The impact of COVID-19 on the cyber skills gap
12:00 Sunday, 13 December 2020
UK Cyber Security Council
There is no doubt that a vast skills gap exists in the cyber security industry. A recent UK government survey revealed that 48% of UK businesses have a basic skills gap with regard to cyber security, and even more – 64% of businesses – have seen skills gaps with current or prospective employees.
The cyber skills gap has been a concern for years, but with the advent of the COVID-19 pandemic – of which the first UK case was confirmed on 31 January 2020 – the impact of the gap has been magnified significantly. In this paper, we look at the top five reasons that the cyber skills gap presents an even greater risk than ever before.
Some cyber security staff – particularly the younger ones – have only ever known a career in cyber security. Many members of the security, however, have previously worked in mainstream IT and have evolved into cyber security. Particularly at the beginning of the first UK lockdown, enabling home working was the absolute priority in many organisations, and it was common for at least part of the security team to spend days or even weeks back in a mainstream IT role. Some of this was security-related, for example running pre-deployment checks on newly built laptops. Much of it was “traditional” IT work, though, deploying laptops and assisting the Service Desk with calls from the massively increased number of home workers who were harder to support from afar. Every hour spent by a cyber specialist on this “needs must” basis was an hour not spent on maintaining or promoting the organisation’s cyber security.
Users working at home
Aside from the technical (and usually non-cyber) problems with rapidly and unexpectedly deployed technology, the newly deployed remote users were also disadvantaged with regard to their cyber skills.
A good cyber security education programme will combine computer-based training (CBT) with instructor-led sessions. There is no reason that CBT should be less accessible in a technical sense when working remotely, as there are many excellent cloud-based cyber CBT resources. In addition, many people work incredibly effectively at home. The issue, though, is one of the employees’ ability to work effectively when they have been sent home at short notice. If a user cannot organise his or her day efficiently, he or she will be able to fit less work into the day, and the day job will be prioritised above what they perceive to be the “less important” cyber training element.
Technology at home
The technology available to home workers is also a potential blocker to productivity, regardless of the onset of COVID-19. If one’s home office equipment is any less complete than the office equivalent, though, or if broadband connectivity is sub-optimal, one’s ability work will be diminished – which amplifies the difficulty of the organisation both delivering training and communicating specific threat information to the users.
Training and CPD
On top of the ability to educate one’s users remotely, the cyber team itself is also thwarted by COVID-19 with regard to improving skills and knowledge. Several months on from the onset of COVID-19 in the UK, the training providers have now had time to develop effective on-line classroom facilities for delivering cyber training. For the first few months of 2020, though, many courses simply stopped completely or were delivered in a mediocre fashion in lieu of the development of a fully-fledged digital classroom. In the long term the cyber training industry may well see a net benefit from the forced introduction of digital teaching, through students signing up for online classes to exploit the benefit of instructor-led training whilst avoiding the need for the inconvenience and cost of travel and accommodation on multi-day courses.
The increase in on-line conferences, webinars and presentations has also been beneficial for those with professional certifications that require a certain level of Continuing Professional Development (CPD) credits. Online, view-on-demand conferences allow attendees to fit the material around their calendars, and to avoid the time and inconvenience of their in-person equivalents.
Lack of networking
Finally, and absolutely not least, is the complete absence of opportunities to network with one’s peers in the industry. Despite the plethora of online materials, the ability to network with one’s peers and share knowledge and anecdotes is invaluable in enhancing one’s knowledge about the realities of what threats exist and examples of how they have been dealt with. Online networking sessions simply cannot deliver the same experience as standing in a room with someone: although one can share with the others on the call, the ability to have the equivalent of a short, private chat in a corner electronically is seldom available and almost never used.
The predominant effect of COVID-19 on the skills gap in cyber security is, unsurprisingly, highly negative. In areas such as networking, it is difficult to see how this can be addressed to any real extent. The opportunity to improve in areas where technology can make a difference is a large one, though, and almost a year into the COVID-19 pandemic the exploitation of this opportunity is accelerating palpably.