By Andy Pantelli, CISSP, CCSP

With our increasing digital footprints, ensuring security, confidentiality and integrity has never been so important. With increased awareness of cyber risks and visibility of attacks, we should be more equipped to protect ourselves than ever before. Unfortunately, we have a growing cybersecurity skills gap and a lack of security professionals. According to ISC2 research, the global workforce needs to grow by 73% to effectively defend organisations' critical assets, and roughly 4 million more skilled cybersecurity professionals are needed worldwide.

Unfortunately, with a general economic downturn post-pandemic, we are experiencing a dampening of the appetite for investment and recruitment across businesses in both the private and public sector. The journey of career transitioning or starting out in cyber seems to hold many barriers, including but not limited to a lack of experience and of understanding which pathway to take: choosing between specialities like Incident Response, Threat Intelligence, SOC, Red Team, Blue Team or Architecture (the career options go on), and then accessing study materials, finding resources, labs, etc.

Many employers lack consideration for diversity of experiences when trying to attract talent; they must take a chance on a candidate with little or no time spent in cyber but who may have other transferable skills. In addition to this, the level of expectation, experience and skills required for junior- or entry-level positions should be reevaluated. It therefore falls upon security professionals and the cybersecurity industry collectively to address this imbalance.

The greatest help security professionals can provide is by investing their time to support, mentor, assist and provide advice. This act of giving back is highlighted in ISC2’s Code of Ethics canon, “Advance and protect the profession.” While I was mentoring a colleague transitioning into cyber recently, he said to me, “You’ve been lucky in your career.” Where I was lucky was that an employer gave me an opportunity to show my worth; they saw potential. But that luck would not have helped me without my time spent studying, earning certifications and gaining experience.

Cyber is the bedrock of reducing risk in the enterprise, whilst offering assurance in our interconnected personal world. It is no longer considered niche at C-level or a boardroom afterthought. The increased sophistication and resources of our adversaries have to be countered both reactively and proactively. Security professionals not only need foundational skills but are required to constantly adapt and to continually learn of the tactics and techniques that we will face. This is a paradigm shift: what was once reactive, primarily about repelling attack, has now become proactive, with threat intelligence, resilient architectures, zero trust, defence in depth and secure by design as promoted by the NCSC guidance Secure Design Principles.

The next generation of security professionals, be they from the armed forces, boardrooms or lecture halls, is stepping into a rapidly evolving landscape. It is no longer enough to understand threats; instead, security professionals will need to anticipate the tactics and threats that malicious actors are constantly evolving.

This is the ever-persistent debate, not just in cyber but in many business sectors. Having sat on both sides of the interview table, I have found that for most hiring managers this is less a question and more a preconception. We are all products of our experiences, environments and other dynamics that shape us. So, when you find yourself in an interview, the hiring manager has their own perspective; for some, the most important factor may be what is on paper, and for others it is more about what you have done and the potential they see in you. Admittedly, having worked in highly regulated environments, industry and vendor certifications are sometimes a mandatory requirement, be that in the public or private sector.

The key here is not to become focused or obsessed with a ‘one or the other’ mind-set. While having experience and certifications is ideal, these don’t have to be the deciding factor in the job offer. Hiring managers should look at the potential of the individual. One of my best hires was a graduate who was lacking experience, especially for the large enterprise in which he would be operating, but he possessed enthusiasm, intelligence and a work ethic to learn and develop. Within 12 months he was running a vital part of the infrastructure alone, without support due to attrition in the team. The faith I and the employer had was repaid to us by his development and excellence in the workplace.

On one hand, we have the skills gap, and on the other we have a combination of workers looking to retrain, military vets looking to start the next chapter in their professional lives and students coming to the end of their studies looking to start their journey. Matching these up would solve the problem, you would think. But the problem is just that: matching these up. As we have touched upon, hiring practices need to improve. Job descriptions need to be realistic, and employers need to invest in and develop their workforce. Undoubtedly, we need experience in cyber, but we need to develop the next generation too. The key here is supporting and helping people transition into cyber. Some vendors are providing the resources, including the ISC2 One Million in Cybersecurity program, offering the study material needed to attain the Certified in Cybersecurity certification. There are others as well: Juniper offered five free certification learning pathways, providing study material and a 75% exam discount voucher. Cisco University offers free training, as does Palo Alto Networks. Sites such as ‘tryhackme’ and ‘hackthebox’ provide some great free resources for those looking towards ‘red teaming’, and PortSwigger offers its Academy, which also provides a fantastic resource for those looking to learn about application security. For military vets, the resources at TechVets are outstanding.

The common theme for those looking to start out in cybersecurity is knowing where and what is out there to help them along the way. This takes us back to ourselves, as security professionals. We can provide critical guidance, mentor or advise. Just as we were given an opportunity to develop, we should pay that forward and help the next generation on their journey. If we do this and help close the skills gap, it’s not luck, but good judgment and a safer, more secure cyber world for all.

Andy is a Managing Consultant – Cyber Security Architecture at 6point6.co.uk, consulting in the public sector including the UK Government. Since leaving the military, he has developed a career in IT over the past 20 years. He started in support and moved into network infrastructure. For the last ten years he has focussed on Information Security, Cyber Security Architecture and Cloud Security.