How do YOU find and attract the Cybersecurity skills/talent YOU need?

The SASIG Skills Festival on April 13th will be the largest Cybersecurity Skills event until the new Cyber Security Council becomes fully operational and creates a web of partnerships with training providers, recruitment agencies and employer groups.

I am due to help introduce a round table at 11.00 a.m. titled “Where can we find and attract new talent?”. I plan to leave it to the other speakers to answer the question. My aim is to set the scene, including why you need to listen carefully to what they have to say.

I have been involved, off and on, with studies and programmes to address the digital skills shortages of the day since the mid-1970s. There has never been a shortage of talent, only of employers willing and able to work with and through competent education and training providers to identify and harness the talent available. There have been sporadic short-term exercises at times of crisis (e.g. in the early 1980s or during the run-up to Y2K). None was sustained for long enough to achieve lasting change.

I therefore brought over forty years of hindsight and prejudice, alias experience, to help interpret the three DCMS reports published during the run-up to the launch of the Cyber Security Council:

UK Cybersectoral Analysis 2021

Cyber Security Skills in the UK labour market 2021

Understanding the Cyber Recruitment Pool

In a previous blog I summarised the report on the Cyber Security Supply Sector. I had planned to add relevant material from the other two reports to the blog I am updating on the current state of cybersecurity policing structures and skills partnerships, but ran out of time after adding material on how to check the accreditations of training providers and the qualifications of individuals, and on reporting and guidance with regard to child safety. Instead I have produced a quick digest, below, of the implications of the DCMS reports for those looking for talent to meet their own needs.

This focuses on the answers to five questions:

  1. What is the current recruitment pool?
  2. What skills does it have?
  3. What is the shortfall: qualitative (technical and/or soft skills) and quantitative (numbers)?
  4. What is the current throughput? – via which pipelines
  5. Where and how should YOU look for the skills YOU need?

For those who wish to read the conclusions first, here are five “teasers” for the “answers”:

  1. Most “professionals” work for a small number of large organisations whose needs are different to those of most employers.
  2. Many, even graduate/certificated “professionals”, are largely self-taught with regard to skills in demand.
  3. There are many different shortfalls but the biggest is a demand for graduates with 3 – 5 years experience who do not exist.
  4. Whichever talent pipeline you look at, the throughput is currently about half what it could readily be expanded to.
  5. Trawl your users and their children, in partnership with trusted local training providers and your regional Cyber Resilience Centre.

1. The Current Labour Market

The cybersecurity recruitment pool covers five main groups (although the reports group them into three):

  • 46,700 in “core roles” (professional/technical cyber-security job title) with Cyber Security Suppliers
  • 11,800 in “core roles” in the public sector (GCHQ, MoD Civilians and rest of Central/Local Govt, NHS etc.)
  • 39,500 in “core roles” with (usually large) private sector users, e.g. banks, defence, aerospace, retail etc.
  • 8,700 in “cyber-enabled” (requiring recognised skills) public sector roles.
  • 64,300 in “cyber-enabled” private sector roles.

The report on cybersecurity skills in the UK labour market includes much larger numbers, but these refer to those “responsible” for cyber in the 1.4 million SMEs with fewer than ten employees and no full-time in-house digital skills.

The employment of full-time cyber professionals/technicians is concentrated in a relatively small number of large employers. 40% are employed by GCHQ, MoD and those cybersecurity product and service suppliers (about 150) with teams large enough for in-house training programmes to be realistic. Around 20 large telco, defence, consulting, product, service and/or outsourcing operations employ nearly 30% of the total. Half of that total have been recruited from a previous role in cyber security and 19% are career starters. Half, however, work in organisations too small to employ and supervise more than a couple of trainees.

Diversity is fashionable. 32% of cyber sector firms say they have made changes to recruit more women, 25% for ethnic diversity, 19% for physical disability and 15% for neurodiversity. But only 16% of current employees are women, 17% from ethnic minorities, 9% disabled and 10% neurodivergent. This compares to 48%, 12%, 14% and unknown (for neurodivergence) for the UK workforce as a whole. The cyber workforce appears to be more ethnically diverse than the workforce as a whole, but almost all are from cultures which have valued mathematics and cryptography for a millennium longer than the West, and few of them are in senior positions.

