Unless you’ve been living under a rock somewhere, chances are you’ll have read about the ongoing cybersecurity skills shortage. Here in the UK, estimates have been revised by the Department for Culture, Media and Sport (DCMS) from an annual shortfall of 10,000 to 14,100. This isn’t just due to a lack of new blood. There’s also a significant exodus happening, with recent reports suggesting almost half of cybersecurity professionals have considered quitting over the past year while estimates suggest up to 7,000 leave the labor market annually.
Staff turnover rates are high, with the top reasons being given as poor remuneration, limited job progression or promotion opportunities, high stress levels and a lack of support. What’s notable is that a lack of career progression is the second biggest reason, and that’s because within our industry, it can be incredibly difficult to climb the ranks.
Professional Progression
There’s very little information on what skillsets you should be equipping yourself with in a given specialist field. Indeed, many of the top performers in cybersecurity readily admit they only got where they are today through a combination of happenstance and hard work.
There are, of course, multiple routes into the profession, and that’s to be encouraged, from formal academic institutions to apprenticeships or even to moves sideways from a different profession. In fact, the Cyber security skills in the UK labour market 2022 report found that 27 percent of cyber professionals had previously been in a non-cyber related job role, much higher than the career starters who accounted for just 19 percent.
But without more transparency over career progression, the sector will undoubtedly continue to struggle to attract and retain talent. It’s also the cause of much confusion. In the recruitment sector, we regularly see job specifications that ask for conflicting skillsets. Employers cite a lack of technical skills or knowledge, yet it’s not qualifications they’re complaining about—industry certifications are well respected. What they’re looking for is more experience. The same report found that the bulk of skills shortages are among middle-management and senior roles, which require three or more years of experience, for instance.
Cyber Pathways
For ISACA and the other industry bodies that make up the Cyber Security Alliance, these are familiar issues that they have actively sought to address. The Alliance helped form the UK Cyber Security Council in late 2019. The Council is responsible for representing the sector’s interests and growing the nation’s cybersecurity skills base. It referred to “the complex nature of career routes into cyber security; the myriad of cyber qualifications, certifications and degree standards which exist without any uniform equivalency; and the challenges this creates for employers when it comes to assessing candidate suitability.” To counter these challenges, it is currently in the process of embedding standards and pathways across the cyber profession by 2025, a move that promises to provide some much-needed clarity with regards to career development.
The Cyber Pathways Framework will introduce chartered standards that align with 16 cybersecurity specialties. Job roles that have, until now, been loosely defined will be given specific descriptions and linked to existing qualifications and certifications, establishing minimum requirements for the first time, as called for by the DCMS in its Understanding the cyber security recruitment pool report.
On the plus side, this will set a bar to achieve certain roles, helping to standardize role requirements. This could prove helpful in the current climate where the demand for talent is leading to job creep, with job descriptions containing myriad skillsets. And it could prove fundamental in stopping the current job hopping that we’re seeing. But it will also see roles become more rigid, and given that the sector has always grown organically, there will need to be some provision made for the evolution of new roles as and when needed, such as ones involving AI and DevSecOps.
A Register and Chartered Status
Another key pathway proposal is the creation of a register for cybersecurity practitioners, similar to that seen in the medical, legal and accountancy professions, for senior positions. This will take the form of a voluntary register listing individuals accredited as having achieved associate, principal and chartered levels. In this way, it will help provide recognition for experience and ethical values that are not formally recognized today.
The pros and cons of this chartered status were discussed in the UK labour market 2022 report. Concerns ranged from how chartered status would be judged to whether some might promote their status unduly in place of the requisite experience, how it will differ from other accreditations, and whether it will reflect work experience as well as technical achievements.
No doubt these will form the subject of further debate. But both the register and pathways are exciting developments that could fundamentally alter the structure of the industry and even reporting hierarchies. For example, the CISO in some businesses reports to the CIO while in others it reports to the CEO, so a clearer designation of the role will allow CISOs to understand their scope more clearly. This is to be welcomed because at the present time, CISOs tend to carry the can when things go wrong, leading to an average tenure of just 26 months, according to a Verizon report. As a result, they’re seldom able to see security transformation projects, which typically last three to five years, through to fruition.
Yet where the pathways are likely to have the biggest impact is in resolving the skills crisis. They will make job specifications far more relevant and will provide businesses with the assurance that applicants have necessary experience. That’s got to be good news for candidates, employers and the industry.
Editor’s note: For more on the cybersecurity skills gap, see ISACA’s State of Cybersecurity resources.