The importance of diversity in tackling the UK’s cyber-security skills crisis

Profile picture for user cmiddleton By Chris Middleton October 22, 2019
Summary:
Chris Middleton explores how the cyber-security sector should be looking to underrepresented groups to help bridge the UK’s cyber security skills gap.

An image of different people holding hands

A recent Westminister eForum conference on cyber-security zoomed in on the skills and actions necessary to create a more secure world with somewhat downbeat conclusions for the UK.

One organisation that is dedicated to closing the digital skills gap is the Institute of Coding, a £40 million initiative supported by the government (via the Office for Students), 60 universities (including the Open University), and a broad range of employers. Dr Chitra Balakrishna, its Programme Director of Cyber-Security, said that developing shared solutions to shared problems is essential.

There are two obstacles to achieving this. First, cyber-security has the lowest skill levels out of all technology subsets; and second, diversity is poor in the sector – a problem reflected by the eForum itself. The audience was overwhelmingly white, male, and middle-aged, keynote speakers were the same, with just a handful of expert women taking part in panel discussions.

The Institute for Coding is dedicated to broadening participation in technology professions for under-represented groups, such as women and ethnic minorities. Balakrishna said:

We want to create opportunities for early contact, removing any entry barriers to progression, especially for those poorly served by the industry.

The Institute focuses on improving skills and sector diversity among several key groups: university learners, in order to create employable, billable graduates; digital workers, training them on the job in areas of strategic importance via in-work and flexible learning models; and sectors that are engaged in digital transformation, with training offered face to face or online.

The aim is to create badged, open courses around established frameworks, backed by a blockchain-powered system of record. Sustainability is critically important too, with the organisation constantly horizon-scanning for new, essential skills. Balakrishna explained:

It’s not often you hear about nurses who are graduating not having the skills or competencies that are needed by their employers. Yet often we hear about cyber-security graduates not really meeting the industry’s demands.

 The current things we are offering should not only align with existing knowledge domains, but also with competencies and skills. The idea is not to create another academically defined framework for the industry, but to co-create with the industry a standard that focuses on the individual learner’s skill, competence, and employability.

Poor representation

Former paratrooper Kevin McLoughlin is Chief Technology Officer of social value specialists The Integrate Agency and co-founder of security platform provider, Padlock. Acknowledging the irony of being a middle-aged white man talking about diversity, he said that only seven percent of Europe's cyber-security workforce are women.

This contrasts with EPSRC figures shared at recent events suggesting that roughly 13 percent of professionals in UK STEM careers of any kind are female, with just 10 percent of employees coming from ethnic minorities. The message is stark: even in a tech industry that has shocking diversity statistics, cyber-security does badly.

But why is this important? One answer is that if you want to design robust systems that are used by all of society, then you need to involve all of society in their creation, management, and security in order to get the broadest possible perspective. Another is that jobs are going unfilled so the industry needs to bring more skilled individuals in, especially from areas where talent is untapped and people need well-paid work. A third is that all industries benefit from a diversity of voices – including the conference circuit. And a fourth is that digital technologies are supposed to help everyone in society equally.

Padlock is another of a new generation of organisations that is dedicated to transforming the security industry from within. Its LinkedIn page says: “We are leveraging the cyber-security skills crisis to close the gender and ethnicity gaps in the industry to provide cyber-security expertise.”

At the eForum, McLoughlin added:

There’s a lot of talent out there, but we are not looking in the right places.

Ninety percent of single-parent families are mother and child(ren) and 47% of children in such families grow up in poverty, he said. Providing interesting, flexible, high-paying work for women in these situations is something that Padlock aims to do, by creating a professional, on-demand team of security consultants to work in the gig economy. The training is free, so that there are no barriers to the flexible workforce acquiring up-to-date skills.

For Hugh Boyes, Principal Fellow in the Cyber Security Centre at the University of Warwick, and Cyber Security Lead at the Institution of Engineering and Technology, cyber-security is “like a hydra”. Acquire the skills to cut off one ‘head’ of cyber-crime and two grow in its place.

There is no single set of skills that can be used across every aspect of an industry that embraces security engineering, information management, security by design, cyber resilience, business continuity, disaster recovery, and more.

So how do we tackle cybersecurity, the skills gap, and the growing number of vacancies that apparently can’t be filled?

The government’s view

In an oddly low-key speech, Matthew Parsons, Head of Cyber-Security Skills and Professionalisation at the Department for Digital, Culture, Media, and Sport (DCMS), explained the UK’s cyber-security strategy is to create a national centre for computing education and a sustainable supply of homegrown professionals in the private and public sectors.

The government wants a nationally recognised career structure in place by 2021 and a code of ethics for the cyber-security profession. DCMS aims to support the creation of a structured and easy-to-navigate sector that is both sustainable and responsive to change, bringing coherence to an industry that is fragmented.

It plans to put training and education in place to develop previously untapped talent with the right skills for the digital economy. And it wants to create a public sector that leads by example – more on that below. However, being able to measure progress against such broad and ambitious aims is difficult, he acknowledged. That said, the intention is for the tech community to “have easy sight of progress”.

My take

One of the challenges of representing the government’s views on technology and security in 2019, is that political leaders often seem at odds with the aims of their own Industrial Strategy. This may be why Parsons – young, intelligent, articulate, and personable – almost sounded apologetic on the conference stage.

While the UK has published the bare bones of a modern, forward-looking Industrial Strategy – one backed by modest investment and targeted missions – much of what could have been an inspiring message to the public has been lost in the political uproar of Brexit.

The Industrial Strategy recognises grand challenges such as clean growth, caring for an ageing society, and future mobility, and sees technologies such as robotics, AI, and digital health as critical to the nation’s prosperity. That’s good news.

Yet far from portraying itself as modern, technology-centric administration with a bold vision of the future for the nation’s youth, its current leaders increasingly seem as though they are rebuilding the UK as a Downton Abbey theme park for ancient disaster capitalists. No wonder Parsons sounded depressed.

This isn’t a party-political point, it’s a problem of global perception. The public face of this government – reactionary, bumbling, dated, comedic – runs counter to the positive aims of the Industrial Strategy and to the excellent work that organisations such as DCMS, the Office for AI, Innovate UK, and UKRI are doing to highlight UK technology innovation.

For the UK to maintain a credible position as a world leader in cyber- security is at least partly reliant on whether the country is seen as a safe place to do business and carry out research – including for women and minorities.