At the end of July, the Department for Science, Innovation and Technology (DSIT) and Ipsos published a report analysing the UK cyber security labour market. We explore key themes coming out of the report, specifically what a business who lacks the necessary cyber skills, knowledge or capability should consider in order to avoid missed opportunities as well as the operational pitfalls of not having these resources in-house.
Of the organisations surveyed:
- 50% have a basic cyber sills gap; the most common examples being configuring firewalls, transferring personal data and detection and removal of malware.
- 33% have a more advanced skills gap which is unsurprising given the typical skills considered are forensic analysis of breaches, security architecture, interpreting malicious code and penetration testing.
- 41% have no skillset around incident response or recovery, nor do they have cover for this via an external specialist.
The key upward trend is businesses lacking confidence around incident management (27% in 2020, 41% now) likely exacerbated by ever increasing media reports of cyber attacks and the reputational, financial, legislative and operational consequences of them. With GDPR now into its fifth year of enforcement there is still great uncertainty amongst businesses lacking a qualified or informed Data Protection Officer (DPO) of best practice for BAU data processing and protection as well as how that aligns back into roles, responsibilities, planning and actions around a cyber incident.
There is still much to do in creating career pathways for people into cyber, and there is still a lack of entry level positions for those looking to enter the industry. Many innovative training businesses have disrupted the space in recent years and the access to impactful resources to provide people with meaningful skills, knowledge and exposure has never been more fruitful. Apprenticeships are an under-utilised route currently, with funded course content available for organisations looking to upskill or reskill valued members of staff who’s current remits may not be as necessary in the future. All of this however, will still take years to fulfil its potential of bringing entry level cyber talent into the workforce with businesses still unclear, unwilling or unable to cater for dedicated cyber professionals for financial or operational reasons. For those believing their IT team or IT contractors have it covered, the point has never changed, that unless these people are trained to cyber security industry standards with recognised accreditations to prove this, with the qualifications maintained, they will remain behind the threat landscape posing a continual threat to their employer.
What can businesses lacking these skills do now?
In the absence of quick fixes when it comes to embedding the right skills into a business, the most simple cost effective steps in the first instance, are to test your digital environment for areas of vulnerability, and start from there. As a business leader, in a matter of a few days, by working with cyber security specialists, you can have key answers to your likely question “If someone was trying to attack my business today, what would they be able to achieve? What reputational, operational, financial damage would that do to my business? How do I go about preventing that from happening?” If you are asking those questions, contact us at hello@amicisgroup.co.uk to understand how Amicis help answer, address and remediate those concerns whilst also helping you find some quick wins in bolstering your team’s internal cyber security knowledge, awareness and behaviours in the absence of a dedicated professional.
The full report can be accessed here https://tinyurl.com/yck8m3jh