Are We Looking for Unicorns

Are we looking for realistic combinations of skills and certifications in cyber security recruitment, or are we looking for mythical candidates who, like unicorns, simply don’t exist?

That was the question posed on Monday 8th February, Colin Robbins chair of CIISec Nottingham/Derby/Leicester Branch hosted a virtual Masterclass on “Certifications or Skills – Are We Looking for Unicorns?”. The event was well attended by 64 security professionals and generated a great question and answer session.

The speaker for the event was Steven Furnell – Professor of Cyber Security at the University of Nottingham and CIISec Board member.

Steve began the Masterclass with an overview of the current perceived challenge around the skills shortage within the Cyber Security profession. He then went on to discuss the following: What exactly are we asking for within roles regarding skills and certifications, and do we have an understanding of the business need and requirement when hiring people? A lack of understanding the skills and relevant certifications required to fill roles could potentially leave many organisations at risk as shown below:

(ISC)2 Cybersecurity Workforce Study 2020 found that 64% of organisations reported some level of skills shortage.

  • 42% characterised it as a slight shortage, 22% as significant;
  • 56% considered their organisation to be at moderate or extreme risk as a result;
  • The same study suggested a global skills gap of 3.12 million (a reduction from 4.07 million in 2019).

(Based on a global study with 3,790 industry respondents.)

Steve then went on to discuss the following points in more detail:

5 Key Takeaways

1) Who are we looking for?

Organisations require prospective employees to understand the task, have the ability to provide the solution and have the skills to do what is needed. But how do employers know what is relevant; how do we recognise those skills, and where do we find these people? It seems in order to find the right candidate most job adverts will take a multifaceted approach and ask for varying degree of skills and expertise regardless of the role that is being advertised. A sample of job adverts from earlier in the year saw an Information Security Consultant role requiring numerous certifications such as CISSP, GDPR, CCSP, PenTest+ to name a few, with a salary range of £30-99K. Whilst all of these certifications hold merit in their own right (apart from GDPR which doesn’t apply to individuals!), an employer is unlikely to find a single individual holding all of these specialised topics.

This is just one example of an organisation not perhaps fully understanding the right candidate proficiency which they require in order to meet their own business needs and objectives.

2) Are technical skills more important than non-technical?

There is no right or wrong answer to this question. Fundamentally it will be determined by the needs of the business. The drivers and studies of the market would indicate that employers lean heavily towards technical skills such as system, device and network security rather than managerial, interpersonal skills, human factors and physical protection.

This is further evidenced by referencing a survey carried out by Ipsos MORI in 2020 which concluded that the areas organisations lacked confidence were Technical Skills 17.7%, Communication 28% and Governance 40.3%. It is perhaps not surprising that confidence was lacking within the governance domain, when as shown above the key ask by employers recruiting for a role emphasised more on the need for technical ability.

3) Cybersecurity is a wide discipline that requires a holistic view

What practitioners perceive cybersecurity to be about and how to apply it varies significantly according to their security framework of reference. There are a number of frameworks used in businesses and this can be significant when recruiting into the role and will determine the right candidate for the organisation.

There is no right or wrong framework – they are all fit for various purposes. For example, ISO/IEC 27002 is a very different framework in comparison to the Cyber Security Body of Knowledge and a great example of one size does not fit all. This is also relevant to what certifications we are requiring from the individuals we recruit into our organisations. Maybe we should be asking, do their certifications align with the wider business objective and do they possess the skills to carry out the role effectively?

4) Are Graduates leaving education with skills aligned with the market needs?

When looking at 10 Master’s Degrees in the UK with the title of “Cyber Security” there were very different approaches taken.

Taking publicly available information from websites, the courses vary in topics and optionality. Some had a range of options to allow candidates to choose their own route through the course; others were fully mandated or only had limited options.

It is widely acknowledged that additional computing knowledge in areas such as programming, operating systems and networking can be relevant in supporting Cyber Security, is the amount of coverage devoted to non-cyber topics relevant to a degree specifically named as Cyber Security? What relevance will this have for employers, what will be the implications be for future vacancies, will graduates have topic knowledge and skills that are market aligned?

5) UK Cyber Security Council

Steve gave a brief overview of the UK Cyber Security Council that will be launching in April 2021. This has been a formation project running since late 2019 and CIISec has been one of the contributing partners. It involves mapping knowledge and skills to careers and qualifications. As described on the formation project website, the Council’s work will include “Mapping routes into and through cyber security professions, signposting essential skills, defining career pathways, removing complexity and demystifying the profession” and “establishing a professional qualification framework, mapping criteria to appropriate skills and qualifications including The Cyber Security Body of Knowledge (CyBOK)

It was great to hear that such positive inroads have been made in a possible solution to the challenges raised during the presentation.

Conclusion

We need to recruit intentionally and with clear definition of the skills and people we require. These absolutely must align with the needs and objectives of the business rather than just asking for a cocktail of certifications with the hope it covers some of the work that we do! We need a range of skills working together in an effective way. Finding the right people may always be a challenge, but we need to be looking for realistic hires and not the elusive Unicorns.

Suggested further reading:

https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/869506/Cyber_security_skills_report_in_the_UK_labour_market_2020.pdf

https://www.sciencedirect.com/science/article/abs/pii/S1361372320300178

 

 

Author Bio – Dawn O'Connor

Dawn O’Connor is an associate of Nexor with an extensive business background across different market sectors including retail, local and central government and law enforcement. She is a member of the Chartered Institute of Information Security and co-chairs the Nottingham/Derby/Leicester Branch.  Dawn holds the Certificate in Information Security Principles and the ISO 27001 Foundation certification.

 

Cyber Health Check Quiz

 Archives

Be the first to know about developments in secure information exchange