Following the launch of the Cyber Retraining Academy, Stephen Jones, UK MD at SANS Institute, argues that, if we are to provide an immediate resolution to the cyber security skills gap, recruiters must prioritise psychometric testing and high-speed training over ‘career experience’.
In outlining its ‘National Cyber Security Strategy’ last week, the Government issued a stark warning that the cyber security skills gap “represents a national vulnerability that must be resolved.” Industry has echoed that sentiment, with 77% of UK Chief Information Officers (CIOs) now saying they will face more security threats in the next five years due to the skills shortage.
Yet this comes at a time when cyber has never been a more attractive industry to work in, with security professionals projected to enjoy the highest salary growth of any technology specialism in 2017. With business and Government met with the unfortunate reality of a projected increase in cyber-attacks in line with a growing shortage of the talent needed to stop them, it has been suggested that the cyber security industry could be worth $175 billion by 2020.
Over a third of UK CIOs are planning to hire more cyber professionals this year alone, and every indication is that the industry will only continue to grow as the economy increasingly moves towards digital.
So why is a booming industry with sky-rocketing salaries, excellent career prospects and a clear desire to hire, still failing to fill even its existing vacancies?
The fashionable answer is that this is a supply-side problem, caused by the failure of schools, colleges and traditional academic institutions to turn out enough computing graduates. Yet what if it is not the education system, but employers' hiring criteria that are the problem?
The belief that the education system is the main cause of our woes is connected to the fact that cyber security employers continue to lean towards seeking people with technical backgrounds. A recent survey shed light on the extraordinarily narrow job specs of many recruiters, with 40% still demanding a bachelor's degree in a technical field as the minimum cyber security credential for entry-level positions.
However, prioritising job applicants with technical degrees means fishing in very shallow waters; there is a stark shortage of computing graduates and only 7% of our top Universities even offer an undergraduate degree in cyber security. And with over 17,000 fewer women than men choosing to study computing subjects, this also effectively means that half the population rarely gets as far as the interview door. It is therefore unsurprising that not only is there a skills gap, but women comprise just 10% of the cyber security profession.
Many employers also demand ‘hands-on experience’ as a requirement for cyber roles. Yet this automatically excludes anyone who hasn’t worked in the cyber security profession, filtering out an enormous potential talent pool at the first hurdle. It is as if the aviation industry acknowledged it was suffering a severe shortage of pilots coming through, but refused to hire anyone who was not already a qualified pilot from an elite flight school.
If we are to provide a realistic solution to this urgent and pressing problem, cyber security employers must radically rethink their hiring checklists and entry tests and the places they recruit from.
The largest ever survey of cyber security professionals ranked non-technical skills (such as risk assessment and management, communication skills and analytical skills) higher than technical skills when recruiting mid to entry-level cyber security professionals. These are attributes often found in professions as diverse as the armed forces and the legal profession. Cyber security is an increasingly multidisciplinary profession requiring diverse skillsets, yet the industry’s hiring criteria are still far too focused on people with technical degrees and backgrounds.
To put weight behind that claim, we have looked further afield than the average technology graduate, successfully transitioning military veterans into cyber careers through our academies. Out of the thousands of applications to the first SANS UK Cyber Academy, the final group selected for the course included several from outside the tech industry, including a law graduate. Despite some having no technical background, they have gone on to work in cyber security roles for the likes of NATO and General Electric.
To prove this theory at national level, SANS has recently been tasked by Government to partner with it in launching the first ever ‘Cyber Retraining Academy’, which will specifically seek applications from those who have never worked in cyber.
Applicants will be filtered using psychometric assessments developed to identify behavioural and cognitive traits that indicate a high probability of success in cyber security, then trained to be industry-ready practitioners with immediately deployable skills that will set them on a path to become seasoned, skilled cyber professionals of the future.
We believe this offers a radically different recruitment model for the industry, which could help plug the skills gap and diversify the workforce in quick time, effectively condensing a typical graduate-type training programme into an intensive, immersive 10-week schedule.
This is something we have seen in other industries, with some businesses now recruiting using bespoke aptitude tests that not only widen their recruitment net but offer a far better guarantee of ‘culture fit’ than degrees or career experience.
We can do much more to give those starting out in security a firm foundation, ensuring those who undertake training are immediately deployable and add real value to the employers from the outset.
Military veterans are one such group who often show the ideal attributes for a cyber security career, and providing hands-on ‘immersion training’ to turn them into professionals in a short space of time is a must.
Offering people practical training can also increase employee retention and create more rounded qualified professionals with hands-on experience. Ultimately, businesses must find innovative ways to recruit from outside their techie ‘comfort zone’ and draw a wider spectrum of people into the profession if we are to begin resolving the skills shortage.