Defining the cyber security skills gap

1. Critical national infrastructure (CNI) is the backbone of the country’s security and economy. A range of specialist skills as well as deep technical expertise are needed to secure CNI against the large, growing and diverse cyber threat. Developing these skills will also have considerable economic benefits, given the importance of cyber security to those new technologies that will help to improve CNI operators’ future productivity and standards of service. However, there are not enough people in the UK who both possess such specialisms and are also willing and able to work in the CNI sector. This situation is of serious concern, given the potentially severe implications for the security of the UK’s CNI and for UK national security more broadly. (Paragraph 15)

2. We are concerned that information about the nature of the cyber security skills gap in the CNI sector is primarily anecdotal. There is no detailed analysis available of which CNI sectors are most affected, in which disciplines and at which levels of expertise the shortage is most acute, or of where these gaps leave the UK critically vulnerable. The Government cannot hope to address the problem properly until it has defined it more rigorously. The first task will be to develop a clearer, and shared, understanding of what counts as a cyber security job and skill. The Government should publish a framework setting out the different types of skills required to ensure the cyber security of the UK’s CNI. In doing so, it might take the framework produced by the United States’ National Institute for Cybersecurity Education as a model. This new framework should form the basis of any future initiative to minimise the cyber security skills gap. (Paragraph 16)

Addressing the cyber security skills gap

3. Education is essential to creating and sustaining a pipeline of cyber security talent, although the time lag between an individual starting school and entering the workforce means that it is not sufficient in itself. The Government, with the Devolved Administrations, is responsible for ensuring a strong foundation for the future skills base through education policy. This can best be achieved in collaboration with industry, which is a source of up-to-date expertise and is also uniquely placed to articulate its current and likely future needs. We therefore warmly welcome the array of initiatives launched by the Government, industry and academia to improve cyber security education at all levels, both inside and outside the classroom. We are concerned, however, that the scale of the Government’s efforts on education so far simply does not match the scale of demand. (Paragraph 28)

4. The Government should address the need for continuing professional development for teachers and lecturers, enabling their knowledge to keep pace with the rapidly changing cyber security landscape. It should also investigate how it might ramp up those programmes that have proven effective so far, using them to reach new groups of potential candidates and to increase the numbers of women in the cyber security workforce. As just one example, a version of the CyberFirst Girls Competition could be used to attract returning mothers to the cyber security profession. (Paragraph 29)

5. There are key steps that organisations within the CNI sector can—and should—take for themselves in improving their access to the up-to-date skills they need. These include recruiting based on aptitude, rather than high-level academic qualifications, and reskilling existing employees to meet fast-changing demand for specialist skills. Given the importance of CNI to national security, however, it is also essential that the Government provides clear and targeted support to all those organisations relevant to the protection of UK infrastructure against cyber attack, to help them find and develop the elite talent they need. (Paragraph 37)

6. The Government should explore more creative options in building cyber security capacity within the Government and across the CNI sector. These include:

7. Cyber security as a profession remains relatively immature, lacking recognised disciplines, career pathways and entry points, as well as common standards for industry accreditation. Addressing these issues, while avoiding creating unnecessary barriers to entry, would go some way towards creating a more attractive profession. (Paragraph 43)

8. The Government should move ahead with its plan for cyber security to achieve Royal Chartered status—thereby establishing a professional body for the industry—as quickly as possible. Such a body would provide a focal point and, crucially, a mechanism for scaling up the cyber security industry by increasing the industry’s appeal to more people, raising awareness of potential career opportunities, and promoting continuing professional development. However, it will also be important for this body—under the remit set for it by the Government—to ensure that a more structured approach does not inadvertently discourage a wider and more diverse entry into the cyber security workforce, and to be ready if necessary to adjust how it operates. (Paragraph 44)

9. We are struck by the Government’s apparent lack of urgency in addressing the cyber security skills gap, which is of vital importance to both national security and the economy. The Government’s immediate priority should be the publication of a cyber security skills strategy. This should provide coherence in tackling the current skills shortage. It should also be flexible enough to meet fast-changing future demand, as technology advances unpredictably and at speed. We expect industry and academic partners to be closely involved in drawing up the strategy, given their important role in ensuring that the UK has the necessary skills to ensure the cyber security of its CNI. (Paragraph 47)

10. The strategy should set out the Government’s framework for developing cyber security skills, by:

