Fixing the cyber-security skills gap

Michael Adjei at Illumio explains how the industry can mend the broken pathway from cyber-security education to employment

The cyber-security skills gap has been a major talking point for many years. But amidst all the talk of challenges in recruitment and retention, there’s one uncomfortable truth the industry shies away from – we have collectively let down young people trying to get into cyber.

The issue is that there is no clear pathway from education to employment in the industry, leading too many talented young people to drift into other, more accessible fields.

Until we work together on fixing the pathway into the industry, the skills gap is only going to widen.

The shortcomings of initiatives like Cyber First 

In the UK, a recent government report into cyber-security skills found that nearly half (44%) of businesses have a skills gap in basic technical areas. Some key cyber-skills have become even harder to find, with the gap in incident management skills growing from 27% in 2020 to 48% this year.

To address the problem, the UK government introduced initiatives like Cyber First and the expanded Fast Stream scheme. Both aim to draw more young talent into cyber-security by providing foundational knowledge and early exposure. 

Such programmes have seen some success – the number of students enrolled in cyber-security courses has increased by 14% over the last year, and the number of graduates has grown by an even more encouraging 34%. 

However, once these students leave school, many struggle to find a clear pathway into cyber-security careers. The excitement generated early on fades as the necessary follow-up support to guide them into the workforce is often lacking.

The new Fast Stream project has an encouraging approach, supporting young people as they take the first steps of their careers, but it’s limited to public sector roles. 

For wider cyber-security programmes to truly succeed, they must not only focus on education but also provide a well-defined pathway to employment. Without this support, the industry will continue to lose talent, and the cyber-security skills gap in the UK will widen further.

Internships and apprenticeships

When it comes to creating opportunities to enter the cyber-security industry, there is a tendency for government programmes to focus on large and well-established companies. However, small and medium enterprises are well-suited to providing new entrants with a broad and rounded experience of different roles.

Having the opportunity to experience a variety of roles and disciplines is particularly valuable within internships and apprenticeships. While formal education is essential, real-world experience is what transforms students into effective professionals. Internships provide an invaluable bridge between education and employment through hands-on experience and mentorship. 

I’ve seen this value first-hand with Illumio’s internship programmes. We make sure our interns have a lot of opportunities to learn and apply their skills, flex their creativity, and just generally experience a working business environment. 

Unfortunately, the UK faces a significant shortage of internships and apprenticeships in the cyber-security sector. Less than a third of UK cyber-security firms currently offer internships, a figure that has remained flat for the past four years. Unlike the US, where internships are integral to the education system, the UK has been slower in adopting this model. 

By creating internships for areas like incident management, where we know there is a greater shortfall, we can start to fill the most critical gaps. The key is making these opportunities highly visible and accessible to students so that they have a clear and direct path.

The UK government should incentivise businesses to create these opportunities through tax breaks and vendor partnerships. This is especially true for SMEs that often lack the budgets to easily fund programmes themselves. 

Structural gaps in cyber-security career paths

Unlike fields such as accounting or law, where there is a defined progression from entry-level positions to senior roles, cyber-security generally lacks a defined career development framework. 

The dynamic nature of cyber-security means creating a clear roadmap is more challenging than many other fields. The requirements for accounting and law skills are relatively static and will stay current for many years, but qualifications are still far from ‘one and done’ and require regular refreshers. 

Rapid adoption of technologies like cloud and AI, as well a new attack vectors, means demands on cyber-skills can shift dramatically within 12 months. This requires a much steeper effort to stay current.

This lack of structure affects those entering the field and contributes to a broader issue of retention. Promising talent is often drawn away to other industries that offer more predictable career progression and long-term incentives. 

A formal career progression model, with defined milestones and roles, would provide professionals with the clarity they need to stay in the industry. This approach would also help employers retain talent by providing long-term development opportunities, creating a workforce that is not only well-prepared but also motivated to grow within the sector.

Lessons from other countries

While the skills shortage is a global problem, some other countries have taken more proactive steps that the UK can learn from. 

The US, for example, have implemented long-term retention strategies that not only attract talent but also keep professionals engaged throughout their careers. These countries focus on offering clear career progression, ongoing training, and support systems that help maintain a skilled workforce over time.

In the UK, much of the emphasis has been on recruitment, but without focusing on retention, the industry risks losing valuable professionals. The absence of long-term incentives and career support leaves many individuals feeling that cyber-security is a short-term career option rather than a viable long-term path.

In contrast, the US offers structured mentorship programmes, clear career ladders, and ongoing professional development, which provide stability and growth opportunities.

Getting cyber-skills development back on track

The pathway from cyber-security education to employment in the UK is fractured, with many talented individuals falling through the cracks. While we should celebrate efforts like Cyber First that are making strides in raising awareness, we need to address the fundamental lack of guidance for young people seeking to enter the industry. 

Establishing a clearly signposted path for graduates to enter the sector through internships and apprenticeships will go a long way in helping connect these talented and hungry young people with companies crying out for skilled cyber-security practitioners. Until we fix the path, the cyber-security skills gap has little chance of closing. 

Michael Adjei is Director of Systems Engineering at Illumio

Main image courtesy of iStockPhoto.com and Ivan-balvan