A major government-commissioned study found that about half of UK organisations lack basic security skills. PublicTechnology talks to the researchers behind it to find out where the skills gaps are and how they can be filled
When the government published the UK’s first National Cyber Security Strategy in 2016, the lack of cyber skills was identified among the country’s most significant vulnerabilities. Widening and improving this expertise was picked out as a key strand of the five-year development plan set out in the document.
Indeed, as then chancellor Philip Hammond noted in his foreword to the strategy, the importance of closing the cyber skills gap now extends far beyond the security industry itself.
“This is no longer just an issue for the IT department, but for the whole workforce,” he said. “Cyber skills need to reach into every profession.”
Within two years of the publication of the strategy, the Department for Digital, Culture, Media and Sport had commissioned market-research firm Ipsos Mori to conduct a major study of the cyber skills landscape across the UK.
The resultant Cyber Security Skills in the UK Labour Market report, published in December 2018, showed that more than half – 54% – of the 1.32 million businesses in the country entirely lacked the skills or confidence to carry out one or more basic cybersecurity tasks – such as creating back-ups, managing admin rights, and arranging automatic software updates.
Some 47% of firms said they were not confident in dealing with an attack, while only 11% employed someone who had cybersecurity responsibilities written into their job description.
The findings of the research were used to shape the government’s Cyber Security Skills Strategy, which was published concurrently with the report.
Jayesh Navin Shah, a researcher at Ipsos Mori, tells PublicTechnology: “The cyber skills strategy recognises that there are probably a set of skills gaps, and an overall shortage in the number of cyber professionals that there are in various roles in the UK. And DCMS wanted to find out if they could get a sense of how big those gaps are, and what technical areas and other non-technical areas those gaps are the biggest in. The non-technical areas were also really important for DCMS – what are sometimes called soft skills, but also things like communication and leadership and management.”
One in four: proportion of public-sector organisations for whom a single employee is responsible for cyber
15%: proportion of employees at UK cyber firms that are women – compared with 28% across the digital sector
48%: proportion of UK businesses that lack the skills to perform one or more basic security functions
62%: proportion of people who took on responsibility for cybersecurity at their firm after it was added to their existing duties
Anyone with even a passing familiarity with the IT industry will no doubt have heard many mentions over the years of some form of technological skills gap. Such widespread usage has, perhaps, made the term a little nebulous.
Shah says that the research team differentiated between skills gaps and skills shortages.
“A skills gap is about levelling up the existing workforce – the people in roles who are supposed to be performing cybersecurity functions, but may not have the necessary skills, technical and non-technical, to be able to carry out those functions to the competent level,” he adds. “A skills shortage is more about not having enough of certain people in the workforce – such as pen testers, security engineers, or security architects.”
The understanding of where gaps exist was informed by researchers working with the team of academics behind the Cybersecurity Body of Knowledge project, which has created a framework to define and map cyber as a field of academic study.
The programme, which brings together lecturers from leading UK and worldwide universities with researchers and industry representatives, has identified 19 core ‘knowledge areas’ that collectively constitute the discipline of cybersecurity. They are split into five groups: human, organisational and regulatory aspects; attacks and defences; systems security; software and platforms security; and infrastructure security.
This framework was used by researchers on the DCMS report as a guide to help identify what expertise would be part of a comprehensive set of cyber skills, and where there are gaps.
Minding the gap
A second iteration of the DCMS cyber skills research was published in March. The data appears to show that the basic skills gap has narrowed slightly, with the proportion of firms lacking the skills to perform one or more basic security tasks dropping by six percentage points to 48%. Similarly, only 27% of companies indicated that they lack skills – either internally or via an outsourced provider – to deal with an attack.
The report also measures areas where higher-end professional skills are lacking – even within the cybersecurity sector itself, where almost two-thirds of companies said they had encountered issues with accessing technical expertise, either within their existing workforce or during recruitment.
Areas where there is a marked shortage of these more sophisticated skills include: threat assessment and information risk management; assurance; audits; compliance and testing; cybersecurity research; implementing secure systems; and governance and management.
Three in ten IT security companies also reported that a dearth of non-technical skills – such as communication, leadership, and management – was an issue facing their firm.
But, excluding those specialised in the cyber sector, half of all businesses employ just a single person who is responsible for company-wide cybersecurity.
Although this figure is considerably lower among public-sector organisations – 25% – it is still more than double what it was in 2018, “indicating that they are less well staffed than before”, according to the report.
The majority (62%) of people performing a cyber role for a non-specialist company are doing so after it was absorbed into their existing duties or job function. A further 26% were recruited from a non-cyber role.