The reports comment at length on the value of neurodiverse talent, but there is little mention of the potential need to provide pastoral and clinical care on an ongoing basis. Hence the value of outsourcing to virtual CISO services, like those provided by the skills incubators organised by the Cyberhub Trust or IASME, which are also geared to provide the support and structure needed by the unrecognised Alan Turings of today.

Outside the cyber sector, 45% of organisations with anyone responsible for cyber security have only a single individual. 29% of organisations with 10 – 49 staff have only one. 23% of those with 50 – 249 staff have only one. 11% of those with more than 250 staff have only one. 84% are not full time. Most had cyber added to existing roles, with no formal training. 8% were recruited internally from a non-cyber role into a cyber-specific role. 2% were recruited from a previous cyber security role. 1% are graduate trainees or apprentices.

2. What skills does the workforce have?

Most analyses are of the core skills needs of the cyber security sector, as opposed to those of users, large or small.

33% of staff with cyber security suppliers had a general computer science/IT degree, 27% a specialist degree in cyber security, 11% had qualified via a cyber or other apprenticeship; and 51% had some form of other technical accreditation. The latter included CISSP (38%), CISM (14%), CREST (12%), Certified Ethical Hacker (12%), (11%) and/or one of over 30 other cyber qualifications. 65% of employers thought they knew their training needs very well.

The pattern outside suppliers may, however, be very different. In the UK, 7,900 (ISC)² members hold CISSP (out of 148,000 world-wide). But, globally, three times as many individuals hold CompTIA Security+ as hold CISSP. Security+ was not mentioned in the survey of specialist suppliers but appears to be by far the most common qualification among those supporting SMEs, whether directly or along supply chains. Analysis of the recruitment market (via Burning Glass) indicates 8,000 postings per month for non-core roles, compared to only 3,000 per month for core professional and technical roles. How far this indicates the numbers needed, as opposed to difficulty in recruitment, is unclear.

3. Where is the shortfall?

47% of cybersecurity suppliers reported technical skills gaps including:

  • Incident management, investigation and digital forensics 41%
  • Assurance, audits, compliance and testing 37%
  • Cyber security research 36%
  • Threat assessments and information risk management 32%
  • Cybersecurity governance and management 31%
  • Implementing Secure Systems 22%
  • Operational security management 21%
  • Business resilience 19%

Only 31% reported soft skills gaps, but the most widely reported shortage (63%) was of “senior staff” (3 – 5 years' experience).

Technical skills were of less concern to users, who were more concerned with gaps in soft skills, such as:

  • Carrying out a cyber security risk assessment 45%
  • Developing cyber security policies 43%
  • Preparing training materials or sessions 42% (57% among those in education and training)
  • Writing or contributing to a business continuity plan 39%
  • Carrying out a data protection impact assessment 39%
  • Communicating cyber security risks to directors, trustees or senior management 25%

The gaps in numbers

The overall growth in demand (across all sectors) is estimated at 14% since 2016, falling to 9% in 2020 with the impact of Covid. This implies growth of around 12,000 p.a. to meet expected demand – unless impacted by factors such as automation and labour costs.

There is an estimated attrition (retirement and/or movement to other roles) of approximately 4% p.a., giving an estimated outflow of 5,500.

This indicates a need for 17,500 new entrants p.a. to meet growth expectations, while the Burning Glass analyses indicate a current shortfall of over 33,000 online job vacancies and (ISC)² estimates a UK workforce gap of c. 27,400.

4. The current throughput, numbers and sources

Currently there are c. 7,500 new entrants p.a.:

  • 2,000 (out of a current throughput of 3,360 from 83 institutions) cybersecurity graduates (undergrad and masters),
  • 2,000 (out of a throughput of 30,886 from 128 institutions) computer science graduates,
  • 2,500 from current career conversion, re-training, or other routes
    • Students with relevant A Level/NVQ qualifications moving into further or higher courses.
    • Retraining from other occupations, such as law enforcement
    • Veterans via the Career Transition Partnership or SaluteMyJob
    • MoD staff and military personnel via the Defence Academy Cyber Foundation Pathway
    • Transfers from other IT professional roles
    • Alternative talent pools: neurodiverse groups, returners and rehabilitated offenders.
  • 1,000 cyber-security apprenticeships (currently 600 but doubling year on year).

