'It's a mess' - Calls made for cyber industry to do more in tackling security skills shortages

Business leaders tell CRN that companies must offer more training to close security skills gap

Cyber firms must commit to training more new staff to address the ongoing cybersecurity skills shortages in the job market, business leaders have told CRN.

According to the International Information System Security Certification Consortium's Cybersecurity Workforce Study for 2020, 3.1m cybersecurity professionals are needed to address the worldwide skills shortage.

And cyber companies themselves are affected by the shortages, with the UK government's Cybersecurity Skills in the Labour Market 2021 report finding that 40 per cent of cyber firms have seen job applicants that lacked the "necessary technical skills" required for roles.

While both of these figures were down from the previous year's studies, suggesting the shortages and skill gaps are decreasing, the pandemic has posed new problems for businesses as the shift to remote working caused new threats to surface.

Recent cyber-attacks, such as the one carried out on Kaseya's VSA tool which in turn impacted more than 1,000 businesses worldwide, have demonstrated the danger businesses are facing, even tech companies themselves.

And with the cyber threat landscape continuing to evolve, those in the tech industry say more needs to be done by cyber businesses to address the skills gap that still exists today.

CRN spoke to three business leaders to get their thoughts on the job market and what needs to change…

What does the cybersecurity job market look like in the pandemic?

The Cybersecurity Skills in the Labour Market 2021 report carried out on behalf of the government found 47 per cent of cyber firms have faced problems with technical cybersecurity skills gaps, whether that be among existing staff or job applicants.

And Ian Brown, who is the executive chairman of cybersecurity firm Integrity360 and has worked with other tech companies like SecureData in the past, said he still sees a "colossal" shortage of cyber skills in the job market.

"There's just not enough people available because what's really happened, especially over the last five years but probably starting about 10 years ago, the purification of cyber-attacks, the amount of cyber-attacks, the amount of hacking has just gone through the roof," he explained.

Brown added that the shortage of cyber skills has led to the inflation of wages in the industry, claiming he has seen salaries double "because someone's got desperate" to fill a role, and that there are "just not enough people coming into the industry".

In a recent study, Gartner ranked relative supply for cybersecurity positions as 'very low' in the UK at just 10 candidates per opening and expects hiring staff to be 'moderately difficult'.

Marc Sumner, the CEO of IT recruitment agency Robertson Sumner, said the lack of skills in the market has created a "dogfight for talent" which sees tech companies take cybersecurity talent from each other, which he believes has been worsened by the pandemic.

"It's damaging the industry because every company in the channel is poaching from everyone else," he said.

"We've got a security vendor with 30 roles and we're struggling to get four or five people in there, so you can imagine how disappointed we are. It's as basic as the volume of people coming into the industry, that's the challenge we've got."

But while the move towards remote and hybrid working has increased the cyber threat, it has also encouraged firms to cast their nets wider when they recruit, meaning a greater number of candidates are now being considered than before the pandemic.

Scott Nursten, the founder and CEO of cybersecurity MSP ITHQ, has recently hired two senior staff and believes they would "probably not" have agreed to work for him if remote working was not an option, and said he has had discussions with candidates "who aren't even in the country".

Brown also said he and Integrity360 have "taken a different view" than they did "pre-pandemic" to staff working remotely, and believes other employers are doing the same.

But while a higher acceptance of remote working can make it easier to hire, Sumner highlighted the challenges for businesses operating in areas where they previously had little competition when hiring. These businesses will now have to contend with larger companies from other parts of the country that are willing to recruit from their patch.

"Quite frankly, it's a mess, because you've got everyone now targeting everyone else and you've not got enough people coming into the market," he added.

"Cyber was already a growth market so there was already skill shortages and that's now compounded over the last 18 months, and because all the people have been swept up who were made redundant in the pandemic, there's no one in the market."

Where are the shortages?

As the cyber threat landscape continues to evolve, tech companies have reported a shortage in the technical skills required to fill roles effectively. According to the Cybersecurity Skills in the Labour Market report, incident management, investigation and digital forensics were the most reported areas for technical shortages in the cyber industry.

Brown echoes these findings and said "advanced technical skills" are in short supply - specifically people who are qualified to perform threat hunting and cybersecurity resilience testing and have enough "vendor specific" knowledge.

"General" cybersecurity knowledge was not as difficult to find, he said, but highlighted a "scarcity" in those with more advanced skillsets to address the most difficult roles and tasks.

Nursten also picked out "deep technical skills" as an area where the industry is still lagging behind the demand, though said business-related cybersecurity skills such as knowing how to plan, create roadmaps and budget are of more importance.

And in his work recruiting for tech companies, Sumner said he has seen widespread shortages across the job market, including for roles which require a more general knowledge of security such as sales.

What can be done and what does the future look like?

All three of the company leaders CRN spoke to believe better training programmes and a commitment to investing in the future are a significant way the industry can bridge the skills gap.

Nursten, who has recently opened two internship positions at ITHQ, said that companies adopting an approach whereby they "take a longer view" which allows staff to "develop their skills" will help address the shortages.

"I do think that that approach is helping, and I think quite a lot of firms are taking that same approach, so I think cyber skills are coming into the market more quickly than they have in the past," he explained.

He did, however, add that some businesses still "do not want to invest in 18 months of skilling a person up" and called for more to be done to bring new talent into the industry.

Brown agreed with the need for a long-term approach and more training within the sector, claiming it is "the only way forward".

"In my view you've got to go and train your own, you got to basically become, in some respects, a semi education establishment," he said.

"You've got to support them, sponsor them all the way through but from an employer's perspective, you can end up with some extremely good people as a result of that."

He added that he was seeing "more people coming into the industry" in line with the increase in cyber-attacks, but that he did not see a significant change happening "for probably about four to five years".

The Cybersecurity Skills in the Labour Market report found that 79 per cent of cyber sector businesses had provided cybersecurity training in the year leading up to its publication.

But Sumner also believes tech companies must go further in their commitment to training and said there is too much focus on hiring people that are already highly qualified.

"When you look at these cyber companies, they want people that are already in cyber, they want people that have already got an awareness of cyber, an understanding of cybersecurity and have sold in it, trained in it or are technical in it," he said.

"Unless there's a real investment from the channel as a whole, they're not going to take from each other and there's a real investment in actually bringing in apprentices or grads and training people up or accepting other skills, I don't see it changing at the moment."

Moreover, Nursten called for greater diversity within the industry, as well as a change in recruitment habits, to help address the skills gap. The Cybersecurity Skills in the Labour Market report found that just 16 per cent of the workforce across cyber firms is female and only 17 per cent are from ethnic minority backgrounds.

"I was surprised to see how low the numbers are in terms of that so I would say let's get them more involved. They are a vastly untapped resource," he said.

"The recruitment agency model is a huge problem in the UK so they're actually, in a way, slowing down the adoption of cyber skills, because they want to take such a big piece of the pie."

With the number of devastating cyber-attacks showing no signs of slowing down and noticeable shortages still existing within the cyber sector, those in the industry warn real action must be taken to catch up with the vital demand for skills.