Growing the Pipeline of Cyber Security Talent

David Eaton - Cyber Security Consultant and Chair of the Cyber Security Skills Taskforce

The market reality

According to most estimates, the demand for cybersecurity workers far exceeds supply. The Centre for Cyber Safety and Education (formerly the ISC2) Global Information Security Workforce Study in 2015, which surveyed over 14,000 global organisations, estimated that the demand will be for 1.5m more cybersecurity professionals by 2019[1], while evidence presented by the ISACA to the UK House of Lords Digital Skills Committee in 2015 was of a 2m shortage[2].

The 2015 ISC2 report also found that demand for cybersecurity professionals is increasing: 62% of the survey respondents stated that their organizations have too few information security professionals, compared to 56% in the previous 2013 survey.

It is not just a shortage in numbers; it is also a shortage in diversity. In an update to the 2015 report[3], Frost & Sullivan reported that the cybersecurity workforce participation rate by women has remained stagnant at only 11%. In Asia Pacific, this rate is only 10%, and in Europe it is 7%. This “diversity deficit” has the direct consequence of narrowing the available cybersecurity talent pool and, especially, of limiting the non-technology and “human factors” that the profession needs[4].

Within this unprecedented “tide” of demand, some cybersecurity skills are more in demand than others. According to a report in Forbes in May[5], over 40,000 vacancies for cybersecurity analysts went unfilled in the USA in 2016, and that demand is not forecast to abate.

This presents employers with tough choices. At a time when businesses are intent on improving their cybersecurity posture to reduce brand and reputational risks, they are severely constrained in finding capability. While waiting for the education system to catch up, the choices are few: hire in an active and constrained market, look to offshore talent, or internally recruit and retrain your own talent.

A skills pathway into cybersecurity

Cybersecurity offers a number of specialised opportunities to build on a core skillset and, partly as a consequence, there is confusion as to what entry points are available, which are suitable, and particularly what constitutes appropriate “entry” skills. Is a degree required? How do you balance the academic with practical skills and aptitude? How do you incubate core skillsets? How can you gain needed experience in a measured and appropriate manner? What is the best entry point into the cybersecurity profession? Is there a need for multiple entry points – and if so, what are they and where are the gaps?

These were the types of questions considered by the Cyber Security Skills Taskforce and posed to industry during consultation on what we might do to address the skills shortage. A key finding was that a pathway into entry-level roles was needed – and this needed to be shorter than a three-year university degree. One of the particular pathways to be developed was for junior roles within a Security Operations Centre (SOC), which is where an organisation undertakes security administrative functions on its critical information assets.

A Level 6 Skills Pathway

It is with the need to balance theoretical understanding with hands-on skills that the Taskforce has initially focussed its efforts on encouraging and working with NZQA and ITP to establish a Level 6 cybersecurity diploma within NZ. This qualification will be focused on developing a graduate who has the skills and knowledge sufficient to work in entry-level cyber security roles. For example, it is anticipated that a graduate, trained through the Level 6 Diploma pathway, could join a SOC as a level 1 security administrator (in SOC parlance, a Level 1 Analyst Intern) who is then developed over time to the point where further speciality in other areas such as forensics or penetration testing can be evaluated.

This diploma will balance the academic understanding of cybersecurity with practical experience in the skills needed to be a junior cyber security analyst. It is proposed that the students complete at least half of their study within a practical setting or settings.

NZQA and ITP are inviting feedback on the draft cyber security qualification – you can complete the survey before 28 September.

The Taskforce is now working to identify and develop other pathways into the cyber security profession, an entrenched cyber security internship framework so that we can position graduates to fill in-demand cyber security jobs, and ways in which we can address diversity. We are also looking for opportunities to promote and raise awareness of cyber security careers. Please feel free to get in touch with us here.

[1] “The 2015 (ISC)2 Global Information Security Workforce Study”, Frost & Sullivan

[2] House of Lords Select Committee on Digital Skills, 2015

[3] “The 2017 Global Information Security Workforce Study: Women in Cybersecurity”, Frost & Sullivan

[4] “What Is the Impact of Gender Diversity on Technology Business Performance?”, National Centre for Women & Technology, 2014

[5] Forbes, “The Fast-Growing Job with A Huge Skills Gap: Cyber Security”