Bridging the cyber skills gap
June 2020
Erika Lewis, Department for Digital, Culture, Media and Sport
Jayesh Navin Shah, Ipsos MORI
Sam Donaldson, Perspective Economics
David Crozier, CSIT
Professor Steven Furnell, University of Plymouth
CIISec masterclass: bridging the skills gap | June 2020 | Version 1 | PUBLIC
Content analysis of cyber security job postings
• 393,257 UK job postings on the Burning Glass database
• Covers 3 years from Sep 2016 to Aug 2019
• Both core cyber roles and cyber-enabled roles
Representative surveys of cyber sector firms
• c.1,200 UK firms in sector
• Data collected across 2 telephone surveys
• 262 firms surveyed from May to Jun 2019
• 205 firms from Aug to Oct 2019
Qualitative interviews with cyber firms and team heads
• From Jun to Sep 2019
• 7 cyber training providers
• 15 cyber team heads in very large organisations
• 8 skills and recruitment leads in cyber sector firms
Skills demand
Job titles often don’t define cyber roles well, and they mask a range of wider jobs that also need cyber skills
Source: Burning Glass Technologies
Base for chart: 105,194 core cyber job postings from Sep 2016 to Aug 2019
Job postings over 3 years:
• 105,194 core cyber jobs (most common job titles in chart)
• 288,063 cyber-enabled jobs that need technical cyber skills
Chart job titles: Security Engineer; Security Architect; Security Consultant; Security Manager; Security Analyst; Information Security Manager; Information Security Analyst; Network Engineer; IT Security Analyst; Information Security Consultant; Network Security Engineer; Cyber Security Engineer; Security Specialist; Trainee Cyber Security; Network Architect
Chart values: 10%, 7%, 6%, 5%, 5%, 4%, 4%, 3%, 2%, 2%, 2%, 2%, 2%, 2%, 2%
A relative reluctance to go for entry level staff or those entering core cyber roles from other professions
Source: Burning Glass Technologies
Bases (job postings that request specific experience): 16,044/55,915 core/cyber-enabled job postings from Sep 2016 to Aug 2019
Years of experience demanded:
• Core: 0 to 2 years 30%; 3 to 5 years 52%; 6 to 8 years 8%; 9+ years 9%
• Cyber-enabled: 0 to 2 years 41%; 3 to 5 years 46%; 6 to 8 years 5%; 9+ years 7%
Growing clusters of cyber jobs across regions
Source: Burning Glass Technologies
Base: 24,167 core cyber job postings from Sep 2018 to Aug 2019
Top 15 in terms of absolute job postings
i. London (8,474)
ii. Birmingham (1,360)
iii. Manchester (1,164)
iv. Edinburgh (684)
v. Bristol (682)
vi. Reading (624)
vii. Leeds (534)
viii. Belfast (529)
ix. Slough and Heathrow (398)
x. Glasgow (394)
xi. Cambridge (381)
xii. Coventry (371)
xiii. Luton (349)
xiv. Basingstoke (332)
xv. Southampton (302)
Top 15 in terms of Location Quotient
1. Basingstoke (2.5)
2. Reading (2.2)
3. Edinburgh (2.0)
4. London (1.9)
5. Birmingham (1.8)
6. Bristol (1.5)
7. Cheltenham (1.5)
8. Leamington Spa (1.4)
9. Leeds (1.3)
10. Coventry (1.3)
11. Milton Keynes (1.3)
12. Gloucester (1.3)
13. Belfast (1.2)
14. Worcester and Kidderminster (1.1)
15. Salisbury (1.1)
Location Quotient key: High (2.5), Low (0)
Skills gaps
There is a skills gap, and it affects several specialist cyber security roles
Bases: 262 cyber sector businesses; 169 identifying any skills gap
% of cyber firms saying the following prevent them meeting business goals:
• 64%: job applicants/existing employees lacking necessary technical skills
• 28%: employees lacking communication, leadership or management skills
Chart categories: Business resilience; Assurance, audits, compliance or testing; Threat assessment or information risk management; Cyber security research; Implementing secure systems; Cyber security governance and management; Incident management, investigation or digital forensics; Operational security management
Chart values: 44%, 43%, 43%, 42%, 40%, 36%, 34%, 25%
Employers found it challenging to get people with the holistic skillset they were after
• Talk credibly across multiple technical areas
• Work with multiple tools and learn new tools quickly
• Mix of Governance, Regulation and Compliance (GRC) knowledge and technical skills
• Ability to implement technical skills in a business context
• Communication and client handling skills
“Finding people who have the broad brush approach and a holistic understanding of cyber security is challenging. Cyber security can mean a lot of different things for different clients.”