Excepting dedicated IT security businesses, only 6% of people currently fulfilling a cybersecurity position at a UK company were previously employed in a similar role. A further 4% are in their first professional position or apprenticeship.
The skills gap for basic IT security functions arises, in part, because even the smallest firms need to assign someone to – at least in theory – take oversight of and responsibility for cyber. In many cases, such firms may not even employ a generalist IT professional.
“Many businesses… have an untrained member of staff dealing with the cybersecurity function in an informal way,” Shah says. “That person has their own additional job to do – sometimes they are the finance director, for example – and, therefore, the cybersecurity function is a secondary function in their overall job role and doesn’t get their full attention.”
On top of this, there are also many businesses that have yet to take advantage of the guidance provided by the National Cyber Security Centre’s Cyber Essentials programme – which, for £360, offers businesses the chance to conduct yearly self-certification exercises across core security areas such as installing firewalls, securing devices, protecting data, defending against malware, and updating software.
“The person in the cyber role, even if they’re not a professional and are just a general manager, they should be aware of things that are in the NCSC guidance – but we’re finding that most businesses have not accessed that guidance yet, even though it is out there,” Shah says. “They don’t actually fully appreciate the technical things that they’re supposed to be doing as part of that role; they may know common-sense stuff – that they might need a policy, and they might need to put something in that policy about the use of USBs and personal devices, or that you can’t just have 1234 as your password. But they might not actually know much more than that – which is why we find these basic skills gaps to be quite high.”
He adds: “This is something that is a continual challenge for government: trying to get businesses to understand that this is not just about common sense any more and you need to go and look at this guidance and it will teach you to do these things properly.”
Professor Steve Furnell, leader of the Centre for Cyber Security, Communications and Network Research at the University of Plymouth – who was also part of the research team commissioned by DCMS – says that the challenge goes beyond simply raising awareness.
A business reaching an understanding of where it needs to look out for cyber shortcomings does not necessarily mean that it will then know how to address them, nor whom they need to help them do so.
“Part of the problem is that, even when somebody looks at it, interpreting what that guidance means and how that guidance would need to be enacted in their organisation is something that the layperson isn’t going to know how to interpret,” Furnell says. “So, you’ve got the problem of people knowing that they don’t have the skills to do something, and that they need to get a specialist to assist them. But then they’re still not quite clear on what that specialist looks like, and what sort of person they need.”
The research makes clear that there is a vast array of differing cyber qualifications – both academic and technical – but a decided lack of clarity on what each of them means, and their relative merits. This is demonstrated by the fact that about two-fifths of firms (38%) in the cyber sector itself do not employ anyone who possesses or is working towards a dedicated IT security certification of any kind.
It is, perhaps, little wonder that non-specialist organisations might struggle to know what kind of expert assistance they require, and what badges to look for.
“Even if you’ve got the resources to do it – [you may not know] what sort of person you need to engage,” Furnell says. “What does the appropriate professional or the appropriate skill set look like for the sort of protection your organisation needs to enact? While there are myriad different qualifications and certifications out there, knowing which is the appropriate fit for your needs is something that isn’t quite there yet.”
Certified Information Systems Security Professional (CISSP) status emerges as the most common specialist qualification held by someone working for a cyber firm as a cyber professional. But, even so, just 19% of specialist companies employ someone with this qualification. A generalist degree is more widespread, with 33% of cyber firms employing a computer science or IT graduate.
However, one respondent from a cybersecurity company described CISSP as “the gold standard”, on account of the comprehensive grounding that it offers.
“It is a generalist certification, which is a mile wide but an inch deep,” they said. “The fact that someone has passed that shows that they have a wide understanding of security and can hold a security conversation with a client.”
Furnell says that part of the appeal of CISSP is that it is only available to those with at least five years’ career experience. For employers, the simple knowledge that they are hiring a seasoned professional can be at least as valuable as whatever skills that person gained while studying for the qualification.
“Another reason why CISSP is a widely sought-after qualification is that people can see CISSP is a widely sought-after certification; demand creates more demand,” he adds. “And this isn’t to disparage or in any way criticise the content of CISSP. It’s a broad certification, and it covers a wide range of knowledge and skills areas. Many vacancies are asking for CISSP. And, so, somebody else looking for security professionals will see that others are asking for CISSP, so will ask for it as well.”
There is a sense that some respondents quizzed for the study were a little tepid on academic qualifications. But Furnell says it is important to understand the distinct and differing roles played by different types of certification.
“The academic qualification is about someone being capable of embedding themselves in the knowledge domain, developing some initial skills and exposure to that environment and maybe some level of workplace experience, particularly if it’s an undergraduate programme that has an industry placement,” he says. “But that’s not going to be the equivalent of somebody who’s been out there for five to 10 years as a practitioner, working in an environment.”
