Tackling the UK’s cybersecurity skills shortage
When I joined the newly formed Police Service of Scotland in 2014, the National Cyber Security Centre (NCSC) – the United Kingdom (UK) cybersecurity authority – did not yet exist. By the end of my policing career in 2023, I was working as a Detective in Police Scotland’s newly established national Cybercrime Investigations Unit.
Here, we regularly engaged with the NCSC and other international agencies to investigate the increasingly complex cybercrime landscape. The technological changes I witnessed during that decade were significant, with individuals and businesses becoming increasingly reliant on technology to improve their lives and productivity.
Technology is now integrated into everyday life and is essential to many of the services we use daily. This includes technology’s critical role in:
- The National Health Service (NHS)
- The economy and financial transactions
- Our critical national infrastructure (CNI) such as the electricity and gas power supply, and data centres (now categorised as CNI by the UK government)
- Our communication for social, employment and national security purposes
With this increased reliance on technology and 50% of UK businesses reporting they experienced some form of cybersecurity breach or attack in the last year, it is no surprise that cybersecurity and the closing of the current skills gap are priorities for the UK government.
Incident response consultant at Systal.
The Widening Gap
Studies by the International Information System Security Certification Consortium (ISC2), an international non-profit cybersecurity organization, have found that while the demand for cybersecurity professionals to secure organizations globally is increasing, the supply of qualified cybersecurity professionals is not. This disparity has resulted in a skills gap, which has been widening year on year since at least 2022 when the study began.
The UK is also impacted by this skills gap. Research by the Department for Science, Innovation & Technology estimates that approximately 637,000 (44%) of businesses have basic cybersecurity skills gaps, where employees responsible for cybersecurity lack the confidence to carry out basic tasks, and do not outsource these tasks. Furthermore, approximately 390,000 (23%) of UK businesses have gaps in advanced cybersecurity skills such as penetration testing and incident response, skills essential for organizations with more complex cybersecurity needs.
The Impact of the Skills Gap
Why does the skills gap matter? As we become increasingly reliant on technology in our everyday lives, the severity of the impact caused by a cybersecurity incident grows as well. In recent years, we have seen the disruption that cyberattacks can cause. Notable examples include:
- Royal Mail (2023): Disrupting international deliveries and costing £10 million.
- The British Library (2023): Costing an estimated £7 million, with impacted services still not fully restored.
Whilst the internet has revolutionized global communications, it has also allowed cybercriminals to launch attacks from almost anywhere in the world. Cybercrime has no borders, and a few lines of code sent across the world to a system with cybersecurity vulnerabilities can have significant consequences: a digital butterfly effect.
As technology is constantly evolving, so too are cybersecurity threats. Consider some technologies that have risen in popularity in the last decade:
- Cloud computing
- Cryptocurrency
- Artificial Intelligence (AI)
- Internet of Things (IoT) devices
All these technologies have been, and continue to be, exploited by cybercriminals.
Cybersecurity is a technological arms race between those seeking to breach networks and those seeking to defend them. With cybercriminals consistently learning new skills, it is essential for cybersecurity professionals to continually upskill in order to thwart attacks and protect data and IT infrastructure.
Strategies for Closing the Gap
Now that you know about the cybersecurity skills gap and the impact it will have, you might be asking how we can close the gap and secure the future of cybersecurity in the UK. Whilst there is no one-size-fits-all solution, several strategies can help:
Invest in People: One of the most important skills in cybersecurity is the ability to learn. Hiring and developing staff who are passionate about learning, and investing in training them, will help embed essential cybersecurity skills into your organization.
Education and Awareness: Ensuring that all staff understand basic cybersecurity concepts relevant to their role is essential to defending against threats. With 98% of cyberattacks relying on social engineering (exploiting the human element), employees must have at least a basic understanding of the risks and how to react.
Culture: Foster a culture where employees are encouraged and have opportunities to upskill and continuously learn. Employers that fail to prioritize upskilling their staff will risk leaving themselves vulnerable to emerging technologies and threats.
Upskilling Schemes: Identify and leverage cybersecurity upskilling schemes and grants offered by government and non-profit organizations. Examples include ISC2’s 1 Million Certified in Cybersecurity scheme and The Scottish Government’s Cybersecurity Graduate Apprenticeships scheme.
Look to the Future: Anticipate emerging technologies and threats and upskill your staff to meet the challenges presented. With new threats emerging daily, cybersecurity must be proactive rather than solely reactive.
Consider Outsourcing: It may be the case that your organization does not have sufficient internal cybersecurity skills at present. In this case, it may be practical to outsource cybersecurity tasks (even temporarily) as a cost-effective way to bring the required skills into your organization.
Balancing Innovation and Security
New technologies present new opportunities for organizations to increase productivity and improve customer and employee experiences. However, whilst innovative technologies can have significant benefits, they also present new cybersecurity risks, and ignoring these risks can have devastating consequences.
When considering implementing new technologies, critically assess the risks they introduce, particularly regarding data and cybersecurity, and implement controls to mitigate them. Taking a holistic approach to considering security implications at an early stage will help prevent cybersecurity complacency and enhance your organizational resiliency against the evolving cyber threat landscape.
This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro