Editor’s Question: How important is cybersecurity education for young people for closing the cyberskills gap?

The majority of UK parents are in the dark when it comes to advising their children on a career in cybersecurity, research from global cybersecurity training provider, SANS Institute, shows.

The findings reveal that 63% of parents in the UK would either not be able to answer questions on how to get a job in the cybersecurity industry or just didn’t know if they would be able to; 61% report they are not very aware or not aware at all of any career opportunities.

This contributes to the wider industry issue within the UK of the ever-increasing skills gap in technology and cybersecurity.

With the industry crying out for new blood and professionals to address the 51% of UK businesses and charities that have a basic cybersecurity skills gap, educating and incentivising school children to take up a career in cybersecurity is considered crucial to the survival of the industry and, even more critically, the security of the nation online.

James Lyne, CTO SANS Institute, said: “These findings should be seen as a wakeup call to the cybersecurity industry that it needs to do more to promote itself.

“We need to ensure that the 72% of parents who haven’t considered a career in cybersecurity for their children become aware of both the economic rewards and the job satisfaction offered by our industry. The only people who can really spread that message are those working in the industry already – it’s another way to help close the skills gap we are currently suffering.”

Although 27% of parents indicated that IT remains within their top five career choices for their eldest child, there is a lack of awareness of where students learn about cybersecurity, with 69% of parents assuming cyber is taught in some form at school.

In addition, 87% of UK parents indicated that they would like their children to learn about cybersecurity more generally as part of their curriculum, and through extra-curricular activities.

In this same research, 46% of UK students polled indicated that they had heard of cybersecurity from their parents, showing a strong case for the education of parents, as well as children, for the benefit of industry.

We spoke to a number of experts who expand on the subject and comment on the importance of cybersecurity education.

Tara O’Sullivan, CMO at Skillsoft: “Women have long faced challenges when entering jobs or careers that are seen as being ‘for men’. The technology industry – and cybersecurity in particular – has a reputation as a boy’s club and this can make it difficult for women to make an impact in these organisations. People tend to hire those they recognise and identify with, and this unconscious bias can foster damaging behaviours. Traditional stereotypes negatively influence women all the way through their careers, from education right through to hiring and promotion.

“White, middle-class males dominate the industry. These are the men responsible for the hiring, promotion and retention of women in cybersecurity. But with women still making up a tiny 10% of the cybersecurity workforce, attention to diversity is still lacking.

“And yet, companies in the top quartile for racial and ethnic diversity are 35% more likely to have financial returns above their respective national industry medians. Additionally, a study from Bersin by Deloitte showed that diverse companies had 2.3 times higher cash flow per employee than non-diverse companies did.

“We need a significant cultural overhaul. A female having a career in cybersecurity needs to become a social norm, not a rarity. This starts in schools, where we need to encourage girls to have the confidence to do whatever they want, even if traditionally it was seen as ‘boyish’.

“Ultimately it starts with education – from school to the boardroom. In school, coding should be mandatory for everyone; complex problem solving and critical thinking should be part of everyday life. In the workplace, training programmes can help people understand conscious and unconscious bias; both helping people to change the way they think and call out unfair behaviour.

“That’s not to say companies can’t take action now. CEOs, executives and company leaders need to demonstrate their attitude to diversity. Being outspoken on this creates a culture and shows you stand for equality in the workforce. Communicating this throughout the whole organisation will ensure the message sticks and will give women the confidence to take on the roles they want. Getting female talent into the industry is only half the story. We need to make sure they have the confidence and support to progress through their own careers.”

Aaron Higbee, Co-Founder and Chief Technology Officer, Cofense: “The cybersecurity skills gap is growing. In fact, according to the (ISC)2 Global Information Security Workforce Study, there will be a shortfall of 1.8 million information security workers by 2022.

“Alongside this, in May, the government added cybersecurity engineers and analysts to its Shortage Occupation List – an official review of the careers in which shortages are recognised as most severe and where the consequences of those shortages are most serious.

“While the UK government has identified the lack of science, technology, engineering and mathematics (STEM) qualified individuals as a problem, it’s clear more needs to be done to attract, engage and retain cybersecurity talent. However, as the shortage of skilled cyber professionals becomes more of an issue, what needs to be done to entice the new generation of information security workers?

