Calling IT Professionals: Addressing the Security Skills Gap
Art Coviello at RSA often refers to the skills gap in the number of Cyber security professionals in his keynotes. A UK National Audit Office report out today quotes it could take “up to 20 years to address the skills gap”.
The truth is the number of IT and cyber security professionals in the UK has not increased in line with the growth of the internet and the NAO warns that the UK faced a current and future cyber security skills gap, with “the current pipeline of graduates and practitioners” unable to meet demand.
It warned that the cost of cyber crime is estimated to be between £18bn and £27bn a year. In 2011, ministers announced funding of £650m to implement the UK’s Cyber Security Strategy, which set out the risks of the UK’s growing reliance on cyber space.
The strategy identified criminals, terrorists, foreign intelligence services, foreign militaries and politically motivated “hacktivists” as potential enemies who might choose to attack vulnerabilities in British cyber-defences. To date both SOCA (Serious Organised Crime Agency) and Action Fraud, the UK’s national fraud reporting centre have both been very active in thwarting threats.
How can this skills gap be addresses? It needs investment by the government but also by education authorities and indeed the Cyber security profession. Many years ago studying IT at a University was very attractive, but it seems to have lost its appeal. Moreover, how many IT related degree courses actually teach security as part of its curriculum.
I think the industry needs to do its part to ensure that the Cyber security profession is seen as an attractive career choice and start early by evangelizing in schools and colleges.
The TV series CSI did wonders for enrolment into Forensics courses so I wonder if we need an equivalent Cyber security TV series to get individuals signed up. Whatever, we do we are still going to be faced with a huge skills gap in this sector.
In my opinion there is not a shortage of skilled workers. Just seems that employers limit opportunity to already skilled workers.
In today’s job market, employees only look dogmatically for candidates with the exact skills they post to describe the position they are trying to fill. Anybody who would fit the job would be somebody making a lateral move and doesn’t allow somebody who may have relevant skills to grow into the position and acquire the new skills.
When I joined the ranks of IT back in the early 90’s that wasn’t the way people got hired and hiring managers used to have open minds about letting a candidate to prove themselves.
I’m somebody who’s been in the IT security with a network centric focus when organizations were still using ACLs on routers; however I have not been able to move into other areas of security in the application layer since I’ve been told my resume doesn’t find its way past the “static” signature based filters recruiters and HR use.
At this point in my career, it seems better to abandon security all-together and move into other “disruptive” technologies where there are no established barriers for entry.