Originally posted on PrivSec Report
Amid the furore around a withdrawn UK government-backed cyber skills advertisement this week, Privsec Report takes a look at the messaging and what it says about cyber security recruitment.
Earlier this year, the UK government published the results of research conducted on behalf of the Department for Digital, Culture, Media and Sport (DCMS) that laid bare the skills shortage facing the cyber security sector in the UK.
The research highlighted a basic skills gap in 48% of the businesses surveyed – such as setting up firewalls, storing or transferring personal data, and finding and removing malware – and a more advanced skills gap in 30% of companies – in areas like penetration testing, forensic analysis and security architecture.
Two-thirds (64%) of cyber firms reported an issue in sourcing technical cyber security skills, either among existing staff or among job applicants, with a quarter (25%) admitting that these skills gaps had impeded achieving business goals.
But the skills gap also extended to non-technical skills, with 29% of cyber companies revealing that candidates were deficient in skills such as communication, leadership or management skills. 28% even said that their existing employees fell into this category.
All of this may explain the thinking behind a recent government-backed advertisement that was widely criticised and withdrawn this week. The advertisement which formed part of the UK government’s 2019 “Rethink. Reskill. Reboot” campaign, intended to encourage people into a career in tech. The ad was pilloried on social media by arts professionals who believed the image, featuring a ballerina tying her shoes with the slogan “Fatima’s next job could be in cyber (she just doesn’t know it yet)”, was targeting them amid the recent squeeze on arts organisations during the pandemic.
With the Covid-19 pandemic cutting a swathe through the employment market across the globe, the UK government has encouraged workers in threatened sectors to consider retraining, and has a tool to help make choices – an online skills assessment test. The test asks candidates questions about their preferred style and ways of working and matches them with potential sectors.
So could the twin woes of Covid-19 and a skills shortage actually benefit the cyber sector? We asked our cyber adviser, Dr Emma Osborn, Director of OCSRC Ltd, to take the test and tell us what she thought.
The test identified Dr Osborn as “a creative person” who enjoyed “coming up with new ways of doing things”, who likes “dealing with complicated problems or working with numbers”, is “sociable” and finds it “easy to understand people”.
Dr Osborn was fairly happy with this assessment: “I’m someone with multiple degrees in a numerical subject who now does research into the human factors of cyber security. Creative problem solving that understands how people behave is at the heart of what I do. The test is doing an okay job of profiling who I am.”
But she identified a deeper problem with the rest of the test, which perhaps hints at a broader issue within the job market (and within the cyber security sector) – not only that of skills, but of perceptions.
“The dependence on stereotypes of what roles are and who might have an aptitude means that, yes, they’re giving me some suggestions to think outside of the box. However, reinforcing stereotypes also reduces the diversity of people applying to work in an industry, which damages the efficacy of the cyber function by not supplying enough varied perspectives to effectively identify risks or problem solve.”
The skills test picked out a top three suggestions for Osborn – sports and leisure, creative and media and construction.
“There’s a certain amount of irony in someone already working in cyber security being told that becoming a ballerina might be a viable option (that feels like it could be creative or sports?!)”, she says.
But wasn’t the ad right to open up the cyber profession to people from a diversity of backgrounds? The field certainly suffers from a diversity defecit – a 2018 survey by US-based cyber security association (ISC)2 found that just 24% of the cyber security workforce surveyed in North America, Latin America, and Asia-Pacific was female, although it reported that the picture was improving.
Cybersecurity specialist Anna Russell, EMEA VP at comforte AG, commented:
“The gender gap has been closing within all roles – technical/marketing/sales/support/channel – within the cyber security industry, but there is definitely room for the gap to get smaller. The gender gap is extremely important to create healthy and diverse places of work. There have been many studies and factual reports on the more diverse your teams are in your business the more likely your employees will be happier and therefor more productive.”
Diversity goes beyond the gender gap, to diversity of thought and skills, but some feel the ballerina ad was in danger of obfuscating the recruitment message by unhelpfully simplifying the skills gap.