“Generation Alpha will be critical to filling this employment gap and it is vital that there is more investment, both time and monetary, made to encourage young talent into seeing STEM careers as a viable and lucrative vocation. By encouraging future workers into STEM education early, the talent pool available to businesses will grow substantially and attract some of the brightest and most talented minds.

“It’s important to note however, that the industry needs to start competing for talent in the classroom early. Research from Microsoft has shown that girls begin to lose interest in STEM-related careers by their mid-teens and there is much that can be done to prevent this.

“The industry not only needs to provide the younger generations with role models, but also hands-on experiences, allowing them to explore cybersecurity before deciding to stop their STEM education altogether. By encouraging this, we will make the first steps in closing the gap, as well as building a culture of security awareness from the ground up.

“Today, businesses face threats from bad actors across the globe. From ransomware to social engineering, hackers are trying new and inventive ways to get access to information they’re not privy to. And – alongside technology – employees play a critical role in safeguarding against those with malicious intent.

“In order to build a risk-averse culture, employees must be educated, trained and actively engaged as part of the organisation’s cybersecurity strategy. Organisations must ensure their employees understand and appreciate the onus is on them as the last line of defence to help protect their organisation from data theft and critical information being compromised.”

Steve Hanna, Co-chair of the Trusted Computing Group’s (TCG) Embedded Systems Work Group: “Cybersecurity is one of the fastest growing employment opportunities. Today, salaries for cybersecurity experts are growing quite rapidly and we see this trend as one that is likely to continue. Although Artificial Intelligence (AI) has an important role to play in cyberdefence, skilled human security experts will always be needed to identify attacks, develop counter strikes and build defences. The next generation of cyber natives are perfectly equipped to fill this gap and are likely to enjoy the fast-paced game of cat and mouse.

“In today’s world of the Internet of Things (IoT) and growing connectivity, cybersecurity is a substantial risk to us all. Autonomous vehicles, smart homes and smart factories are opening exciting opportunities for greater efficiency, convenience and customisation, but they also open the door for attackers to infect and hijack these smart systems. In recent years, we’ve seen examples like the attacks on the Ukrainian power grid and on the German steel mill which resulted in a loss of power in the winter and significant equipment damage to the steel mill. Heading off these risks requires creative and rapid action as there is a constant battle between the attackers and the defenders. Therefore, we need to have the best minds of this generation working on it.

“We see now how social media and rapid technological change influence our society and even our psychology in subtle and still unknown ways. It is therefore important for our young people especially, who are on the cutting edge of these technologies, to be aware of the risks, as well as the benefits, and be on guard against the fraud that happens in cyberspace, as well as in real space.

“TCG is working to create technologies and standards that make computing systems and smart things trustworthy in fundamental ways. While we want to deliver this for everyone and in ways that are easily accessible, it remains true that there is important new research to be done in this area and we are constantly engaged with academia to anticipate and forestall the newest threats that are emerging. For young people seeking an exciting career, cybersecurity is a great option and TCG is happy to offer this avenue for interesting research with a real-world impact.

“We invite professors or graduates with an interest in cybersecurity in trusted computing to contact TCG regarding research opportunities and gratis liaison membership.”

Simon Church, General Manager and Executive Vice President, Europe, Optiv: “With more than nearly 2 million cybersecurity job openings worldwide, cybersecurity is incredibly fertile ground for new careers, but many young people will incorrectly assume they need a technical background to enter the field. That is not always the case.

Instead, cybersecurity requires a foundational skillset that often can’t be learnt in school or from an internship. This skillset includes; soft skills, curiosity, and the ability to be a team player. They can then be refined with the right mix of coaching, experience and self-growth, and used as the right base on which to build cybersecurity-specific skills.

Soft skills are required because a career in cybersecurity means having the confidence to speak to employees across all lines of business. Candidates must be confident enough to stand in front of a group and act as an expert, even if they might be perceived to be the least business-experienced person in the room. Without soft skills, a cybersecurity professional wouldn’t be able to delicately and effectively deliver difficult news, such as if a data breach were to occur or if network vulnerabilities are discovered that could be exploited.

