Alarm cyber shortage

The gap between the demand and the supply of suitably skilled cyber security workers in the Critical National Infrastructure (CNI) sector is a cause for alarm, but the UK Government has no real sense of the scale of the problem or how to address it. So say parliamentarians of the Joint Committee on the National Security Strategy in a report.

Chair of the Joint Committee, Margaret Beckett, long-serving Labour Derby MP, said: “Our report reveals there is a real problem with the availability of people skilled in cyber security but a worrying lack of focus from the Government to address it. We’re not just talking about the ‘acute scarcity’ of technical experts which was reported to us; but also the much larger number of posts which require moderately specialist skills.

We found little to reassure us that Government has fully grasped the problem and is planning appropriately.

“We acknowledge that the cyber security profession is relatively new and still evolving and that the pace of change in technology may well outstrip the development of academic qualifications. However, we are calling on Government to work closely with industry and education to consider short-term demand as well as long-term planning. As a very first response, Government must work in close partnership with the CNI sector and providers to create a cyber security skills strategy to give clarity and direction. It is a pressing matter of national security to do so.”

The report points to a shortage in specialist skills and deep technical expertise; and a UK Government lack of urgency. On the establishing of a professional body for the cyber security industry, the report suggests that might, inadvertently, have the opposite effect of that intended, ‘leading instead to more rigid, formalised career pathways and industry structures that exclude candidates from more diverse backgrounds’.

On deeper causes and answers to the shortage, the report says: “Education is essential to creating and sustaining a pipeline of cyber security talent, although the time lag between an individual starting school and entering the workforce means that it is not sufficient in itself … We are concerned, however, that the scale of the Government’s efforts on education so far simply does not match the scale of demand.” Besides, as the report adds, technology ‘evolves too quickly for the education system to keep up’.

The report quoted one of its witnesses, Ruth Davis, Head of Commercial Strategy and Public Policy, BT Security, that BT Security has 97 apprentices and expects to recruit another 21 next year. It does not insist on a computer science qualification as a criterion for recruitment. Among other people that the committee heard from were Ciaran Martin, Chief Executive Officer, National Cyber Security Centre; and Peter Gibbons, Chief Security Officer, Network Rail.

Edgard Capdevielle, CEO of cyber security product company Nozomi Networks, said: “There is huge demand for cyber security professionals across the board, not just within our critical national infrastructure (CNI), with the world’s largest banks, energy companies, and governments all struggling to find people with the right skills set. The challenge is that, in such a competitive marketplace, cash rich entities can afford to offer lucrative packages while those operating with tighter profit margins, such as those in the energy and power sectors, will have to rely on alternative enticements.

“The problem within CNI is not just a lack of skilled individuals but also the complexity of these legacy infrastructures and complex industrial control systems (ICS). When you consider that a standard power plant will typically have an average 50,000 real-time processes, using standard networking tools to monitor, manage, and then troubleshoot is akin to mission impossible. The task of manually analyzing the resulting data would take a single skilled professional months, if not years, assuming it could even be done without errors!

“CNI operators should look to leverage automation provisioned by machine learning and artificial intelligence powered operational cyber-security solutions, capable of handling those manual processes that can no longer scale, to detect and mitigate attacks, improve and speed security processes while making staff more productive. These automated, real-time defences are likely to respond to potential threats faster, more efficiently and often beyond the capabilities of humans.”