Encouraging learning to fill the cyber security skills gap
James Lyne, Head of R&D at SANS Institute, writes about the complexity of cyber security and the government's Cyber Discovery programme…
We generally take for granted the IT systems that run behind the scenes, managing so many aspects of our lives. From critical national infrastructure (CNI) such as government, energy and defence, to the heating and air-conditioning in a smart building, right down to our personal mobile devices, our world is powered by complex, data-fuelled networks of computers. When the security of these networks is threatened, however, we become acutely aware of just how important IT is to the smooth running of today’s society.
Worryingly though, despite our reliance on these systems growing at an exponential rate and despite data breaches and software vulnerabilities making the news on an almost daily basis, as well as targeted attacks causing network outages, there just aren’t enough skilled people available in the world to ensure the ongoing safety and security of these systems. Indeed, reports suggest that we could be facing a global shortfall of 1.8 million cyber-security professionals by 2022.
Of course, it’s not necessarily all doom and gloom. For example, new technologies such as AI and automation could help relieve the pressure some IT security teams find themselves under, while retraining professionals mid-career is also proving to be successful in stopping the gap. A long-term solution to the challenge requires us to go back to school, though, to encourage a whole new generation of tech natives to consider pursuing a career in cyber-security.
Now more than ever
According to the most recent edition of the Global Information Security Workforce Study, which has been charting the growing skills shortage over the past decade, two thirds of UK firms claim not to have enough IT security personnel, with around half (47%) putting this down to a lack of qualified applicants. This latter statistic is, perhaps, unsurprising when you consider a second, US-based, report which found that only nine percent of millennials were interested in a career in cyber-security. Much of this reticence, it appears, can be explained by a lack of exposure to the subject itself: more than two thirds (69%) hadn’t studied cyber-security in school, and only 17 percent knew anyone in their family that worked in the field.
At the same time, thanks to incidents such as the WannaCry ransomware attack that paralysed the NHS last year, or the massive high-profile data breaches experienced by Facebook and Yahoo!, we’ve never needed qualified cyber-security professionals more than we currently do. Easily available “crime as a service” offerings on the dark web, for example, have led to an explosion in cyber-crime by democratising the ability to launch highly effective, targeted attacks. And with tensions rising once again between Russia and the West, the UK and US authorities recently issued a joint alert to CNI stakeholders, warning them of the risk of an increase in malicious cyber activity. Right now, the cyber-criminals appear to have the upper hand.
Recognising the seriousness of the skills shortage currently faced by the industry, and the need to encourage more young people to consider pursuing it as a career, the UK Government has invested £20 million in Cyber Discovery, an ambitious four-year programme designed to provide 14-18-year-olds with the opportunity to learn cyber skills outside of the regular secondary school curriculum. With over 23,000 taking part in the programme in its first year, the second year of the programme will launch later in the autumn and will aim to attract still more potential cyber experts into the field. Furthermore, the National Cyber Security Centre (NCSC), part of GCHQ, has run a series of CyberFirst residential and non-residential summer courses aimed at introducing 11-17-year-olds to the subject.
It’s important, however, that we appeal to young people of all backgrounds if we hope to attract the next generation of school-leavers to a career in cyber-security. We should focus on those who are more naturally inclined to humanities subjects, for example, as much as those who excel at computing or science, by demonstrating the wealth of opportunities that exist within the industry. There’s no doubt that many roles will require hardcore cyber-skills, but many others will also require candidates who offer ‘softer’, less technical skills.
Today, from an early age, technology in all its guises, and on a wide array of devices and systems, is just an accepted tool across all aspects of everyday life, from school to social to extra-curricular activities. What’s more, natural curiosity is crucial for any good cyber security candidate. We need, therefore, to make the most of these qualities if we are to tap into the vast pool of potential talent that these young people represent.
Thinking outside of traditional classroom methods, we can employ techniques such as gamification, using elements of video game design to engage learners. This is already being used to good effect in the Cyber Discovery programme. The recent Fortnite phenomenon, for example, and the mobile apps that school-age students use on a daily basis mean that gamification techniques are commonplace, and their use has been proven to be successful in the teaching of cyber skills. Indeed, so successful is gamification as a teaching technique that more than three quarters of senior security professionals believe that millennials who have been raised playing video games make stronger candidates for cyber-security roles than their more traditional counterparts.
There is a clear need for more qualified cyber-security professionals to fill the gap in the industry. Industry, government and the education system should pull together in the same direction and, by taking innovative approaches such as the use of gamification, it’s possible that we can address the current skills crisis, and improve the safety, security and smooth running of everyone’s daily life.