Cyber sector business
Training and qualifications
The plethora of technical qualifications makes the training and qualifications market hard to navigate
Source: Burning Glass Technologies
Base: 20,774 core cyber job postings from Sep 2016 to Aug 2019 that request specific certifications
Chart: % of job postings asking for these qualifications, among those demanding any specific qualification
Chart qualifications: CISSP; CCNP; CCNA; CISM; CISA; CCIE; MCSE; CompTIA Security+; GCIH; CCDP; GCIA; CEH
Chart values: 37%, 27%, 22%, 18%, 9%, 9%, 5%, 4%, 4%, 4%, 3%, 3%
“We have a lot of people who have qualifications but have no clue what they are talking about.”
Cyber lead in large organisation
Employers wanted more guidance and signposting for qualifications and more flexible training options
Further guidance linking qualifications to career pathways would be helpful for:
• Employers writing job descriptions
• New entrants and those transitioning to cyber roles (e.g. IT professionals)
• Recruitment agents
Employers faced various challenges with current training provision:
• Training not always accessible for diverse groups
• Courses perceived as overly theoretical or academic
• Training does not routinely build soft skills
• Variable quality of vendor-specific accredited training
Apprenticeship and placement schemes can be more flexible:
• Perceived lack of flexibility in current apprenticeship frameworks/standards
• Lack of time or experienced staff to train career starters
• Longer term placements as part of university courses
• Universities and schools could give better career guidance
Recruitment and diversity
Vacancies for cyber roles have been hard to fill for various reasons, but mainly a lack of technical skills
Bases: 205 cyber sector businesses; 79 that have had hard-to-fill vacancies
35% of all vacancies for cyber roles in the last three years have been considered “hard-to-fill”
Chart categories: Lack of soft skills; Lack of technical skills or knowledge; Candidates lacking required attitude or motivation; Lack of candidates; Low pay or benefits; Location
Chart values: 43%, 22%, 16%, 16%, 13%, 10%
Employers highlighted several barriers and challenges they faced when it came to recruitment
• Skills are highly priced
• Lack of suitable applicants and some misrepresenting their abilities
• Mismatches between job roles, frameworks and qualifications
• Recruitment agents lack an understanding of roles and qualifications
“I got the perception that people were trying their luck, jumping on the cyber security bandwagon with little experience and demanding a good salary.”
Cyber lead in large organisation
Cyber sector firms are less gender diverse than the rest of the UK’s wider digital sector
Bases: 198 cyber sector businesses for gender estimate; 183 for ethnicity estimate; 163 for neurodiversity estimate (excluding those that were not able to answer these questions, or refused)
Gender and ethnicity comparison data taken from DCMS Sectors Economic Estimates 2018.
• Female: cyber sector workforce 15%; digital sector workforce 28%; all UK workforce 47%
• Ethnic minorities: cyber sector workforce 16%; digital sector workforce 17%; all UK workforce 12%
• Neurodivergent: cyber sector workforce 9%
Diversity was broadly considered important but often overlooked as a way to increase the recruitment pool
• Generally seen as beneficial
• Sometimes viewed as beyond their control
• Perceived mostly in terms of soft benefits
• Diversity initiatives were sometimes limited in scope and focus
“I can only pick from the CVs that are put in front of me.”
Cyber sector business
“I don’t know what we can do really apart from attracting more and more people to the positions.”
Cyber lead in large organisation
Summing up
• A complex labour market with strong regional variation in demand
• Skills gaps across multiple technical areas as well as soft skills gaps
• A strong desire for job applicants with an holistic mix of skills
• The quality of courses, and requirements for different roles, often not clear
• More diversity not always acknowledged as a way to widen the recruitment pool
• It is unclear how this labour market will adapt to the coronavirus pandemic
Thank you
jayesh.shah@ipsos.com
sd@perspectiveeconomics.com
d.crozier@qub.ac.uk
s.furnell@plymouth.ac.uk

Solving the Cyber Security Skills Gap with DCMS