Report: 50% of businesses have a cybersecurity skill gap that they are struggling to fill.
Cybersecurity skill gaps in the UK's workforce.
Researchers conducting a study on behalf of the UK Department for Science, Innovation and Technology (DSIT) have discovered significant skill gaps in the cyber security industry. “Approximately 739,000 businesses (50%) have a basic skills gap. That is, the people in charge of cyber security in those businesses lack the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme, and are not getting support from external cyber security providers. The most common of these skills gaps are in setting up configured firewalls, storing or transferring personal data, and detecting and removing malware,” the report finds. What's more, 33% of businesses have more advanced skill gaps in forensic analysis, security architecture, and interpreting malicious code. The researchers note that while the figures for basic and advanced skill gaps have not changed, the proportion of businesses that lack confidence in their ability to carry out tasks has steadily risen since 2020. 22% of businesses report that applicants lack the required skills to fulfill their prospective job, and 49% report that their existing staff or applicants are underqualified. A significant portion (61%) of cyber security workers said that they have pursued or are pursuing a cyber generalist specialization, in which their work is spread across several specialties in the “career road map.”
Recruiting and employees entering the workforce.
The report finds that job listings for cyber security roles increased at a rate of 5,921 jobs per month in 2022, to a total of 71,054 jobs for the year. “When compared to 2021 levels, this suggests that the number of core cyber job postings has increased by 33% (from 53,586 in 2021). Demand for ‘all cyber roles’ has also increased by 30% in this time period,” write researchers. However, supply does not seem to be meeting demand, as there was a shortfall of about 11,000 positions filled in 2022. There is hope that the shortfall will lessen in coming years, as the number of students choosing a cybersecurity degree program has risen by 29% in a year (from 14,910 to 19,200). Employers continue to value generalists with strong technical skills, researchers write: “Skills shortages continue to exist in approximately equal measure in specialist and generalist roles (where candidates are expected to understand a range of cyber security areas, but not necessarily in depth). In the qualitative research, we found that employers particularly valued staff with strong technical and complementary skills but these candidates can be hard to find (‘unicorns’ was one description).”
Is it time to change hiring strategies?
Rick Howard, N2K CSO and Senior Fellow at the CyberWire’s parent company, explained this style of recruiting in his “Cybersecurity moneyball” essay: “I'm reminded of one of my favorite movies, Moneyball, starring Brad Pitt and Jonah Hill, released in 2011 and based on the 2003 book of the same name by Michael Lewis. Lewis tells the story of how the Oakland A’s, an American Major League Baseball (MLB) team, adopted a radical new approach to fielding players. In 2002, the A's had a payroll of approximately $42 million, while the New York Yankees, their arch nemesis, had a payroll of around $126 million. That meant that the Yankees could buy the best players in the game and the A’s could hardly compete.” Employers should be looking for individuals who will get the job done at the lowest possible cost. By seeking out only highly specialized candidates, employers are passing up lower-cost cybersecurity professionals who, when put on a team, can do much of what an all-star could do. Instead of relying on certifications and degrees, maybe it is time for employers to adopt an aptitude-based approach focused on training their team, and its members, to their best advantage.