Skills shortage threatening UK cybersecurity 'could last for 20 years'

Summary: A report into the UK's Cyber Security Strategy has found that a lack of workers with the right security skills is making it difficult for the country to defend itself online.


The UK's ability to defend itself online could be compromised by an ongoing IT security skills shortage that could last for decades.

In a report (PDF) into the UK government's progress in delivering its Cyber Security Strategy, the National Audit Office names "addressing the UK's current and future ICT and cybersecurity skills gap" as a "key challenge".

The strategy, launched in 2011 with a £650m budget, detailed the government's plans to help businesses and individuals use the internet safely, protect organisations doing business online, protect the UK's infrastructure from online attack, and strengthen the UK's cyberdefence capabilities.

However, in order to meet its objectives, the UK will need to address the question of a shortage of workers with relevant skills, both within IT and elsewhere. "According to the government, the number of ICT and cybersecurity professionals in the UK has not increased in line with the growth of the internet. This shortage of ICT skills hampers the UK's ability to protect itself in cyberspace and promote the use of the internet both now and in the future," the report, published on Tuesday, says.

"Interviews with government, academia and business representatives confirmed that the UK lacks technical skills and that the current pipeline of graduates and practitioners would not meet demand," it adds.

Skills gap

The NAO highlights the ongoing drop in IT student numbers — between 2003 and 2010, the number of students taking computer science at university in the UK fell by 27 percent (PDF) — as well as the public sector's difficulties in attracting the best talent in the face of competition from private companies.

"Those we interviewed from academia considered that it could take up to 20 years to address the skills gap at all levels of education," the report said. "The government is working to address this and has said that it intends to overhaul ICT teaching in schools to make it genuinely about computer science rather than office skills. It expects cybersecurity to be a strong strand of the future GCSE computer science syllabus."

As well as IT workers, the report says that the UK is in need of psychologists, law enforcers, corporate strategists and risk managers to help draft cybersecurity policy and "other professionals such as lawyers and accountants" to aid businesses in identifying and tackling the risks posed by online threats.

Other challenges facing the Cyber Security Strategy include making sure end users are not the weakest link in the security chain, and the government's ability to determine the strategy's value for money.

"The NAO recognises, in particular, that there are some challenges in establishing the value for money of the cybersecurity strategy. There is the conceptual problem that, if cyberattacks do not occur, it will be difficult to establish the extent to which that was down to the success of the strategy. There is also the challenge of determining the relative contribution to overall success or otherwise of different components of the strategy. And there is the challenge of assigning a value to the overall outcome, to set against the cost of the strategy. The government has work underway to measure the benefits of the strategy," the NAO said.

  • In other words "We don't want to pay for something of such dubious value."

    At least, that's what the last paragraph seems to indicate. Same thing goes on here in the US all the time, so the most popular solution seems to be the H1B solution. Good luck with that. The band of sophomoric Mouseketeers running most of American companies' IT business are incapable of making any sort of judgement about any type of IT expenditures, so as they say, "When in doubt, cut it out!". I'm so glad I am no longer in the business, and having to listen to the ignorant bleatings of those morons.
  • Train 'em

    Recruit kids right out of high school, send them to college as CS majors with an emphasis on security and help them find jobs when they graduate.
    John L. Ries
    • Train them Yes, but much younger and at all levels!

      Train 'em at ALL levels starting now at all levels. Right out of high school is at least 10 years too late.
      Kids are on computers starting from preschool now. My 18 month old granddaughter knows how to turn on a smart phone, locate and play Sesame Street videos using her finger; my three year old grandson knows how to use the Nintendo Wii U, compose full sentences and paragraphs and play most of the educational games.
      So the proper approach is to integrate safe computing from the very first keystroke, as soon as there is an understanding that information comes from a place. Would you hand a sharp knife to a toddler? Of course not! The same approach must be used with computing.
      Teach that information is a commodity, that computers and information are tools, and information can be manipulated for good and bad purposes.
      Later in the education process when students begin to use social networking, teach simple safeguards, teach how to reduce vulnerabilities, how to detect exploits and protect against them.
      This needs to be propagated immediately to today's young engineers who are designing controls in Critical Infrastructure using a smart phone GUI with absolutely no security safeguards, creating serious vulnerabilities.

      Glenn Merrell, CAP
      ICS-ISAC Workforce Development Director
      Glenn Merrell, CAP
  • 20 years

    It only seems like it takes that long to read through CCSE.