Overall there is a shortfall of 10,000 p.a., additional to those needed to address the current perceived shortage.

The reports contain detailed analyses covering roles, career pathways, HE and FE courses and apprenticeship programmes and throughput (including by university and standard), sources, demography (including age, gender and ethnicity) and destinations of students, and salaries.

  • 41% of cyber sector employers have staff with computer science degrees, 35% with cyber security degrees and 13% with cyber security apprenticeships.
  • Half have tried to recruit externally for cyber roles in the past two years. Half of these used recruitment agencies (half specialist, half generalist), a third used social networks (such as LinkedIn), and a third used word of mouth.
  • 10% had University Partnerships and/or Graduate Schemes and only 5% had school or college partnerships.
  • Only 4% reported problems recruiting apprentices, 22% entry-level graduates, 63% senior staff (3 – 5 years' experience), 33% principal-level staff (6 – 9 years) and 13% director level (10 years or more).
  • Meanwhile 85% of those for whom cyber was one role among several came from another part of the business.

There were differences of opinion among those interviewed regarding the shortage (quantity and quality) of talent available and the specific skills needed, but consensus regarding the low level of technical skills compared to demand, particularly with regard to penetration testers and firewall engineers.

Short-term actions included internal on-the-job training by employers of those with complementary IT skills. Longer term, more bespoke FE courses and apprenticeships are required.

The other barriers to entry included poor awareness of career opportunities and unsuitable recruitment methods.

Government action to increase education and information on cyber security in schools could help.

Geographic and Sector Differences

Analyses of job postings for core skills indicate that the London hot spot may be cooling while the North West, M4 Corridor and West Midlands hot spots are consistent and/or growing. Local hot spots include Reading, Basingstoke, Cheltenham, Bristol, Leeds, Edinburgh, Leamington Spa, Barrow-in-Furness, Belfast and Bath. The most common title is “Security Engineer” (34%), compared to 3% for trainee/apprentice or 2% for penetration tester. IT and cyber businesses account for 23.5% of adverts, consultancy for 17.7% and finance for 13.8%. Retail is only 3.4% and manufacturing 1.3%.

The peak demand is for graduates with 3 – 5 years' experience plus certifications

58% of ads for core roles and 51% for cyber-enabled roles ask for 3 – 5 years' experience. Only 16% and 10% respectively ask for more. 90% of ads for core roles and 78% of those for cyber-enabled roles ask for graduates or postgraduates. Job adverts for core roles requesting specific qualifications range from 36% for CISSP, 23% CCNP, 22% CCNA, 19% CISP, 8% CISA, to 2% for GCIA and only 1% for CompTIA Security+. This may, of course, be because, globally, more than three times as many candidates are likely to hold CompTIA Security+ as hold CISSP, and it is geared more to those in roles where cyber security is part of a wider role.

Is the shortfall caused by low salaries for graduates?

Cyber security carries a premium of 29% over IT salaries as a whole in job adverts (page 66, Cyber Security Skills in the UK labour market 2021). Meanwhile, according to the HESA University Graduate Outcome data (table on page 39 of Understanding the Cyber Recruitment Pool), cyber security graduates are paid less than computer science graduates. This may explain why more do not enter the cybersecurity industry.

And what about outsourcing?

Around half of small (54%), medium (58%) and large businesses (51%), plus 57% of the public sector, outsource at least part of their cybersecurity. This rises to two-thirds in finance and insurance. The failure of micro businesses to do so is almost certainly because they cannot find affordable and trustworthy providers. Hence the importance of the Cyber Resilience Centre plans to address this problem.

5. Obvious actions for those looking for talent include:

  • Review the salaries you offer to Cybersecurity and Computer Science Graduates – unless your policy is to pay more for those implementing security by design. If you are worried about losing those you train, consider using training/apprenticeship contracts.
  • Trawl for talent among those who understand the business: whether your own users or those of your customers. There is anecdotal evidence that cyber sector suppliers are increasingly doing this.
  • Use the talent pipeline partnerships being hosted by the Cyber Resilience Centres to upgrade existing staff, “try before you buy” those on local training programmes, and secure your SME supply and distribution chains.
  • Use the work experience components of schools, university and college programmes and integrated programmes like the cyberhubs to “try before you buy” with regard to your own recruitment and organise affordable virtual CISO support.