Fixing the cybersecurity skills shortage in the UK
Attitudes towards security continue to harden - with terrorism, geopolitical uncertainty and cyber threats now joining over-regulation in the top four threats to business growth prospects in PwC’s 2018 CEO survey. This shift is reflected by the language now used publicly – by government and business leaders alike – as highlighted by the UK Defence Minister recently confirming that sponsored cyber-attacks on the UK’s infrastructure could cause economic chaos. But after endemic under-investment in skills development for over a decade, Paul German, CEO, Certes Networks, explains it is time for a significant change in approach to safeguard business.
Supply versus Demand
Organisations now recognise the need to invest heavily in security. Yet when day rates for cybersecurity experts hit £1,400, the industry clearly has a massive problem regarding supply and demand. And while it is fair to say that the escalation in cyber threats has created an unprecedented need for individuals with skills, talent and experience, it is chronic under-investment in training and education that is at the heart of the skills shortage problem.
The UK used to lead the world in cybersecurity expertise. Now, Government representatives are travelling to countries across the globe – including some that are flagged as ‘questionable’ by our security services - in the hope of attracting essential start-up expertise and skills. And with the proposed National College of Cyber Security sited at Bletchley Park now not likely to open before 2019, home-grown talent is simply not being developed.
So what has gone wrong? The ramifications of the massive spike in outsourcing a decade ago are now being felt. When huge swathes of technical experts were ‘TUPE’d’ across from public sector to private sector organisations, a history of training, education and skills development was lost. These individuals are now leaving the industry in swathes and their skills have never been replaced. The result is escalating demand and a pool of resources that continues to shrink by the day.
There are so many flaws in the current model. The industry is frankly appalling at selling itself; at inspiring the next generation by demonstrating that IT can be an exciting and financially rewarding career. In addition, training has over the past decade become almost exclusively product focused – with vendor ‘academies’ teaching individuals about specific product sets, rather than security framework requirements, a move that has further weakened the depth of expertise offered by any one individual.
This approach is simply not sustainable – for IT providers or organisations desperate to access essential cybersecurity skills. Right now, the small pool of talent is being touted around at ever higher rates by recruitment firms, making essential cybersecurity unaffordable for all but the largest and most successful businesses.
The only way organisations will be able to address the huge demand for cybersecurity skills will be to take control and invest. And that means shifting away from outsourcing and a reliance upon expensive contractors towards re-insourcing key services, including security: the onus is now on companies to build up their own expertise in-house.
At the same time, the IT industry needs to step up and invest in training – true, agnostic training, not product-specific, ersatz sales education. If the next generation of cybersecurity individuals are going to be able to make the right decisions, they need an excellent grounding in security – from compliance to standards, including GDPR, PCI and ISO 27001. It is only with that in-depth understanding of end-to-end security issues that individuals will be able to create a robust security infrastructure supported by the right product choices.
From vendor-agnostic training to a commitment to inspiring the next generation to join the industry in the first place, everyone demanding a solution to cybersecurity skills shortages today needs to step up and become part of the solution – not the problem.
SAS: Improving the British Army’s decision making with data
SAS’ long-standing relationship with the British Army is built on mutual respect and grounded by a reciprocal understanding of each other’s capabilities, strengths, and weaknesses. Roderick Crawford, VP and Country GM for SAS UKI, states that the company’s thorough grasp of the defence sector makes it an ideal partner for the Army as it undergoes its own digital transformation.
“Major General Jon Cole told us that he wanted to enable better, faster decision-making in order to improve operational efficiency,” he explains. Therefore, SAS’ task was to help the British Army realise the “significant potential” of data through the use of artificial intelligence (AI) to automate tasks and conduct complex analysis.
In 2020, the Army invested in the SAS ‘Viya platform’ as an overture to embarking on its new digital roadmap. The goal was to deliver a new way of working that enabled agility, flexibility, faster deployment, and reduced risk and cost: “SAS put a commercial framework in place to free the Army of limits in terms of their access to our tech capabilities.”
Doing so was important not just in terms of facilitating faster innovation but also, in Crawford’s words, to “connect the unconnected.” This means structuring data in a simultaneously secure and accessible manner for all skill levels, from analysts to data engineers and military commanders. The result is analytics and decision-making that drive innovation and increase collaboration.
Crawford also highlights the importance of the SAS platform’s open nature: “General Cole was very clear that the Army wanted a way to work with other data and analytics tools such as Python. We allow them to do that, but with improved governance and faster delivery capabilities.”
SAS realises that collaboration is at the heart of a strong partnership and has been closely developing a long-term roadmap with the Army. “Although we're separate organisations, we come together to work effectively as one,” says Crawford. “Companies usually find it very easy to partner with SAS because we're a very open, honest, and people-based business by nature.”
With digital technology itself changing with great regularity, it’s safe to imagine that SAS’ own relationship with the Army will become even closer and more diverse. As SAS assists it in enhancing its operational readiness and providing its commanders with a secure view of key data points, Crawford is certain that the company will have a continually valuable role to play.
“As warfare moves into what we might call ‘the grey-zone’, the need to understand, decide, and act on complex information streams and diverse sources has never been more important. AI, computer vision and natural language processing are technologies that we hope to exploit over the next three to five years in conjunction with the Army.”
Fundamentally, data analytics is a tool for gaining valuable insights and expediting the delivery of outcomes. The goal of the two parties’ partnership, concludes Crawford, will be to reach the point where both access to data and decision-making can be performed qualitatively and in real time.
“SAS is absolutely delighted to have this relationship with the British Army, and across the MOD. It’s a great privilege to be part of the armed forces covenant.”