Curiosity is a key element of career success in the cybersecurity industry because passionate cybersecurity professionals have an innate desire to know how things work. Such as learning what happens when risks aren’t mitigated or understood, how security needs to be implemented when employees are interacting with their apps and phones every day, or the risks created from an ‘always on’ cloud-focused culture. Having this curiosity is one way an aspiring cybersecurity professional can learn the latest tactics, techniques and procedures cybercriminals are using.

Lastly, cybersecurity professionals must be the ultimate team players, not only within their organisations, but within their cyber communities as well. They must be willing to share their knowledge as they learn new things by blogging, writing whitepapers, speaking at conferences, attending industry meet ups, etc. This is so important because staying one step ahead of cybercriminals requires collaboration and communication among security vendors, threat researchers, consultants and the industry in general. It is rare for a cybersecurity professional to succeed alone as you might see in other industries.

The cybersecurity skills shortage is a problem that isn’t going away any time soon. As such, the cybersecurity industry needs to continue to focus on building the industry’s future professionals — and seeking candidates with the right skillset, regardless of their academic or professional background, is a step in the right direction. As long as candidates arrive with the above foundational qualities, they can be coached and mentored to further develop these traits and apply them throughout their career in cybersecurity, thus making a cybersecurity-specific education a non-necessity for young people.”

Steve Mulhearn, Director of Enhanced Technologies, Fortinet: “Education is extremely important but unfortunately, today’s IT curriculums aren’t quite addressing current needs.

“Firstly, we often find that the learning content and materials being used are out of date with regard to what is actually happening in the industry. Because of the rate at which breach and cybercrime defence methodologies evolve, it’s difficult for education bodies to keep up. As a result, there is a general lack of understanding around the field in general. While students are learning how to code and develop applications, they aren’t necessarily learning how to build effective security mechanisms from the ground up to keep those applications safe – they aren’t learning to think in the way cybercriminals do.

“Secondly, many current programmes fail to accurately depict what cybersecurity professionals actually do – many young people believe they sit in front of computers late at night wearing hoodies – or the commercial need businesses have for the cybersecurity skillset. Young people don’t realise the breadth of the problem. While it is the most wanted skillset in the UK, Ireland, the US, Germany and Israel, and is a growing need in emerging countries where competing in the global marketplace requires a digital presence, a recent workforce development survey showed 59% of organisations have unfilled cybersecurity positions, with Frost & Sullivan forecasting a shortfall of 1.5 million by 2020. That gap is expected to grow significantly over the next few years if nothing is done.

“As a result, people usually fall into cybersecurity, rather than being guided towards it. The majority of today’s industry professionals start out in a different field of IT and land in cybersecurity because at some point, they realise they have an interest or a skill for it. They then have to retrain as cybersecurity specialists, exacerbating the skills shortage issue.

“To address this challenge, we need a new approach that combines the resources of higher education organisations with those of the private industry and public sector. For example, in the UK we’re looking at how we can work with universities to further engage with students in order to give them a better understanding of cybersecurity – through exposure to us as a business, investments in educational technology, and investments in time to ensure the materials they are using are up-to-date.

“We need to acknowledge that schools and universities alone can’t address the pressing problem of the cybersecurity skills gap. A concerted effort across public and private organisations is our best shot at creating a cybersecurity talent pool with a variety of skill levels, with professionals who know how to engineer secure environments and detect and respond to sophisticated attacks.”

The education secretary has laid out plans for guidance to help guard children against online harms including catfishing, targeted advertising and fake news. The guidance is designed to help students understand the motivations of people online and protect themselves.

Ed Macnair, CEO of Censornet has commented on the importance of these initiatives: “It is beyond time that online safety was made a priority throughout education. As with every aspect of life, childhood has been altered by the digital age. This has brought a lot of good, not the least in education, but it also brings a large amount of new risks. Catfishing, fake news, cyberattacks, social media abuse, targeted advertising, data misuse – these are issues that earlier generations never had to deal with but that the government and schools cannot neglect when it comes to educating students. Our work in the cybersecurity industry shows us that, even in the most sophisticated of organisations, adults’ understanding of these challenges and ability to be safe online remains poor, decades after the Internet and smart phones. We have to act now to ensure the next generation is better prepared.”

*** This is a Security Bloggers Network syndicated blog from Trusted Computing Group authored by TCG Admin. Read the original post at: