Cyber Security Skills Gap: What Skills Gap?

The Cyber Security Industry needs more talent; but at which level and to do what? Here is a theme that has cyber security experts gripped: There is an enormous problem of skills across the cyber security industry. Not enough professionals. Hundreds of thousands of jobs remaining unfilled. It’s a massive challenge and a key to the evolution of the industry. A fundamental factor preventing progress.

But frankly, what is all this about? What are those jobs? What would be their purpose?

You don’t have to read much between the lines to see that most of the skills gap message emanates from the incestuous eco-system formed by large consultancies, their clients in large established security teams in large organisations, and the recruitment firms servicing both.

Most of the language used when describing the missing skills is heavily technical in nature and points towards the same IT security space: Pen testers, SOC engineers, threat analysts etc… ; as many jobs supporting large tech platforms built on tech products; and behind that, the same – misleading – message from the tech industry, that all this is a just technical problem that can be fixed by buying more tech …

So it becomes apparent pretty quickly that the “cyber skills gap” story dominating the headlines is just another aspect to an old theme: The cyber security industry’s obsession with finding technical and tactical silver bullets, to a problem that is in too many cases rooted in decades of adverse prioritisation, complacency, a “tick-in-the-box” culture around compliance and – fundamentally – poor corporate governance.

I am not in denial about the threats and I fully appreciate the challenges faced by large global firms and government agencies in dealing with cyber defence, but when talking to CISOs and senior executives in smaller firms, and those truly trying to create a long-term transformational dynamic around cyber security, it is a very different skills gap we hear about.

What they crave is management experience, personal gravitas, political acumen and internal business focus – coupled with strong control-mindedness and a degree of cyber knowledge of course – because this is the true combination that drives change.

Those are attributes that you develop through real field experience. You are not likely to find them in junior consultants or ex-auditors. And few successful IT executives are likely to follow that path, because the whole IT industry is measuring success in terms of delivery, functionality and performance, not in terms of controls or security; and therefore, IT security has never been – and will not be for the short-term – a rewarding path to the top for most IT executives.

So there is indeed a skills gap in the security management space, and a pretty serious one. And this is the real big story around missing cyber skills.

To fix this, you have to make control functions attractive to increase the pool of younger professionals who want to get involved in them, learn and build a career out of it, both within and outside IT.

It requires credible board-level support and engagement, a credible regime of tangible incentives, both in terms of financial rewards and training, and credible role models and career success stories. There may also be a role for business schools to play to start shifting the narrative around cybersecurity leadership.

It can be done in firms – large and small – but it becomes a true matter of corporate culture, and in many cases, a matter of real transformation.