Much debate has rightly focussed on getting more young people into cyber security. There is undoubtedly a skills gap and not enough people leaving university with the skills to fill it.
Part of the problem has been due to historic education decisions, and much has been done recently to address this. But there is also the issue that security is complex. It requires technical ability, understanding of the working environment, and management and communication skills.
Few graduates have all of these, but many IT professionals do. We believe that the skills gap can be better addressed by encouraging not just young people but IT professionals to move into security.
The skills for the job
People with more experience make ideal candidates. They will generally have core technical competencies with a good understanding of security and also an understanding of the people issues around security. They know the industry they work in and the business challenges it faces and are familiar with corporate infrastructure and networks.
They will need to learn some new specific security skills of course, but with the right support this is an achievable goal – constantly learning is one of the many appeals of the IT profession.
Security is also a good option for career progression. It is much in demand from industry and government and this desperate need for security professionals makes it a very lucrative profession. As security threats evolve, demand will only increase, and in many cases regulation makes a team of security staff an absolute requirement, not just a sensible business decision.
IT professionals who move into security will also be appealing to employers. They are experienced enough to make informed career choices. Someone with 8-10 years IT experience who decides to take a cyber skills course is probably doing so because they are committed to a career they have thought long and hard about, whereas a younger employee may find it’s not for them.
Identifying what skills you need to take the next step
Before you embark on any career move, think through what skills you need. Examine the security challenges your company or industry faces. There are many core skills, applicable to all industries, whilst some industries will face specific security challenges. A good starting point is to research the standards and regulations, e.g. those set by the ISO 27000 as well as industry specific standards like PCI-DSS.
You should also consider what technology you want to work with. For example, if your company uses Cisco or Oracle systems, you may want to look for training packages which include industry certifications in these technologies.
You may also want to evaluate your management and other non-technical skills. Many training packages will cover these issues in a security-specific context, for example developing security strategies and presenting them to the board, rolling out security policies, and managing teams.
Making the case
Once you know what you want to achieve and have identified the right training to get you there, consider making the case to your employer. Whilst you could fund all this yourself, you may find your employer is keen to support you. Chances are, they are struggling to meet their cyber security needs and would rather have someone they know and trust, than take an expensive gamble on someone external.
You can help your employer reach this decision by highlighting the risks to your industry and cost of defending against them vs the cost of training you to defend against them. Present them with a course you wish to take, what the costs are and what benefits it will bring to you and them. If training you is cheaper than the alternative – data breach, ICO fines, recruiting someone else – then it’s a no brainer.
A big worry for employers when considering training their staff to work in the competitive world of cyber security is that their new talent will disappear in six months when a consultancy or government department offers more money. A commitment to staying with your employer for a period of time after the training, is likely to be seen as a welcome gesture and will help allay this concern.
Security is of course not the only area with a skills gap, many of the same arguments go for areas like software engineering and data management. However security is in particularly high demand and top of the agenda for many companies, not-for-profit organisations and government departments. This is a good time to make the case that, with a little support, you are the person to help them stay secure.
Dr Arosha K. Bandara teaches Postgraduate Computing courses at The Open University aimed at helping IT professionals advance by using technology to drive the business forward.