Muhammad Yahya Patel (Mo) is a highly acclaimed Security Engineer and member of the Check Point Office of the CTO. Mo has over 10 years of experience in cyber security, ISP field & operations and ICT. Before joining Check Point, he worked as a Security Consultant designing and implementing security solutions for private and public sector organisations including the UK’s National Health Service. He is a trusted advisor amongst some of the UK’s top VARs and works closely with C-levels on strategy and security challenges.
In this outstanding interview, expert Muhammad Yahya Patel shares perspectives about closing the cyber security talent gap, retaining talent, and training the next generation of cyber security professionals.
The topic of cyber security skills is becoming widely discussed among the industry and within many organizations; including government groups. Can you share insights around this?
The timing of this interview is perfect because the UK government department DCMS just released their 2022 report, Cyber Security Skills in the UK Labour Market.
In this report, we find that the average number of vacancies per business has increased. If we take a look at cyber security businesses that contribute to a large portion of the hires in the industry, since 2020, more than half of these businesses have tried to recruit people into cyber roles. We are seeing an increasing trend where cyber vacancies prove difficult to fill. The common denominator amongst candidates is lack of knowledge and skills. It’s also difficult to fill positions when there is a high demand for candidates, as this drives competitive behavior between businesses when it comes to attracting the right talent.
The cyber security skills gap continues to be a hot topic, as the impact is huge. We’re no longer talking about basic IT functions, as the threats we face today are vastly different from those of just a few years ago. The report finds that private sector businesses identified a 51% skills gap for basic technical cyber security needs. This means that people already hired or being hired do not have the ability to perform the basic cyber security tasks. 33% of businesses identified a skills gap in the more focused or advanced areas of cyber security.
As we see the evolution and increase of cyber attacks, both skills shortages and skills gaps will continue to be an important talking point for the cyber security sector and for those outside of the industry.
Given the shortage of cyber security professionals, how are we growing the next generation of talent?
The UK Higher Education sector has responded to this shortage by expanding the courses being offered to students. It’s really positive to see dedicated cyber security courses and the addition of modules into both technical and non-technical courses.
To help the shortage of professionals we really need the next generation to have validated knowledge and skills; the NCSC- certified degrees offer that quality control check for people coming into the industry. Cyber security degree apprenticeships offer an alternative path into the industry and exciting opportunity that’s debt-free, provides hands-on experience, plus a salary. The apprenticeship route resonates well with me because that’s how I started my career path. Although it was more of a generic IT apprenticeship, I highly recommend taking this path and now that we have more specialisms and diverse courses, it helps younger people focus on their chosen career paths.
Access to free and paid resources through online self-learning platforms is now the norm for studying and hands-on practical labs. This means learning is much more accessible and affordable than previously, not to mention that contemporary students also maintain the option of learning at their own pace and schedule. This offers the next generation flexibility, but also learning on-the-go, so they aren’t restricted to classroom learning.
Tell us about current initiatives to engage high school students in cyber security issues?
In the UK, the NCSC started a program called CyberFirst aimed at students aged 11-17. It’s a programme designed to introduce the world of cyber security to students through free courses, competitions and funds for other projects. This program really gets the students in the mindset of performing different cyber security tasks such as digital forensics, cryptography, data interpretation, cyber defence, cyber attack protections and much more.
The UK government also created the Cyber Explorers platform, which can be used as part of curriculum delivery to teach students the essential digital skills across different areas. It’s a fun way to engage and develop students through challenges and quizzes.
Cyber Discovery is another programme targeting students aged 14-17. This is a free and accessible platform through which students can do their own learning and progress through the different stages of the programme in the same way that students may choose to do an extracurricular activity. This could absolutely be an activity that will gradually enhance and build skills whilst providing some real insight into the world of cyber.
More broadly, how can decision-makers apply creativity to recruitment?
I think that decision makers need to look at their current recruitment methods and whether or not they are adopting the friendliest and most direct approach. By this, I mean the social media approach, such as the likes of LinkedIn, which can actually give valuable data on a given candidate before an interview.
We’re still seeing businesses putting a lot emphasis on certifications and years of experience. Whilst both play a role, depending on the nature of the vacancy, it’s not the most important thing when advertising a position. Hiring managers really should spend some time with existing professionals to validate their job specifications. Hiring managers should explore questions like; ‘Do we still need certificate x for this role?’ Because a certificate doesn’t display competency and was only valid at the time the exam was passed. This brings a different level of creativity to recruitment.
How would you like to see CISOs approach learning and upskilling for existing professionals in the field?
I would like to see CISOs approach their existing teams and openly tell them it’s okay to invest time into training. A lot professionals in the field often feel pressured in terms of how their time should be divided. Even when attending external formal training courses, some businesses will want individuals to do some level of activity in relation to their normal role. How can these professionals focus on learning and upskilling if they feel the need to continue to perform their day job?
CISOs also need to look at the type of training available in the market. It’s not always a formal course for 3 days and that’s it. Sometimes, it’s on-the-job training or informal training, attending conferences…etc. There are many forms of training and learning and one size does not fit all. The conversations I’ve had with professionals suggest that they are the happiest when their training development plan incorporates a true personal goal, which becomes a win-win situation.
Lastly, to receive more cutting-edge cyber security news, best practices and analyses, please sign up for the CyberTalk.org newsletter.