You find cyber security talent by looking in unusual places, writes Steve Jones, UK MD at SANS Institute. It recently launched the UK Government’s first cyber retraining academy. Among SANS’ training events is London March 2017, at the Grand Connaught Rooms from March 13 to 18.
Of UK Chief Information Officers (CIOs), 77 per cent now say they will face more security threats in the next five years due to the skills shortage. Yet this comes at a time when cyber has never been a more attractive industry to work in, with security professionals projected to enjoy the highest salary rise of any technology specialism in 2017. With industry and Government facing the unfortunate reality of a projected increase in cyber-attacks, it has been suggested that the cyber security industry could be worth $175 billion by 2020. Over a third of UK CIOs are planning to hire more cyber professionals this year. So why is a booming industry still failing to fill vacancies?
The fashionable answer is that this is a supply-side problem, caused by the shortcomings of schools, colleges and traditional academic institutions to turn out enough computing graduates. Yet what if it is not the education system, but the employers hiring criteria that is the problem?
The belief that the education system is the main cause of our woes is connected to the fact that cyber security employers continue to lean towards seeking people with technical backgrounds.
However, prioritising job applicants with technical degrees means fishing in very shallow waters; just 7 per cent of our top universities even offer an undergraduate degree in cyber security. Many employers also demand ‘hands-on experience’ as a requirement for cyber roles. Yet this automatically excludes anyone who hasn’t worked in cyber, filtering out an enormous potential talent pool at the first hurdle. It is as if the aviation industry acknowledged it was suffering a severe shortage of pilots coming through, but refused to hire anyone who was not already a qualified pilot from an elite flight school.
If we are to provide a realistic solution to this urgent and pressing problem, cyber security employers must radically rethink their hiring checklists and entry tests and the places they recruit from. The largest ever survey of cyber security professionals ranked non-technical skills (such as risk assessment and management; communication skills and analytical skills) higher than technical skills when recruiting mid to entry-level cyber security professionals. These are attributes often found in professions as diverse as the armed forces and the legal profession. Cyber security is an increasingly multidisciplinary profession requiring diverse skillsets, yet the industry’s hiring criteria is still far too focused on people with technical degrees and backgrounds.
To put weight behind that claim, we have looked further afield than the average technology graduate, successfully transitioning military veterans into cyber careers through our academies. Out of the thousands of applications to the first SANS UK Cyber Academy, the final group selected for the course included several from outside the tech industry including a law graduate.
To prove this theory at national level, SANS has been recently tasked by Government to partner them in launching the first ever ‘Cyber Retraining Academy”, which will specifically seek applications from those who have never worked in cyber.
Applicants will be filtered using psychometric assessments developed to identify behavioural and cognitive traits that indicate high probability of success in cyber security, then trained to be industry ready practitioners with immediately deployable skills that will set them on a path to become seasoned/skilled cyber professionals of the future.
We believe this offers a radically different recruitment model for the industry, which could help plug the skills gap and diversify the workforce in quick time, effectively condensing a typical graduate type training programme into an intensive, immersive ten-week schedule.
This is something we have seen in other industries, with some businesses now recruiting using bespoke aptitude tests that not only widen their recruitment net but offer a far better guarantee of ‘culture fit’ than degrees or career experience. We can do much more to give those starting out in security a firm foundation, ensuring those who undertake training are immediately deployable and add real value to the employers from the outset.
