Addressing The Security Skills Gap
In today’s climate, the security sector is undergoing a number of changes and is growing at an incredible rate. While the demand for employees is present, there are a number of roles that are struggling to find suitable applicants. This is, in part, owing to the security skills gap - when individuals working in or applying for roles lack particular skills necessary for those roles.
In the following article, we chat to several leading figures in the security industry to hear what they have to say about this gap, how it affects them, and the practical steps we can take to address it.
Andrew Rose - CISO @ Proofpoint
Andrew Rose is the Resident CISO at Proofpoint, a company that delivers effective cybersecurity and compliance solutions to protect people across multiple channels, including the web, e-mail, the cloud, social media, and mobile messaging - helping firms across every industry.
When asked about the skills gap in the UK security industry, Andrew stated that he had been blessed with a relatively stable team for years, but he had found difficulty in recruiting for certain key roles, at very different seniority levels.
“It’s become clear there are certain roles that are more difficult to fill, those that require a niche set of skills – or those that are broad, but require leadership experience.” He elaborated, “typically it’s tough to find technical employees - those who do vulnerability management or act as security architects. These roles are in high demand and you can find firms paying high salaries to candidates with only some of the skills or experience they really want.”
In addition, as is a common point raised by those in the sector, he noted that it’s also hard to recruit for senior roles: “It’s difficult to find people who can talk competently about technology but also be able to work on a corporate level and face board members. They have to have a technical understanding and a sense of business savvy, and there’s a gap in this section right now.”
Exploring the reasoning behind this, the conversation moved on to the role of human resources in exacerbating this gap. One issue raised is the complexity and over-extension of the requirements listed in job adverts. “I saw a post on LinkedIn the other day”, Andrew told me, “a job advert had been posted that required 10 years of experience with a certain technology - to which someone had replied, ‘that’ll be difficult given I only invented that tech six years ago!’”
Andrew highlighted how job adverts are too often a wish list of what firms dream about in an employee. While that’s fine, “it’s unlikely one person could meet all of them and it dissuades great candidates from applying as they think ‘I can only do 30% of this!’” Andrew also noted that it puts an additional strain on the gender gap, as research suggests that women are less likely to apply for a role if they don’t feel they meet all of the requirements asked for. “Overall,” Andrew reasoned, “job specifications need to be more realistic and take into account competencies, skills and potential rather than specific existing knowledge - recruiting ‘talent’ rather than ‘finished items’ can help reduce the skills gap.”
Bence Horvath - Director, Technology Consulting - Security @ Ernst & Young
With a long career in technology, Bence Horvath today works as the Director of Technology Consulting, specialising in security at Ernst & Young, a multinational professional services firm.
For Bence Horvath, the key problem with the skills gap in the security industry is that we just don’t have enough people, full stop. He reasoned, “the industry has been increasing at a breakneck speed and the amount of people we need in this area (demand) is rising faster than supply.”
Addressing why demand is rising, Bence spoke of the “increasing digitisation of the world”. In fact, as a result of COVID, he believed that in the last 6-9 months we have seen as much growth in demand as there was over the past 3 years. And, with digitisation comes a number of security risks and the need to recognise and handle cybersecurity issues that, in turn, require an increasing number of professionals.
Demand, though, is just one problem. Bence also addressed problems when it comes to the UK’s focus on supplying talent. Though the UK “have a great lot of focus placed on training cyber talent and have established dedicated programs in the government and in academia, it’s still not enough.” He argued, “we need to start bringing the possibility of cybersecurity as a career option at an earlier age too - showing people you don’t necessarily need to be a top hacker to be valuable in this field, we need a bit of a reality check to make the field more open, more attractive, and more diverse.”
University isn’t necessarily the answer either though. “Realistically, security moves so fast that it’s hard to get an accurate picture on a static university program. When we hire new graduates, I try to include them in as many projects as I can so they not only get experience but the client can benefit from their new way of thinking, being digital natives.”
Richard Norman - Head of Information and Cyber Security @ A UK Retail Bank
Moving on, Richard Norman also offered a valuable insight on the issue. Richard has worked in security for as long as he can remember, in fact, before the industry even really gained the title ‘security’! “It’s just something that good administrators did”, he told us. Today, however, he works as head of Information and Cyber Security at a UK retail bank.
“The problem”, Richard reasoned, “is that people gravitate towards the technical aspect of security”, yet there are few people drawn to “the governance and risk aspect of security as well as fully understanding the human factors”. He does not believe this problem will last, however: “I think this problem will start to sort itself out though as more organisations move to the cloud and technical challenges will be dealt with by specialists like Microsoft and Amazon.” Companies, meanwhile, “will have to deal with the cultural shift in managing the challenges associated with corporate governance of information risk in this environment - that’s why the gap is so important and needs to be solved.”
Talking about how to address this gap, Richard answered “as a nation, we need more awareness and more publication of the fact there’s a skill shortage.” On a government level, “perhaps it would be useful to have tax breaks or something to encourage organisations to develop skills themselves.”
Like Bence Horvath, he believed this issue may not necessarily be fixed by sending people to university - companies can “take people in, even if they’re unskilled, and compensate by having a greater number of people and work on building up their knowledge.” Recently, for example, he had someone move in from another sector of the business. “She never used to be interested in security, but having seen what we do, she’s found it really interesting and is really good at it. Ultimately, I think we need to look for talent and nurture it, wherever it may be, and work on retaining it for the future.”
Steve Donachie - Director Global Security Operations @ Aegon
Steve Donachie is Head of Security at Aegon, one of the world’s largest financial services organisations, providing life insurance, pensions, and asset management. It also boasts a global security operations centre, which is where Steve works.
Steve touched on many of the issues addressed in previous interviews, reiterating their importance. Like Andrew Rose, Steve argued that it’s difficult to find people with a “blend of technical skills as well as an understanding of how organisations work, what expectations are, and some of the more non-technical skills.” He reasoned, “yes it’s helpful if they know science but I also want someone I would like to put in front of others in the business, capable of building relationships, and able to get information across in the right format.”
Aegon is working on a way to address this gap and Steve told us all about it - “We’ve partnered with a local university to create an undergraduate program. The first year of the four-year course is more generic business training, not necessarily focused on security but rather business operations, and then they’ll typically gain the foundational security knowledge through on-the-job experience. They do one day of university a week, and four days working for us.” It seems a great way to combat the issues with a university education put forth by Richard Norman and Bence Horvath.
Overall, the issue with security is that it’s just not being talked about enough. On the plus side though, Steve sees this changing - “I’ve got a teenage daughter who is just becoming aware of what I do for a living. They’ve been doing coding exercises at school, which is quite impressive, and they do talk about cybersecurity. However, at the moment, it’s more from a social network point of view and regarding personal safety rather than the idea that there’s a career in this and you can study it. So yes, younger and younger people are learning about security but not as much as we need them to, given they are going to be in the workplace in the next four years.”
So what now?
Ultimately, it’s clear from these industry leaders that the security industry is facing a supply problem - there is too much demand for certain skills and not enough people to fill the roles. Most of them agreed this can be attributed to the lack of information available on careers in security, as well as to recruiting companies expecting too much rather than focusing on the potential a person may have. These should be easy problems to fix, but will it be too little, too late?