Today’s gamers can be the cyber security stars of tomorrow

Head of Research and Development at the SANS Institute, James Lyne, on how and why we need to address a crucially important skills gap

We live in extraordinary times. Our modern world is powered by IT systems — complex, data-fuelled networks of computers which run everything from critical national infrastructure (CNI) to smart homes to the phones we carry in our pockets. When hackers steal the data which flows through these systems, or cause service outages, we realise just how important IT is to the fabric of society. But there’s a problem: there aren’t enough skilled people in the world to keep these systems safe and secure. In fact, some reports forecast the global shortfall of cyber security professionals will be 1.8m by 2022.

New technologies like AI could potentially take some of the strain off stretched IT security departments, and retraining professionals mid-career is also reaping some rewards, but to address the challenge long-term we need to go back to school. With innovative approaches like gamification, we can encourage a vast, untapped pool of tech natives to consider a career in cyber security.

Rise and fall

There’s no doubt that the cyber security industry is facing a skills crisis. The most accurate figures we have come from the Global Information Security Workforce Study, which has been charting growing shortages over the past decade. The most recent report revealed 66% of UK firms claimed not to have enough IT security staff; nearly half (47%) said the reason for this was a lack of qualified applicants. A more recent vendor survey claimed that just 9% of US millennials are interested in a career in cyber security. The problem is all about awareness and exposure: 69% had never studied cyber security in school and only 17% said they knew someone in their family that has worked in the industry.

This decline couldn’t have come at a worse time. We’re seeing nothing short of an explosion in cybercrime, thanks to endless new recruits and crime-as-a-service offerings on the dark web, which have democratised the means to launch highly effective attacks. From the ransomware attack which decimated the NHS in 2017, to data breaches of tens of millions of customers at big-name companies like Uber and Facebook, it’s clear who’s winning at the moment. That’s not to mention a rise in nation state threats, to the point where the UK and US authorities recently issued a joint alert to CNI stakeholders about government-sponsored attacks.

With industry, government and the education sector all pulling in the same direction, we have a great opportunity to address the skills crisis and make the world a safer, more prosperous place

Starting from scratch

There are some useful initiatives in place for firms looking to retrain and reskill existing employees. These are welcome, but we also need to go back to basics if we want to make a serious dent in the current industry skills shortfall. Fortunately, the government has recognised the criticality of this challenge, putting £20m behind an ambitious four year cyber schools programme – Cyber Discovery – designed to provide opportunities for 14-18 year olds to learn cyber skills outside of their secondary school studies. In addition, GCHQ’s National Cyber Security Centre (NCSC) is running CyberFirst summer courses, consisting of residential and non-residential courses to introduce 11-17 year olds to the field.

But to ensure we’re successful in steering the next generation of school leavers into a career in cyber security, we need to make sure we’re appealing to kids of all backgrounds. They don’t have to be science or computing stars; in fact, some of the best candidates may be more naturally inclined towards humanities. It’s all about showing them the wealth of possibilities that exist in the industry — some roles will certainly require hardcore hands-on cyber skills but, in others, candidates may be required to draw on a wider range of non-technical ‘softer’ skills.

The good news is that young people are surrounded by – and intuitively comfortable with – technology. They’re also naturally inquisitive, which is crucially important for any good cyber security candidate. So how do we make the most of this and appeal to a vast untapped resource of potential IT security pros?

We need to think outside the confines of traditional classroom-based teaching. One example is gamification, which is already being used to good effect in the Cyber Discovery programme. Kids love gaming, are familiar with gamification techniques in the apps they interact with on a daily basis, and respond well to its use in teaching cyber skills. In fact, 78% of senior security managers and professionals globally believe that millennials who have been raised playing video games are stronger candidates for cyber security roles than traditional hires.

With industry, government and the education sector all pulling in the same direction, we have a great opportunity to address the skills crisis and make the world a safer, more prosperous place for us all.