Article by Amanda Finch, CEO, Chartered Institute of Information Security
Amanda Finch explains why it’s never been a more important time to showcase the range of opportunities in cyber to increase diversity and professionalism in the industry.
The cybersecurity industry is, unfortunately, suffering with an image problem. Often perceived as a dry, technical career and stereotyped as a “boys only club”, in reality cybersecurity should suit almost anyone. The industry is looking to encourage a diverse intake of fresh blood, ranging from graduates to those looking for a mid-career change. Not all of these will have a background in cyber, or even technology.
Cybersecurity is much broader than a purely technical career – it demands social, managerial, investigative and even financial capabilities. In CIISec’s latest survey of cyber security workers, 57% said analytic, thinking and problem-solving skills were the most important in security – compared to 18% saying technical skills. Moreover, many individuals will have already developed the skills needed in security in other careers, from attention to detail and identifying unusual patterns of behaviour, to the “soft” skills needed to drive security awareness in others.
For example, communication and education are key in a cyber career. If security teams are going to align with the wider organisation, then they must be able to understand and properly communicate business risk; including levels of risk, what risks are and aren’t acceptable, and how best to mitigate them. They will then have to coach employees to reduce, recognise and react to threats, including staging mock attacks to make the risks clear. These are skills that could just as easily be developed in any number of careers.
Even on the technical side, there are a huge variety of roles for prospective employees to choose from. Some might focus on forensics work, unpicking what happened during a serious incident to help defenders prevent it from occurring again. Others may spend more time on incident detection and response. Meanwhile, others may focus on preventative measures such as patching vulnerable machines.
Opportunities for Everyone
The bottom line is whatever your skills, there is almost certainly a career for you in the cybersecurity sector. And it’s important that the industry finds a way to showcase the opportunities that are out there for everyone.
The industry certainly needs fresh talent as it is suffering with an ongoing skills shortage. The global shortfall in professionals is decreasing, but is still estimated at around 2.7 million, including 33,000 in the UK. Without enough security practitioners in place, organisations are likely to face increased cyber and business risk. That could translate directly into serious breaches, service outages, or disruption to much-needed digital transformation projects. In a recent government report, 13% of organisations say cyber skills gaps among job applicants have prevented them from achieving business goals to a “great extent”.
Given cyber security’s role as a business-critical function that is comparatively well-paying and recession-proof – on top of the industry skills shortage meaning there are plenty of openings – it is an increasingly attractive career. There’s not only more variety of roles, but there are also more opportunities to advance.
There’s even a strong cyber element emerging in sectors like law enforcement, where digital is one of the fastest-growing vectors for criminal activity. Organisations like the Institute of Cyber Digital Investigation Professionals (ICDIP) are a great place to start looking for more information about this burgeoning field.
Finding the Right Avenue
So how do you kick start a career in cyber? Contrary to popular belief, it doesn’t have to begin with a sector-specific qualification. However, many do choose to begin their journey with education. That could be a Computer Science A-Level. It could be a university degree. Or it could be something like CIISec’s new Cyber Extended Project Qualification (CyberEPQ), which plugs the gap between GCSE Computer Studies and a full-blown degree. The CyberEPQ gives anyone from 14 years old the best possible opportunity to kick-start their cyber security career, integrating with CIISec’s broader development programmes to provide a clear pathway to progress.
There are also a range of apprenticeships on offer, as well as bootcamps and other vocational courses run by organisations passionate about persuading professionals to give cyber a go. Many focus on currently underrepresented groups, like Code First Girls, and/or have links to local employers to accelerate the transition into a new career.
Showcasing the Opportunities
Despite the different routes into the industry, the cyber security industry needs to advertise itself better to overcome its ‘boys club’ image problem. This should involve showing the opportunities, excitement and career routes available to anyone from any background at any level – from school to university, and then at different stages of their career. Without this image overhaul, cyber security risks losing out on the best and brightest talent for other, more attractive or widely understood sectors, such as data analytics.
It’s important for the industry to do more to attract candidates from non[1]technical and non-cyber backgrounds, and make sure these people are actively encouraged to apply for roles. We need diversity in the industry – not just in terms of race, gender and neurodiversity but also in background, work experience and training. Ultimately, we need diversity in outlook: if the whole industry thinks in a monolithic way, it will be harder to spot and react to new threats, especially from increasingly creative adversaries.
There’s a largely untapped pool of talent who may have had roles in adjacent sectors like mathematics, engineering, compliance or risk management. But there are undoubtedly also many more who have what it takes to succeed in cyber, despite never having considered themselves a “techie.”
We will need this diversity to ensure the sector is able to adapt to the challenges of tomorrow, as cybersecurity evolves as an industry – embedding itself deeper into the fabric of business and society.
To attract a broader pool of talent, the industry needs to be able to show exactly what skills are needed for what roles, so people can see the opportunities available. Key to all this will be both organisations and individuals having a framework that can show exactly what skills are necessary to fulfil what roles. That’s what we’re trying to deliver at the CIISec. First, accredited qualifications so that candidates and employers are clear what technical and non-technical skills individuals possess. And second, frameworks with which to work out which skills are required for a specific role and level.
Doing this will help in hiring the right people for the job. However, it will also mean that the routes to progress through an individual’s career are clearly marked, ensuring that individuals who join the industry don’t, over time, become jaded or burnt out due to a lack of opportunity.
This is the path to professionalising the industry. And with the cybersecurity sector booming, it’s never been a better time to join.