As if there were need for another report, (ISC)2 has weighed in on the shortage of skilled cybersecurity staff. Unlike other reports, the (ISC)2 data has a higher value. The report was compiled from a survey of its own membership with over 19,000 responding. Inside Europe it managed just 3,694 responses, but it hasn’t said what percentage of its membership that represents. It has also declined to provide the underlying data so we can get a better view of what members said.
According to Adrian Davis, Managing Director, EMEA at (ISC)2: “There are real structural concerns hampering the development of the job market today that must be addressed. It is particularly concerning that employers appear reluctant to invest in their workforce and are unwilling to hire less-experienced candidates. If we cannot be prepared to develop new talent, we will lose our ability to protect the economy and society.”
What is (ISC)2 adding to the skills shortage debate?
In one sense they are simply restating what we all know: too many jobs, not enough people to fill them. In this case it doesn’t necessarily equate to not enough people with skills. What the report does say is that there are not enough people with formal training, or at least the formal training (ISC)2 promotes.
This is a major issue at the moment. There seems to be a massive focus on the type of cybersecurity training rather than the cybersecurity skills people have. At one level it is no different from the demand for everyone in the business to have a degree. As the major consultancies have discovered, having a degree and being able to do the job effectively are not the same thing. Over the last year people like EY and Accenture have dropped the demand for a degree before they will interview people.
The same needs to happen here in cybersecurity. While the focus is on formal training there will always be a significant drag on getting the right number of people into work. Of course, for (ISC)2 members this carries an unexpected bonus. The fewer people classed as having the right skills the higher the salaries those skilled workers can command. And judging by salary reviews, they are really making the best of the shortfall.
Rightly, (ISC)2 calls out the problem of training workers in terms of poaching. This has always been a challenge for SMEs. They invest in staff both in terms of training courses and time, only to have them acquired by larger companies. That is never going to go away, and it takes time and effort to devise a strategy to keep staff rather than lose them. It is also important to recognise that completion of a training course and passing an industry exam are not evidence of skills or competency.
Finding a wider source of skills
One interesting finding is that those responsible for hiring are busy using their own networks or those of their staff. This means that they are drawing on those already involved in the cybersecurity industry rather than looking outside. (ISC)2 does challenge this and points out that 63% of those who call themselves managers have non-computing backgrounds.
There is another group that this study ignores and that is those who are being attracted to cybercrime. Many of these are unemployed teenagers who have low education qualifications and come from difficult socio-economic backgrounds. They see cybercrime as an easy route to make money yet many of them have very good skills when it comes to social engineering, coding and hacking. Sadly, their lack of formal education often leaves them excluded from the cybersecurity market.
So here’s a thought. They already have a head start when it comes to cybersecurity training. Showing them that they can make money legally from their skills is not hard. It is also quicker and cheaper to provide them with formal education rather than train someone from scratch as a cybersecurity worker.
We asked (ISC)2 if they’d considered this group. Their response was that they had considered Millennials. When told that was not what we asked, they admitted they had chosen not to look at this group. In part, this is not completely their fault. They would have been led by the responses from their membership and their research partner Frost & Sullivan.
Why does this matter?
If we insist on only going down the formal skills route to training cybersecurity staff, the shortages will persist for at least five years if not a decade. That is because of the length of time it will take to get people through the relevant degrees and then the professional training. (ISC)2 has been brave enough to call out hiring managers and say they need to widen their search for talent. Unfortunately, it failed to really take a stand and offer a realistic alternative to the route that most benefits its membership.
Ultimately, European companies will continue to pay the price for an employment and training strategy that is about the status of those already involved in cybersecurity. What is needed now is leadership that looks at how the talent pool can be widened. It also needs to provide workable strategies to help SMEs train and retain staff. The question is whether (ISC)2 can set aside its own interests in favour of leadership and solving a critical problem.