant to put near-qualified individuals into positions and allow them to grow through experience.

According to the report, the presence of women in cybersecurity has been estimated at around 11% and female workers are often paid less than their male counterparts. Acumin stated that raising their pay may attract the right talent to organisations, which is critical for securing their future. The report also underlined that individuals who have core competencies for cybersecurity work don't necessarily seek out professional qualifications. It added that not everyone who has passed a qualification test will be good at the job and some may come undone when confronted with a real-world problem.

In order to close the gap, Acumin suggests starting with a broad and diverse pool of candidates for each position, including people with little or no formal education, and then presenting them with real-world problems. This benefits the company as it will "weed out hires who lack the necessary experience" and allow candidates to properly demonstrate their skills. The report also underlined the importance of building incentives within the organisation in order to attract and retain employees. This includes ensuring that a company offers upward mobility to female employees, which will help with employee retention and distinguish the company from competitors.

16/05/2017: Did lack of security workers worsen ransomware attack?

The ransomware attack that spun out of control across the world over the past week may have been exacerbated by a lack of cyber security experts.

"There is a struggle to find talent necessary to make judgements about the efficacy of cybersecurity controls," Sean Joyce, a principal at PricewaterhouseCoopers LLP's advisory practice, told the Wall Street Journal.

Part of the problem may be the failure of companies to see the value of investing in those with security skills, with Joyce saying CFOs find it difficult to quantify the risks of such attacks. But even when companies want to hire more security staff, it's difficult because of a lack of appropriately trained staff. While that may sound unsurprising in underfunded public organisations such as the NHS, the ransomware also successfully knocked out networks belonging to companies from Telefonica to Renault.

A study by Brocade last month revealed that one in four IT departments felt they couldn't deliver on current business demand due to a lack of skills, with 54% concerned about a lack of skilled talent to choose from. A report from Frost and Sullivan suggested there will be 1.5 million unfilled security jobs by 2020. Research from ESG showed 45% of organisations surveyed believed cybersecurity shortages were a problem, while 40% of staff said the skills gap had already impacted their organisation.

What can be done? Marc Van Zadelhoff, general manager of IBM Security, suggests in the Harvard Business Review that the industry stop limiting hires to those with four-year degrees in computer science. IBM has tested that by creating a class of "new collar" jobs, finding the right people and training them on the job.

"Some characteristics of a successful cybersecurity professional simply can't be taught in a classroom: unbridled curiosity, passion for problem solving, strong ethics, and an understanding of risks," he wrote. "People with these traits can quickly pick up the technical skills through on-the-job training, industry certifications, community college courses, and modern vocational and skills education programs." It's worked for IBM, with "new collar" workers making up a fifth of its cybersecurity hires in the US since 2015.

That's helped by training younger students in cyber skills, he noted, and here in the UK, one government scheme hopes to see 5,700 teenagers trained in security within the next five years. The high-profile success of the self-taught 22-year-old security researcher who helped stop the ransomware attack last week may help encourage others to step into the industry, though the invasive reporting by tabloids who outed his identity after he asked for privacy may discourage others.

17/01/2017: UK's cyber skills gap is one of the world's worst

UK businesses may be at risk of increased cyber threats in the coming years due to a severe shortage of skilled cyber security experts, according to job search website Indeed.

Britain's digital security skills gap is now ranked as the second worst in the world, according to Indeed data comparing employer demand and the number of people searching for roles.

The number of job searches for cybersecurity roles reached just 31.6% of the number of jobs posted to the website, making Britain's skill gap second only to Israel.

Increasing numbers of cyber threats in the UK have led to a surge in demand for skilled cyber security applicants, leading to a 31.9% rise in the number of advertised roles between 2014 and 2016.

"2016 saw a spate of big corporations - and even the US electoral process - suffer high-profile data breaches, but beyond the headlines, cybercrime is a threat to organisations of all sizes," said Mariano Mamertino, EMEA economist at Indeed.

"As cyber attacks increase in scale and sophistication, British employers are racing to recruit staff with the skills and experience needed to protect their vital data," added Mamertino.

Britain's skills gap grew by 5% during the 2014 to 2016 period, a number only exceeded by Brazil and Canada, according to Indeed's statistics. Meanwhile, Ireland has managed to attract a surge in applicants thanks to a booming technology sector, shrinking its skills gap by 14%.

Network security expertise topped the list of skills most sought after by employers, accounting for 223% more job postings than mobile security. But the fastest growing sector of job searches was cloud security, rising 139% over the same period.

"Sadly the supply of skilled workers isn't keeping up with employer demand, and Britain's cyber security skills gap is getting worse," added Mamertino.

Amazon Web Services (AWS) announced the creation of its re:Start programme last week to help re-skill out-of-work young people and military veterans to take on digital roles. Starting in March, AWS plans to train 1,000 candidates for roles in entry-level technology positions, alongside industry partners such as ARM, SAGE and Cloudreach.

However, the problem is approaching its crisis point, according to Mamertino, and British businesses will be put at risk if the expertise cannot be sourced to deal with modern security threats.

A report published in June 2016 warned that the skills gap could widen following the Brexit vote, as companies may find it more difficult to attract the overseas talent needed to fill roles, increasing the demand for homegrown talent.

"This should serve as a wake-up call to Britain's tech sector - it must pull together to up-skill and attract more people into cybersecurity roles," added Mamertino.

Zach Marzouk

Zach Marzouk is a former ITPro, CloudPro, and ChannelPro staff writer, covering topics like security, privacy, worker rights, and startups, primarily in the Asia Pacific and the US regions. Zach joined ITPro in 2017 where he was introduced to the world of B2B technology as a junior staff writer, before he returned to Argentina in 2018, working in communications and as a copywriter. In 2021, he made his way back to ITPro as a staff writer during the pandemic, before joining the world of freelance in 2022.