UK cybersecurity is now worth £8.3 billion and is staffed by 43,000 full-time employees. However, despite this positive growth, there aren’t enough people to fortify organizations against cybercrime, with the average data breach costing businesses £3 million.
In 2018, (ISC)² found that the global skills gap had grown by 33%; that 65% of firms have a shortage of cyber staff; and that the UK needs to increase its workforce by 291,000 people to plug the gap.
Apprenticeships are the answer. The pool of cybersecurity grads is small, partly because university is inaccessible to many, so hiring strategies need to urgently move away from exclusively hiring graduates if we are to deal with this crisis. Opening cybersecurity up to more apprentices will not only create a larger and more diverse workforce; it will also better equip individuals to tackle the modern cyber threat because apprenticeships teach both technical skills and real-world knowledge. Any cyber professional will agree that hands-on experience and people skills are fundamental when dealing with the biggest vulnerability in any organization: its employees.
People are your biggest vulnerability
The biggest cybersecurity threat is people. The vulnerabilities they cause, often through accidental or ignorant behavior, open up your network to attack. The problem is that people lack cyber knowledge and so take careless actions - for example, forwarding sensitive information to the wrong recipient over email.
The insider threat is exacerbated by the sophistication of social engineering tactics such as phishing and the proliferation of BYOD. A lack of education and policy means your employees are likely putting the organization at risk daily. In order to properly protect a business, staff vulnerability must be reduced. Funnily enough, to deal with people… you need people skills!
Cyber-pros need hard and soft skills
Apprentices gain a deep understanding not just of the network, but also the business and its culture. This means that, when putting a cybersecurity policy together, they can develop something that is bespoke to their business. It also means education and general cybersecurity communications can take place in the company’s tone of voice, via the medium employees are most likely to read.
This sounds simple, but you’d be shocked at how many businesses I’ve worked with that view education, policy and communication as an afterthought.
Of course, technical knowledge is critical. Professionals must understand systems architecture and be able to identify attacks and implement relevant defenses (as well as mitigate issues). Apprenticeships can still come out tops because they enable individuals to implement new skills immediately, allowing them to put into practice what they’ve learned.
Implementing a digital apprenticeship strategy
Apprenticeships require a time and money investment, but arguably no more than a good graduate scheme would. The average cost of a cybersecurity apprentice is £18,000 for a one-year program, which can be paid for in part using the business’s apprenticeship levy.
After the year, they will have three to four key digital certifications, as well as a full year’s worth of mentoring. You can also use the levy to upskill existing staff - either those already in the cybersecurity team, or those in different departments wanting to move sideways.
A rotation-style scheme works well: apprentices have the opportunity to work two months with each team so they can learn assorted best practices. At the end they will understand how everything works together and can choose where they’d like to go with their career.
To conclude, my argument may be controversial and of course I don’t believe we should stop hiring graduates - some of the best cyber pros out there are grads - but I do think that a digital apprenticeship is more effective at equipping people with both the hard and soft skills needed to fight the modern cyber threat. Digital apprenticeships also open up the pool of talent organizations can recruit from to a much larger and more diverse audience, and it is here that the key to solving the cybersecurity gap lies.