The cyber security skills gap is well known and documented; a recent Forbes article predicts that the number of unfilled cyber security roles is going to increase by 20% to 1.8 million by 2022 . A 2017 study by the Information Security Systems Association (ISSA) and the Enterprise Strategy Group (ESG)  found that 70% of survey respondents believe that the skills gap has had an impact on their businesses, furthermore that the top two contributing factors to security incidents were:
The lack of suitably trained personnel to meet the growing demand has also led to the UK Parliament convening an inquiry  to specifically investigate the affect this is having on Critical National Infrastructure (CNI) suppliers and consequently the UK’s national security.
The root causes for the skills gap are too numerous and complex to detail fully in this short article. However, the key areas include lack of training, the perceived attractiveness of security roles, and the private-public sector pay gap. School and university education courses struggle to keep up with technological innovations whilst their staff are unable to keep up to date on current trends or develop new skills. The failure to recruit enough women and the negative perception that many employees have of security teams (a hinderance when things are going well and a scapegoat when things go wrong), significantly reduce the talent pool. Those cyber security professionals who are recruited and trained are in high demand: with private and public organisations competing amongst themselves and with each other to retain resources. In this environment, the public sector, unable to match private sector salaries, consistently misses out.
The UK Parliament report  identifies three types of security skill set:
Consultancies can play a key role in helping organisations bridge this skills gap. They offer solutions based on their wide knowledge of tools, technologies and sectors, as well as the wealth of knowledge they bring from their experience of delivering projects. Consultants can deploy at speed and are not caught up in the business-as-usual tasks that full-time staff must deliver. Moreover, they can be brought in to bridge the specific skills gap and are skilled in change management. All of these advantages have the added business benefits of value for money, projects delivered on time and in budget. On longer term projects or portfolios of work, the consultancy additionally becomes a trusted partner advising on delivery, best practice, innovative solutions and risk management; helping senior leaders make the best decisions. The 6point6 approach to programme and project delivery uses a blended model which takes the strongest elements of maturity and risk assessment to deliver clear priorities for the business that can be measured by the board.
Additionally, the client does not need to concern themselves with hiring the right staff with the appropriate skill set, dealing with issues such as long-term sickness, employees leaving or the training burden for full time staff as these are all managed by the consulting firm.
Security awareness training is also a large area for improvement. A report by the ICO  into reported incidents showed that in Q1 2019-2020 phishing incidents were still the highest cause of data breaches compared to other security incidents.
The skills gap is predicted to grow over the next two years, and most likely far beyond. Ultimately, this gap needs to reduce substantially in order to have a significant impact on the rate and scale of data breach occurrences. Businesses and organisations need to take a longer-term view and focus on hiring those who have the potential to become technical specialists and the leaders of the future. In the meantime, consultancies offer a reliable solution to the cyber skills gap. Although not a panacea, they can be used to great effect to supplement a company’s existing team and bring much needed skills and expertise to the business.
If you’d like any more information, please get in touch:
Jim Wright – [email protected]