UK's persistent lack of qualified cyber experts poses a threat to national security
In a bid to address the chronic shortage of cybersecurity professionals and strengthen the UK's digital resilience, Dr. Ismini Vasileiou, an Associate Professor at De Montfort University, has proposed a series of steps. These steps aim to create a more structured, inclusive, and clearly defined cybersecurity training and career development framework in the UK.
The first step is the establishment of a cyber skills taxonomy taskforce. The Department for Science, Innovation and Technology (DSIT) should create this taskforce to develop a clear taxonomy. This taxonomy will define cybersecurity roles, career pathways, and skill levels, thereby clarifying what training is needed and the jobs it will lead to.
A national governance body is also needed to oversee and implement the cyber skills taxonomy, serving as a national delivery body and ensuring consistency and coordination across the country.
Employer incentives, such as grants or best-practice endorsements, are called for to motivate employers to adopt a standardized approach to cybersecurity recruitment with clear role definitions.
The report also emphasizes the need to shift recruitment practices. This means moving away from outdated recruitment proxies, such as relying solely on certifications, and promoting inclusive, skills-based role definitions instead.
Addressing the mismatch between government digital industrial ambitions and current educational outputs is another crucial aspect. The goal is to create a future-focused cyber skills pipeline supporting the UK's 21st-century digital economy.
The paper also highlights the difficulty of joining the industry at graduate level and calls for more apprenticeships to help aspiring security professionals develop applicable skills. This, coupled with identifying the necessary skills so that would-be security staff get the right training, could help bridge the skills gap.
The disconnect between the types of skills being taught versus those needed, particularly at mid-level and specialist tiers, is a significant concern. The report warns that learning AI fundamentals is crucial but not sufficient, underscoring the need for a comprehensive approach to cybersecurity training.
The UK's chronic shortage of cyber professionals is a critical situation, particularly for Small and Medium Enterprises (SMEs), which are the backbone of the UK economy. The report suggests that part of the problem is "misaligned supply and demand" in the cybersecurity sector: universities and training networks produce graduates annually, yet employers still report shortages.
The use of AI by threat actors to fine-tune capabilities and accelerate attacks is another concern. Recent cyber-attacks on M&S and Co-op demonstrate the growing threat to UK citizens and businesses. The paper adds that AI is a socio-technical issue requiring interdisciplinary thinking.
A report from Fortinet suggests as many as 80% of data breaches are caused by lackluster capabilities in cybersecurity. The paper's recommendations, if implemented, could help strengthen the UK's cybersecurity posture and protect its digital economy.