Furnell adds: “You can have somebody with an academic qualification, who’s got a lot of knowledge of what the issues are, but hasn’t put any of it into practice, versus a practitioner who could have an extreme level of experience in a particular niche… but is unable to generalise that into a wider context.”
2016: publication date of the government’s five-year National Cyber Security Strategy
19: number of core ‘knowledge areas’ that comprise the cybersecurity field, according to CyBOK
Five years: amount of professional experience needed to obtain CISSP certification – described by one respondent as the ‘gold standard’
£360: annual certification cost of NCSC Cyber Essentials – which the study found is still underused
Among cybersecurity businesses, 52% of employees had joined from a previous role in the sector, with a further 21% occupying their first job.
The qualitative research conducted by Ipsos Mori found that firms had a “positive attitude towards apprenticeships”.
“Where discussed, the heads of cyber teams saw them as good opportunities to fill skills gaps,” the report says. “Various benefits were mentioned, including allowing people with no cybersecurity background to enter the profession, getting staff who do not have preconceptions about working in cybersecurity and staff who sometimes have better soft skills than those coming through the university route.”
It adds: “However, there were cases where firms had struggled to find apprentices or found it challenging to match them up with the right training courses for their specific cyber roles.”
Furnell says that apprenticeship schemes dedicated to cyber disciplines – particularly degree-based programmes – are “still in the early days”. But some specialist options have emerged, and these will have an important role to play.
“For certain types of students and certain types of employer, that will be a very valuable route for people to go,” he adds. “They’ll be available to offer the degree-level education that the student wants, whilst doing so from the context of a workplace, and having that practitioner experience building through time. But the employer still needs to begin the process with somebody who is not an experienced practitioner, and it is a different journey to get there.”
It is an oft-repeated maxim that humans are the weakest link in any organisation’s IT security. The increased focus on so-called soft skills in the 2020 skills report speaks to the need for cyber specialists to communicate effectively with the wider workforce and instil in them awareness of risks and best practice.
About half of cyber professionals in the private sector, and a quarter of those employed in the public sector, are not confident in preparing training materials or sessions. Some 27% of business security professionals would not be comfortable discussing risk with their senior managers. This figure is just 8% in the public sector.
The research found there is a clear need for a “holistic” set of skills – including both technical expertise across a range of technologies, and the business know-how required to implement initiatives effectively.
The report says: “In the qualitative interviews, a major recurring theme was around the importance of staff in cyber roles having a combination of different types of skills rather than focusing on individual gaps in skills and knowledge.”
The cultivation of a greater variety of skills could be helped by an improvement in the diversity of the cyber sector – something which is currently clearly lacking, even against the fairly low benchmark set by the tech industry.
Just 15% of people employed by cyber-specialist firms are women, compared with 28% of the wider digital sector. Some 16% of cyber employees, and 17% of the overall digital industry, identify as BAME.
The DCMS and Ipsos Mori report finds that 9% of workers in the cyber sphere are neurodivergent – the first time that a reliable figure has been calculated.
Among the report’s qualitative data, many respondents talked earnestly of the need for greater diversity, and the benefits of achieving it, while displaying an understanding of the scale of the problem – at least in statistical terms.
Fewer spoke of concrete initiatives or made quantifiable commitments to the achievement of the goals they espoused.
Shah – while noting that the research might have looked different if it had been conducted in light of the Black Lives Matter protests and, perhaps, the coronavirus pandemic – says that the study found that many organisations address diversity issues in a “piecemeal” way.
Larger firms might have company-wide initiatives that do not address problems that are endemic to the cyber sphere.
“We found people saying that diversity is dealt with across the firm as a whole, and is not specifically looked at for the cyber part of the business,” Shah says. “And diversity initiatives, when they get to the cyber team, can peter out a little bit, because it’s not specifically dealing with the issues in cybersecurity.”
He adds: “The other thing we found was there was a sense that people thought this is important, but what can I do? So, they were saying: ‘we think it’s an issue primarily [because of] the pool of people that are coming to us – and we can’t change the nature of the CVs that come to us; if they all happen to be from men, then there’s nothing we can do about that’.”
Having commissioned another iteration of the study, due to be published in spring 2021, government appears committed, at least, to keeping a close eye on how much changes and what can be done to address the need for cyber skills and the resultant issues.
“There is still quite a lot to be done – there is still a gap to be filled,” Furnell says. “Organisations, clearly, not only need to do more, but they need more support in doing it. And we as a cybersecurity community need to be doing more to ensure the accessibility of the skills that the wider community needs.”