The cyber security skills challenge: Hiring for tomorrow
Organisations must alter their approach to cyber security recruitment in order to combat the global shortage of security professionals, writes BT
With digital transformation and the ubiquity of web and cloud applications and services, it’s hard for businesses to fill many of their IT positions, let alone ones that require security expertise.
It’s a global challenge, The Centre for Cyber Safety and Education predicts there’ll be a shortage of 1.8 million cyber security professionals in 2022.
Yet many employers are approaching the challenge the wrong way, looking for skilled individuals that don’t exist.
We talked to Ruth Davis, head of strategy, and Rob Partridge, head of commercial development, both part of BT’s Security team, about why the cyber security industry needs to make a paradigm shift in its recruitment.
Cyber security is still a relatively new field, and one which is evolving rapidly. There are very few people who have been ‘taught’ security skills, so typical recruitment approaches go out of the window.
We see a few people moving from related industries or from the public sector to the private. Ruth says, “Looking at industries with comparable skills and trying to attract people from there is one of the key parts to bridge the UK’s cyber security skills gap.”
Rob adds, “We have to get out of the mindset as an industry that we’re always looking for skilled individuals. What we’ve got to look for is potential, an attitude, which we can then help bring in at an entry level and develop into the talent of tomorrow.”
For example, one of our young apprentices in BT is Rachel Lutton, who is now doing a higher apprenticeship in cyber security whilst working as part of our physical security team.
Rachel’s first love is music, and when she left school she had offers to study music at a prestigious conservatoire in London, as well as computer science at university, but chose to do an apprenticeship with BT.
Rachel says, “Having played the violin from a young age, there are many transferable skills to my role now. From communication skills I developed introducing my violin programme in front of 11,000 people, to leadership from managing and motivating an orchestra, to working under pressure and balancing multiple projects doing my A-levels and a Diploma in Music Performance at the same time, they’re all things I use now. And then there’s the practical side. When I’m playing the violin I’m thinking about what I’m playing and what’s coming next, I’m spotting patterns in the piece to stay ahead of the game, which was useful when I was studying coding and languages.”
'Looking at industries with comparable skills and trying to attract people from there is one of the key parts to bridge the UK’s cyber security skills gap' - Ruth Davis, Head of cyber security strategy
For many established careers, there’s a well-defined entry path. If, at 14, you decide you want to be a vet, you know which subjects you need to focus on at school, what grades you need, where to apply. It’s not as clear for security.
Firstly, it’s not as well known that you can have a career in cyber security at all. And there are plenty of misconceptions about what it’s all about if you have heard of it. What subjects do you need to study? What courses are good? What skills should you focus on?
One of the biggest myths surrounds computer science and coding skills – they aren’t always key. When Rob asked Ruth if she can code, the response was “No!” A highly successful security professional with years of experience, her degree was in Theology. And Rachel, despite doing ICT at school, prefers some of the other aspects of security like report writing, risk assessments and the theoretical side.
Their career paths show that there are plenty of areas to explore under one umbrella of cyber security. Rob likens it to a map of the London Underground, with lots of places to start your journey in cyber security, and lots of ways to navigate from A to B. From strategy, policy, sales right through to penetration testing and white hat hacking, there’s something for everyone, whether you can code or not.
The problem is that to have understood that, you’ve probably met someone face to face at an event and talked to them about what a career in security means. And with 1.8m roles to fill by 2020, that’s a lot of individual conversations to have.
Moving away from siloed thinking
There are many great initiatives globally to try to overcome the skills gaps. From Cyber First and Cyber Patriot to the Cyber Security Challenge and Cyber Discovery, cyber security is being promoted in schools, colleges and universities around the world.
But with so many schemes and programmes, it can be hard to see the wood for the trees, either as someone interested in a career in cyber security or as an organisation looking to get involved and support the next generation.
As Ruth says, “Certainly in the UK, one of the biggest issues we face is no clear set of strategic goals. There are lots of initiatives, many of which we support as an organisation, but no strategic goal. One of the areas we’re working on at the moment is supporting the government as it produces a Cyber Skills Strategy to help put those goals in place. We recently held an event with our apprentices as part of Cyber Security Awareness Month in the UK Parliament to promote our five point plan for bridging the skills gaps and offer cyber schools visits to raising awareness of the cyber profession.”
There are also plans to make cyber security a chartered profession, which both Rob and Ruth agree will be a great step forward, but worry about how long it will be before it’s in place.
These silos of initiatives and thinking, Rob believes, are why progress on filling the skills gap has been relatively slow to date. “By focusing on the bigger picture, not just how to hack, we can bring more talent into our teams.”
Cyber security not only lacks gender and ethnic diversity but also neuro-diversity. It’s an area that Rob and Ruth are both passionate about.
Only around 11 per cent of information security professionals are women. In BT this increases to 17 per cent of the security workforce – still, as Ruth puts it “a rare breed”. Yet a recent Cyber 9/12 Strategy Challenge competition hosted in the UK as part of a global annual cyber policy and strategy competition had 50 per cent female competitors – and indeed the winning team was an all-female team.
And neurodiverse people — those with autism, Asperger’s, ADHD etc — have a different set of skills to neurologically typical people. They tend to approach problem-solving in a completely different way and can grasp processes very quickly, something that’s important in cyber security.
Unfortunately, the traditional interview process often acts as an insurmountable barrier. Often neurodiverse candidates are rejected because of a lack of communication skills. At BT we’re committed to boosting neurodiversity across our organisation through initiatives like our Work Ready programme.
As Rob says, “It’s easy to get someone interested, but how do you take that and get them into a job and doing something that they find engages them.”
'By focusing on the bigger picture, not just how to hack, we can bring more talent into our teams' - Rob Partridge, Head of commercial development, penetration testing
Hiring for tomorrow
Both Rob and Ruth agree that, in the face of such a global challenge, it’s only through coordinated action that the skills gap will be closed. And that future success lies not in skilled hires, but in the apprentices and graduates entering our workforce.
BT's report - SD-WAN is the cornerstone of network transformation - is available to read here.