Infosecurity Europe
4-6 June 2024
ExCeL London

Keeping it Professional: Modernising the Cybersecurity Workforce

CIISec’s Amanda Finch tells Infosecurity Europe about efforts to update and modernise career pathways in cybersecurity

Cybersecurity remains a relatively young industry despite its growing importance. Amid the widening cyber skills gap, there is a growing recognition of the need to make the sector more appealing to prospective candidates, offering clear career pathways and specialisms.

A range of accreditation bodies, such as ISACA, ISC2 and the Chartered Institute of Information Security (CIISec), are heavily involved in this process, ultimately bringing cybersecurity in line with established professions like law and accountancy.

Infosecurity spoke to CIISec’s CEO, Amanda Finch, during the CIISec LIVE 2023 event in Manchester to find out more about the organisation’s work in this area. We also discuss how to attract and retain talent in the industry moving forward.

Infosecurity Europe: CIISec is working with the UK Cyber Security Council on creating chartered cybersecurity practitioners. How important is this effort to professionalise the industry, and what do you hope the long-term impact will be?

Amanda Finch: It’s been something we’ve been keen to promote for a long time and as an organisation we were granted Royal Charter status back in 2019. But we really wanted to go to the next stage, which is to charter security professionals.

This is important because chartering is something that people understand as a benchmark, so it puts the profession on the map.

It’s essential that you have people you can trust to do the job. We’ve put a lot of work in with the UK Cyber Security Council because the Council holds the rights to license organisations to charter. We are the first organisation to get the ability to charter and we work with them on three specialisms: Cyber Security Governance & Risk Management, Secure System Architecture & Design, and Cyber Security Audit & Assurance.

We’re very keen to ensure that we develop something that’s most appropriate for the community.

IE: Do you have plans to work on other specialisms?

AF: Yes, because of the nature of CIISec, we cover pretty much all the disciplines that the Cyber Security Council will be wanting to charter against. We haven’t gone in for security testing because Cyber Scheme are doing that. But as they come along, we’ll take a look. I imagine we’ll be doing most of them.

There are currently 16 specialisms – they’re all up for discussion at the moment because there are probably too many and some may actually be amalgamated. And we want to enable people to move from one specialism to another, because people change course.

IE: What are the biggest reasons security professionals change roles? What can organizations do to retain cyber talent?

AF: We did our state of the profession survey for 2022-23, and one of the things that we asked about was career development – why people stay in jobs, why people leave. Obviously, money is important and it’s probably more critical now because of the economic situation.

But very close on the heels of that is the opportunity to progress. If people feel like they’re able to progress and have a good working environment and got interesting work, they’re more likely to stay with you.

The main factors for leaving were toxic environments, bad management, continual boring work, as well as the burnout aspect.

That’s a worry because we’ve got a large proportion of people who are working over 55 hours a week which puts them into the danger zone.

Therefore, you need to develop teams, and we’re trying to advocate that there are a lot of transferable skills like problem solving, analytical and communication skills. Many of those can be taken from other parts of the business. If people can move into something and they see themselves being developed, that’s often why they stay.

IE: How important is using inclusive language to attract diverse talent into cybersecurity? What advice do you have for security leaders to ensure this is included in job descriptions?

AF: One of the problems you see with a lot of recruiters is unicorn jobs, where we’re asking for too much. That tends to put people off and the people who it’s most going to put off are diverse communities.

Women for example will not apply for something if they don’t fulfil 80% of the job requirement, whereas men often will say, ‘I’ll have a go at that.’

Similarly, if you’re from a background that’s not wealthy, and you haven’t got much confidence, you’re less likely to go for something because you’ll just see lots of barriers. The language is important because diversity makes stronger teams, and we need people from lots of different backgrounds and skills.

We run an Extended Project Qualification (EPQ) with schools. When we took it on a couple of years ago, the numbers were very low and we saw that the schools didn’t really understand it. They didn’t have much money so couldn’t pay for it unless they were an independent or grammar school.

We’ve gone out and said we understand cyber. All the content is online, you just need to understand how to mark them. We’ll handle the projects and schools don’t need to pay a penny.

IE: What are the most effective approaches organizations can use to reach a broader range of candidates to fill cybersecurity jobs?

AF: With the EPQ we’ve been targeting inner city communities. That’s been effective.

Another effective approach is apprenticeships because candidates get to work and earn at the same time. There are organisations that are building links with schools to take people in and the Northwest of England is doing a lot with cybersecurity.

Really, there needs to be a partnership between industry and education so that we’re getting interest to learn from the beginning and people can see jobs.

Additionally, with AI coming along, there’s going to be a lot of jobs where you don’t need as many people. Potentially, where organisations are restructuring, they can migrate some of those people into security roles, because they know the business, which is critical for security, and they’ve got transferable skills in areas like project management.

IE: What role would you like to see security teams play in educating colleagues about the dangers of AI?

AF: This is where the whole communications skill will come in. What we’re going to be seeing with AI is that attacks are going to be far more targeted. It’s not going to be the Nigerian prince asking you to send money, you’ll be seeing the attacks more tailored so they’re harder to spot. We have to enable the workforce to see these more easily.

The National Cyber Security Centre (NCSC) recently spoke about this regarding the elections coming up in the UK and US, with the concern over the impact of deepfakes. Within the organisation you need to make people understand how much the world is changing and how to protect themselves, which in turn will protect the company.
