The conversation on what qualifications someone needs to make it in cybersecurity is not new: we’ve been debating the need for a varied background of experience and education for years, and why the next set of graduates don't need to have followed traditional computer science paths.

That is not to knock computer science graduates; I have had the pleasure of working with executives and practitioners who have come from a variety of backgrounds. Instead we’ve been talking about a ‘skills gap’ for so long, I wonder if it is ever going to be filled. 

For example there is an apparent global shortage of nearly four million cyber professionals, and a variety of sources claim 71 percent of organisations have unfilled cybersecurity positions. As this is the period of the year where students graduate, and there could be 900,000 undergraduates this year, is the bigger challenge in bridging the gap between academia and industry?

If those students are made more aware of career opportunities before graduation, is that a better way of ensuring a pipeline into cybersecurity?

Speaking to SC UK, Jenny Brinkley, director of AWS Security at Amazon Web Services says that as an industry as a whole, it's our responsibility to talk about all the different types of jobs that are available.

She says that by going into academia, it helps the universities and colleges understand the range of different kind of jobs, and AWS will also work with different professors at different universities “and have them actually do research for us and then work with different students to find out if there's any kind of attraction or interest.”

The Outside World

That sort of engagement is important, as it shows that there is a world outside of the university. Is it welcomed? Daniel Dresner, professor of cybersecurity at the University of Manchester, told SC UK that he invites companies to come in and present, as this an opportunity for students to meet people in the field and learn what the issues are.

In particular, Dresner names KPMG as “one of the greatest successes” as they participated in a module on designing secure architecture, and spent time testing the students, after which the students presented their work and were given a critique of their work.

Dresner also pointed at a former student who is in the team at KPMG, and this gives the students have an opportunity to make some meet and hear from someone closer to where they are, “and see where they can go and they hear what the expectations are.”

Dresner says that ”little real world experiences” help demonstrate the realities of business life, as well as the technicalities and socialities of cybersecurity, as he says there is an old adage of you're not training people for work, “but if we deliver people into job ready for work into the chair, that would be fine but you would have lost the training and the learning to learn.” 

To achieve this, “industry has to be prepared to do some of the work with people and to take care.” Dresner says that captains of Industry wanting a sausage machine in academia are asking for something unrealistic.”

Natural Curiosity

Brinkley says that commonly, people have a “mental model that security roles look like one thing, like you need to come from the intelligence community or you need to have a computer science degree or you need to come back from a law enforcement background.”

She admits that the majority of the people she works with have a variety of degrees, and she is more interested in people who have a “natural curiosity about how things work and how to protect people and systems and infrastructure.”

Brinkley says: “If you care about those things and you have this natural need to learn, security opens up so many different types of jobs. As an industry we've got to do a much better job of explaining that to young students about what's possible. So they don't have this this one mental model of what or one visual of what it means to have a job in security.”

Is that the sort of person that can be spotted whilst in academia? Dresner says that whatever the class, there are always students that are keeping abreast of the news and prepared to discuss current issues, and students who will ask questions about a project or if you recommend an event or webinar, and they attend.

“You see them at the extra curricular activities, and yes they still have all of their university work to do, they are not going to get any extra marks for attending these things, but they are going to get rewarded in later life,” he says.

Hiring Locally

Earlier this year, BlueVoyant opened its first UK security operations centre in Leeds. Doing something like that requires staff, and the company said that the proximity to around eight local universities was a good feeder of talent.

Hollie Mowatt, SOC manager at the Leeds centre for BlueVoyant, says that while recruiting, she admits that the best way to assess someone is by “sitting in front of someone and having that conversation”, and often people come to the cybersecurity industry “because people love the kind of excitement of it.”

Ultimately if someone is involved in outreach and community initiatives they may be improving their knowledge and personal skills, but Mowatt admits that it is not all about technical or soft skills - and while that shouldn't be underrated because they are important - she says it's the motivation and the hunger to learn, and continuously learn, that she looks for.

“You're never going to know everything in this field, it's impossible because it does changes so much, so it's a hunger to really get stuck in across a broad range of things,” she says.

So that is the element of what they look for, what about that concept of bridging the gap? Mowatt acknowledges her own background, saying she had built her way up in cybersecurity via “working on different sets of skills.”

“So for me, it's important to recognize the value of those skills in cybersecurity as well, because then you build more diverse teams if you recognize people,” Mowatt said. “People want to cross skill from risk and compliance or helpdesk. It's not just about ‘I've got a bachelor's in Science degree’, which is great, but it's about looking at it a little bit differently to consider critical thinking, everything that makes up a good analyst isn't just on a bit of paper.”

To truly bridge the gap, we need academia to welcome industry in, and we need industry to be prepared to work with academia too. It’s a mutual thing, and speaking as someone who graduated 25 years ago this year, a bit of guidance from a professional would have gone a long way.

It may not immediately solve the skills gap, but it could go some way to ensuring the next generation know that their first career step could be in cybersecurity.

Dan Raywood Senior Editor SC Media UK

Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.

Outside work, Dan enjoys supporting Tottenham Hotspur, managing mischievous cats, and sampling craft beers.