Charlee Ryman, Director of Recruitment at specialist Cyber Threat Intelligence recruitment firm
Trident Search, said: “We feel this advert does not clearly highlight the attributes needed to be successful in starting a successful a career in cyber security. You can look at it one of two ways; either anyone can land a career in cyber, or it takes a dedicated person, who is at the top of their game, to break into the industry. It is not clear what the message is meant to be.
“It must be understood that professionals within the industry have spent many years honing their skills, following the evolution of new technologies and sometimes justifying their existence to their colleagues, whilst working on incidents for 48 hours straight. CISOs have often fought hard to get budget for additional headcount. So, you can understand why there would be backlash over this advert.”
Despite agreeing there was clear potential for professionals in other fields to enter the cyber field, Ryman felt that the ad trivialised the hard work and dedication behind a cyber career.
“We have seen graduates or potential “ballerinas” who have studied day and night, taught themselves to code and the methodologies associated with cyber, go on to become fantastic advocates of the industry. But make no mistake, it is an incredibly competitive field; this advert does not seem to highlight this.
“Cyber can be a very fast-paced environment, which can financially reward practitioners a lot quicker than many other careers. But if you look at the individuals who have set the bar as high as it is; they have sacrificed.”
Of course, ballerinas would be familiar with a high bar (geddit?) – and sacrifice. And Ryman worried that the backlash to the ad might actually deter people from entering the industry if it became perceived as a hostile environment – but that it is “best to set people’s expectations at the right level.”
“In an ideal world, where the security industry is a little more mature and clients or CISOs can afford to take a little more risk by bringing in people to train them up on apprenticeship type schemes, this may work. But that is not the industry today. The harsh reality is that CISOs and boards cannot take that risk. The driving force behind hiring in security is to decrease risk. Employers need experience, they need people who can deal with stakeholders, they need people who understand the latest technologies and threat actors to protect their business. We are still in a time where hiring managers are fighting to build their teams, and they cannot justify bringing in someone who doesn’t have the experience or aptitude yet.”
He adds: “Depending on how you look at this advert, I think the consensus is that they could have done better. However, you can understand the reasoning behind it. You need to cast your net wide to attract the best talent. You need to have a strong and diverse work force with different cultures to bounce ideas off each other. You do also need diversity of thought; you cannot have a strong team if they all look and think the same. This helps an organisation stay innovative, secure, and ahead of potential attackers.”
Becs Roycroft, Senior Director of Global Emerging Talent and Reskill Operations at technology training academy and talent provider mthree, takes a slightly more sympathetic view of the advert given the “profound” skills gap, in which “talent acquisition is only going to become more challenging in the near future as the market continues to evolve.”
She says: “It’s easy to understand the recent controversy surrounding the 2019 advert featuring a ballerina from the government’s ‘Rethink, Reskill, Reboot’ campaign, given the current concerns for the future of the arts. However, the promotion of careers in cyber, particularly to those who do not fit the typical profile of a tech specialist, is actually incredibly important.”
Roycroft believes that “strategic reskilling” programmes could be the answer: by re-training existing employees for cyber roles, lowering the costs of external recruitment drives.
“Investing in reskilling programmes does not just provide a sustainable talent pipeline for businesses, it also demonstrates to those outside of the business that there is opportunity for progression and variation within the company too.”
Roycroft also cites reskilling as solution to the lack of diversity in the tech industry, with the particular underrepresentation of women and certain ethnic minorities:
“This may partly be because not enough people from these groups are being introduced to the profession at a young age, and therefore do not have the required qualifications. Reskilling is a great way for businesses to reach these people later in life and work to improve diversity from the ground up.”
Back to the UK government’s skills test, and scrolling down the list of seven other careers suggestions for Dr Emma Osborn, she eventually found IT and technology.
“If they’re eager to get people into sectors with skills gaps, why were sports, arts, hospitality and retail higher in the list than tech, healthcare and emergency services?!” she wonders.
“Was the reason that IT and tech wasn’t at the top of the list because whoever wrote the quiz thinks people don’t need social skills to work in tech? It’d be fascinating to see the decision engine behind the survey…”
It seems that messaging from the UK government around skills – including in cyber security – has not always hit the mark and the concern maybe that by arguably reinforcing stereotypes and creating false expectations around the career options for those with skills outside the cyber “box”, the skills gap might remain unfilled for some time.