The UK Cyber Security Council – the newly forged organisation tasked with charting a path forward around security education, training, skills and professional development – has issued a call for industries to recommit to spending on security skills development as the transition back to more regular working practices looms.
Issued to coincide with the opening day of the Infosecurity Europe fair, which is taking place virtually although an in-person event had been planned, the Council’s rallying call cites research by the London School of Economics that shows how many organisations changed their approach to training during the UK’s repeated national lockdowns.
Many cut back spending, while others were put off by the challenges of delivering existing training programmes to a largely remote workforce. Some were found to be adopting “quick-fix” approaches through recruiting cyber pros rather than training teams.
The pandemic has also accelerated general trends in training that have been noted for about a decade – the total number of days trained per trainee in the UK dropped from 7.8 ten years ago to 6.4 in 2017, down 18% according to the LSE study, and total expenditure per trainee dropped by 17%.
“It is imperative that the UK’s cyber security community returns to training in order to maintain their ongoing situational awareness and to maintain the UK’s global position as a centre for cyber security skills and innovation,” said Don MacIntyre, interim CEO of the UK Cyber Security Council.
“While investment in specific skills development courses, setting staff on a pathway to certification, is essential, it needs to be teamed with continuous education that can build on industry accreditation and ensure professionals are constantly developing their skills and knowledge as part of a career pathway, as well as to support the evolving needs of their organisation.”
The security skills challenges faced by organisations across the UK are borne out by the Department for Digital, Culture, Media and Sport’s most recent statistics, which found 30% of security firms were finding it hard to fill generalist roles – where people are expected to be able to cover a range of security areas – as well as specialist roles, senior management roles, penetration testing, and security architecture.
As part of its remit, the Council is building a variety of tools and resources to support organisations and cyber security professionals, including its career and forthcoming qualification frameworks. These are interactive guides to help organisations develop “clear and realistic criteria” for hiring, and help security pros plot viable career progression routes for themselves.
Speaking to Computer Weekly earlier in 2021, Council chair Claudia Natanson said a big problem right now is that many organisations are crafting unrealistic job descriptions for security roles that don’t account for the skills that are really needed to excel in the field.
“We need to help organisations understand what they want to begin with,” she said. “We have a skills shortage because we are not communicating, not defining properly, because we have misplaced where cyber should be.”