Closing the cyber security skills gap: Are we looking for unicorns?

Barry Searle, Managing Director at Intelligencia Training, discusses the cyber security skills gap and the need to align education with industry needs

With the global cost of cyber crime estimated at over £6tr in 2024 and the UK reporting business losses of over £27bn, both public and private sector organisations are acutely aware of the need to develop capable and effective cyber-security teams. Beyond the billions of pounds we spend each year on defensive technologies, the skills of the people charged with implementing and managing those tools to protect us are arguably even more critical in the defence against growing criminal and nation-state cyber capabilities.

Half of UK organisations have a cyber security skills gap

With the need very clear, a UK Government study published in July 2024 reported that over 50% of UK organisations had a cyber security skills gap. Therefore, is it the case that there are simply not enough individuals out there seeking employment in these roles? This seems unlikely. We meet hundreds of people each year, many of whom are recent graduates or have completed recommended and recognised cyber security certifications. They are actively seeking cyber security roles yet are struggling to gain employment. Therefore, if we have a pool of talent that is actively seeking employment and a range of organisations with critical cyber security roles that are available, how do we have such a large skills gap? The reality is we are searching for unicorns.

Aligning cyber-security education and industry needs

‘Unicorn’ is a term increasingly used by graduates in the field, frustrated that they have undertaken the relevant courses and gained recognised certifications, yet even entry-level roles often require five or more years of experience. It is rare for a cyber security practitioner, particularly in more entry-level roles, to come into an organisation with the specific skills needed for their role. Traditionally, academic courses will focus on specific software, applications and cyber security tools that are commonly used within the industry; they are generic to the course as they are the best fit for all delegates. Whilst that is logical, it does not always reflect a real-life environment. Training companies are more likely to use more common tools, often due to cost and familiarity, when in the real world, a company is more likely to use the best tool for the job, which in many cases is something more complex and costly.

This creates a scenario in which we have a misalignment of the knowledge developed within education and the actual role requirements, as the training undertaken does not leave the individual with the specific knowledge and skills required for that role. A company then often needs to spend considerable time re-training or upskilling individuals to work the way that they need them to, which is both financially and operationally disruptive. As a result, we have a stalemate: job roles that require specific experience with tools and applications that are not often available within a learning environment, or low salaries that organisations believe will account for the additional training, coaching and mentoring required until an individual is actively competent within their role.

Having worked within the industry for over a decade, we can see this is a problem that isn’t being effectively resolved. The cyber security skills gap is not closing, and each year, an increasing number of people with qualifications and certifications are looking for roles without success. We must, therefore, consider what we are getting wrong and how we can better align training and skills development to employer needs.

The first consideration is how we perceive cyber security roles. Many of them are office-based and sit in front of a computer screen, so they are often labelled as ‘white collar’ roles from an administrative perspective. This shows that we lack understanding of the role requirements. Cyber security practitioners are required to be able to operate a range of tools, often within particular legislative parameters and bound by regulatory and safety requirements. By definition, a cyber security practitioner’s role is far more ‘blue collar’ and akin to that of an engineer, mechanic or nurse. In these roles, continuous professional development (CPD) is critical to understanding the latest technologies, threats and techniques to fix/resolve issues. Much of the training we put our cyber security practitioners through is static; they are assessed by utilising specific tools and applications within an academic environment over a shorter duration. Much of the knowledge is irrelevant to a specific role, and the rest can be lost if not actively practised.

The benefits of apprenticeships

Apprenticeships are a tailor-made solution to the cyber skills gap and help us to develop the unicorns that we are so desperately looking for. UK employers developed the cyber security technologist apprenticeship to meet their needs and focus on three specific roles: Cyber Threat Analyst, Cyber Security Defender/Responder and Cyber Security Engineer. Apprenticeships may well be the solution as they are delivered specifically to your organisational requirements, including the nature of the role, tools and applications used. As such, an apprentice is developed to meet your organisational needs. Each apprenticeship programme is designed in coordination with an employer to meet the role’s needs, and as such, an effective apprenticeship will provide complete relevance in its curriculum. Many well-known cyber security certifications focus heavily on the teaching of knowledge, but apprenticeships are centred around the training and coaching of skills. They provide an opportunity for skills to be developed and, most importantly, honed within the real-world environment in which they need to be applied.

Apprenticeships mean that training is current and relevant; the ability to apply the teaching in a real-world environment increases retention within the student and builds a genuine capability. Salary expectations for an apprentice are far lower than for a graduate or ‘qualified’ candidate. Yet, there is a strong argument that an apprentice is often more capable in the role only a few months into their apprenticeship as they are learning on the job. A culture of carrying out CPD is part of an apprenticeship programme that helps to build a genuine passion for learning. Ultimately, an apprenticeship helps to mould a cyber security professional to the needs of your organisation whilst also developing a working knowledge of the organisation’s culture, ethos and working practices. When an employer seeks prior experience for cyber security roles, what they really mean is that they need somebody with the skills to perform their role effectively. Apprenticeships have existed in various forms for thousands of years to develop the skills for the next generation. Yet, they are something that we are not harnessing effectively to help us close the cyber skills gap.

You can read more about Intelligencia Training and its specialist apprenticeship training programmes at https://www.intelligenciatraining.com/.

Please note: This is a commercial profile
