The challenges around establishing clearly defined roles and skillsets for the UK cybersecurity industry were discussed by Chris Ensor, deputy director of the NCSC, during the (ISC)2 Secure London today.
In his keynote address, Ensor emphasized that “everything we do in life is based on skills. Yet, currently in cybersecurity, they often do not feature in regulation or policy – they’re something that we believe will happen through market forces.”
However, as it is a young profession, there is significant confusion and disagreement on what skills are actually required for cybersecurity roles. Ensor noted: “We need to get over that because if we don’t, we won’t fill the skills gaps that we have.”
He then highlighted the most common cyber roles that organizations are struggling to fill, as shown by the most recent DCMS Workforce Survey. These include security engineers, analysts, managers, architects and consultants. Ensor observed significant variation in how roles are defined among organizations, even if the skills required are similar. “Every organization defines their jobs differently,” he commented.
Therefore, it is often difficult for those entering the sector to know which skills and courses they require for specific jobs. Ensor advised these people to use the CyBOK Qualifications Framework to help clarify “what is needed for what type of skill and role.”
However, CyBOK is only a starting point for providing this information. Ensor advised: “Sometimes it’s better to talk about the skill set needed rather than the job role until we get to the point where we have some sort of common agreement.” This approach is being taken at the government level, where cyber jobs are being displayed as specialisms, e.g., risk specialist, architecture specialist, etc., rather than roles.
Ultimately, he said it is vital to clarify job roles and establish the skills and qualifications required. This should be similar to the medical sector, which has existed as a profession for around 150 years. “We’re trying to compress those 150 years into five years,” noted Ensor.
The next stage of this process is establishing the pathways to get into those roles. Ensor emphasized that these must cater to people from various backgrounds, whether they’ve got a computer science degree, have other experience in tech or are in a completely non-technical field. Such pathways include the provision of apprenticeship schemes and special foundation courses in tech and cybersecurity.
In addition, Ensor discussed the work of the NCSC in trying to build a more diverse talent pipeline for cybersecurity, particularly via its CyberFirst scheme. This works through three main stages: inspire, develop and sustain.
Finally, Ensor highlighted the efforts of the UK Cybersecurity Council, which launched as an independent body last year, to raise and provide clarity on professional standards in the sector. “The Cybersecurity Council will be where regulation will point to setting the standards for what good looks like for a particular skill set needed for a particular purpose,” he explained.