NCC have put up an interesting blog post on the challenge of developing the next generation of consultants (https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2019/january/developing-the-next-generation-of-cyber-risk-consultants/).
NCC’s experience goes to show how much creativity businesses are willing to commit to the task.
It’s widely recognised that the cyber security industry has some of the most critical talent shortages at the moment, and innovative thinking is needed to try to repair the shortfall of consultants available for hire.
The first challenge is the scarcity of resource. Many more vacancies than applicants is the typical headline. This is where most media outlets and magazine reviews end their scrutiny, but underneath this there are some structural topics worthy of further thought.
The most significant is what I would call the “experience levels” problem. The cyber security industry has inherited its pool of candidates from Information Assurance and Information Security fields (setting aside the debate over whether cyber security = information security), established for some time and before cyber security was driven up in priority in the recent decade. This has given the field a large number of highly-experienced professionals, now at the pinnacle of their career, whose succession has to be planned for by organisations. These are the kinds of specialists who have an seemingly infinite understanding of the field, can effortlessly navigate complex waters, and provide the backbone of corporate cyber security programmes. This has led to a high number of experienced practitioners, but very few (hardly any) mid-career experts, and until recently hardly any early-career entrants. Inevitably, this will lead to a further challenge in the coming decade as a number of highly experienced practitioners retire from the profession or are promoted up to CISO roles to focus on strategy.
The second problem is building the “pipeline of talent”. Building the pipeline of talent has been the societal and industrial response to the perceived staffing challenges in the profession. Most approaches are focused almost exclusively on the development of cyber security degree programmes in universities, and indeed universities have turbo-charged their efforts there. The efforts are helpful, and the numbers look good on paper. But it will not deliver the transformational change needed by the sector–for the very reason that in terms of experience, it will simply address the shortfall in early-career professionals but will not address the mid-career experience shortfall or the pending highly-experienced vaccum.
What this means, broadly, in terms of the three experience levels is something like this:
- Early-career professionals are growing in number, due to training initiatives in universities. This is good, and to be applauded. But early-career professionals need mid-career managers and team leaders to direct their efforts. Despite the intense coverage in media and press, this is really Priority #3 – the solutions is being addressed and is being managed.
- Mid-career professionals remain incredibly scarce. These practitioners are looked on to lead teams and occupy mid-level management roles, and use their years of experience to provide a sensible and measured contribution to management activities. It will be a decade or more before the growth at the early-career level begins to expand the field of candidates for these roles, and this remains an acute problem for employers. This is therefore Priority #1.
- Highly-experienced, late-career professionals are in the market, but the pool of candidates is dropping drastically. In 5-10 years’ time, this will become something of a predicament for the domain, as cyber threats continue to expand in number and sophistication. The loss of knowledge will be a particular difficulty to overcome. This is Priority #2, and will become Priority #1 in the next decade.
It appears to me, based on this relatively simple breakdown, that the talent challenges for the field will not be overcome for two to three decades. Within the next 5-10 years we will see the impact of losing highly-experienced leaders.
Of course, companies have not stayed still and in practice what has happened in many is that cyber security professional vacancies have been staffed up by personnel switching from other, related areas. This is a form of solution, but the lack of a systematic, naturally-progressing career path will inevitably lead to some challenges further down the line. This is perhaps where initiatives like NCC’s has a lot of merit.
There are lots of other challenges to consider as well, reflected in the broader computing field. The lack of interest in STEM subjects at university has been a particular problem for many decades now. This has probably fuelled the interest in cyber-security specific degree programmes at universities, which integrate non-STEM content into a STEM core, which is obviously more appealing than a pure-STEM degree.
In some ways cyber-security programmes have side-stepped the problem. But, promoting interest in STEM careers remains challenging, and this underlying difficulty will complicate the development of talent in cyber security for decades to come. Diversity is also a goal that many in STEM and general engineering have advocated. For example, promoting technical and engineering careers for women. This is yet another challenge within the broader computing field that will complicate the development of the profession.
Efforts by companies to develop and share their structured programmes, like NCC’s, will help navigate this incredibly complicated landscape. To me there does not appear to be a single, straightforward solution, but by sharing and communicating efforts, progress will be made.
This and other internal efforts in companies underlines the need for substantial training budgets within cyber security teams and functions. This is perhaps the most tangible step businesses can take at the moment, and will be a key determinant for applicants when selecting what is likely to be multiple, competing opportunities.