Six ways to develop a sustainable cyber security workforce
The cyber security skills gap in the UK continues to be a serious problem, which has been exacerbated by increasing numbers of employees working from home over the past year. Now is the time for L&D teams to catch up in order to build a sustainable cyber security workforce for the future.
The past year has seen an unprecedented demand for organisations to adapt quickly to change. Many of us now work in ways and locations that would previously have been unthinkable before early 2020. Technology has been a critical enabler of this, with an extraordinary take-up of technologies facilitating remote working.
From a cyber security perspective though, the pandemic has not so much delivered ‘new’ challenges, as exacerbated challenges that already existed. We already understood that cyber threats are now simply part of doing business in the 21st century. The evolution of technology towards being able to access our work data and colleagues from anywhere, and our increased reliance on it, were already well established. Working practices and dominant issues of public concern accelerated social media participation.
What the pandemic and the accompanying explosion in home/remote working did, then, was further enrich an already fertile environment for malicious cyber actors seeking to exploit the situation for financial gain. Research by one major provider estimates that ransomware attacks in the UK increased by as much as 80% in the third quarter of 2020 (source: ITPro, citing a CheckPoint report, October 2020).
Looking at it positively, I would argue that the pandemic also, inevitably, made the importance of cyber security skills and awareness in the workplace a much more mainstream concern. Demand for the skilled staff needed to accommodate the cyber threat environment and ensure operational continuity and success has never been higher. Increasing these skills across the workforce is going to be critical to operational success for most organisations, but how do we get there? The reality is that the cyber security skills gap in the UK continues to be a serious problem in 2021. A recent UKGOV report estimates that:
- Around 50% of businesses in the UK lack people with ‘basic skills’ in cyber security, such as storing or transferring personal data, setting up configured firewalls, and detecting and removing malware.
- Around 33% of UK businesses don’t have enough people with advanced technical cyber security skills such as penetration testing and digital forensics.
- Around 32% don’t have enough people with the right skills to respond effectively to cyber security incidents.
Six steps to building a sustainable cyber security workforce
Coupled with increasing stories about the enormous damage inflicted by cyber attacks, it’s clear that we have some way to go on addressing the skills shortage. It can be done, however, and it can be done in a way that, in the longer term, is cost effective, delivers real results and enhances the career options and working life of people in your organisation. Based on my experience as head of training in a digital risk management company, here are some elements that must be considered when planning for and implementing a sustainable cyber security workforce.
1. Start at the top and work down
I always start at the top, helping business leaders to understand the cyber threat so they can make the correct investment decisions to effectively defend their organisation’s assets. What we’re talking about here is good risk management. With knowledge of the threat and understanding of what capabilities exist, business leaders can make an informed judgment around what might be needed. Particularly at government and corporate levels, this work lays the foundation for identifying learning and development opportunities for designing a new cyber security workforce or finding and developing potential cyber security people, sustainably.
2. Embed cyber security training into your organisation’s strategy
The pace and power of technology, and the risks associated with its use mean that workforce learning and development should be a key element of any organisation’s cyber security strategy. This could mean technical training to deliver specific skills for increased resilience to cyber incidents, as well as the ability to handle incidents when they occur. As the majority of cyber attacks are still enabled via social engineering, however, general awareness of the cyber threat and training in good security practices for non-technical staff is also important. Without the right levels of awareness and skills, organisations are more likely to suffer data breaches or operational instability, affecting reputational, operational and financial agendas. This is especially true in respect of regulatory issues comprising sanctions or large fines (taking GDPR and PCI DSS as examples).
3. Include cyber security roles and skills in workforce and business planning
The senior-level work I mentioned above starts the workforce planning process. Ideally, it is followed, if necessary, by the organisation doing some work to determine its level of cyber security maturity and its investment needs around cyber security. At this point, I can help identify the skills and numbers an organisation will need to protect its assets and its people. This may include designing specific learning and development skills frameworks that can then align to cyber security training career paths, mapped to the critical functions and job roles requiring cyber security skills, knowledge and, ultimately, capability.
These frameworks and career paths usually include:
- Various job roles or domains
- Skills levels
- Suitable industry recognised qualifications
- Relevant tool-specific or vendor-agnostic practitioner training courses
- Use of multiple preferred training providers
- Immersive on-the-job learning
- Mentoring/shadowing and indicative time in which to conduct operational work experience
These are designed to suit a range of budgets, frameworks, learning outcomes and other preferences.
4. Consider reskilling as well as recruitment
Once an organisation has identified the resources it needs, how can it acquire the talent to fulfil resourcing requirements in a recruitment market where skilled cyber security practitioners are often scarce and expensive? Reskilling programmes can be very effective in the face of this challenge.
The right cyber security practitioners don’t necessarily have to come from external sources. If cyber security resource requirements are addressed as part of the overall workforce plan, the aptitude of existing staff can be assessed, and their learning pathways created. Then it’s about providing the right training and development. This needs to be a good mix of knowledge acquisition—through content and hands-on exercises and mentoring—to encourage rapid development.
Trainers who can not only teach the content but also have the operational expertise that allows them to mentor their students are ideal for this approach. Reskilling can have additional benefits: the decision to invest in staff often increases positivity and encourages loyalty, reducing turnover and recruitment costs.
5. Link training to specific business needs and career plans
Developing internal reskilling programmes may not be an option for some organisations. Good, effective training can still be very valuable, however. To get the most value, especially from third-party delivered training, this should be clearly aligned to the organisation’s business requirements. Clearly defined skills frameworks and career pathways can help this tremendously, while still offering employees a degree of flexibility and choice about training. When learning plans are folded into a proper career plan, it can help to keep staff more focused, and the organisation can be reassured its objectives are being worked towards. Longer term, this helps to control costs, reduce staff turnover and provide tangible results.
6. Consider who the training is for
Decisions on training are, too often, over-influenced by considerations of cost rather than value. Treating cyber security training as part of your workforce planning makes it easier to consider return on investment. This is also relevant to finding the right training for the intended candidates. Different people absorb information in different ways. Some things to consider, especially when ‘buying in’ training from an external supplier, include:
- Virtual or classroom based? Do you understand the learning styles of your staff and can you accommodate them in the type of training they are undertaking?
- Does the training provide sufficient mentoring or coaching? Learning in a group of 100 online or in a classroom with 30 other people – all of whom learnt differently and have different job roles and levels of experience – may increase or decrease the likelihood of effective learning for them.
- What is the level of interaction with the provider? This might be extremely important for those employees who need to acquire hands-on practitioner skills to do their job successfully (e.g., incident response or penetration testing).
In my opinion, learning is not just about books and PowerPoint presentations. A hybrid learning format, encompassing classroom theory, hands-on exercises, real-world scenarios and teacher-student mentoring, is the best approach. It not only provides participants with a strong foundation, but also accommodates varying learning styles.
Additionally, I think it’s important to mention here that, in my experience, it’s vital to make learning digestible and achievable within the context of daily operations, such as breaking delivery up into smaller chunks to fit around a team that has to operate critical systems. For example, 20 two-hour sessions rather than five eight-hour sessions may be far more effective. Admittedly, this may not always be practical in a classroom, but it is very achievable with remote training.
Good workforce planning is vital to building sustainable cyber security defences
Ultimately, staff development and training is essential to the long-term health of any organisation. This is especially true of cyber security, where the skills that people acquire may make a huge difference to that organisation’s resilience towards threats with the potential to devastate operations and bring business to a standstill. In security, you will often hear the view that the best security is ‘built in’, not ‘bolted on’. This is never more apt than when considering your workforce and the role that all of them need to play in navigating the cyber security threat landscape.