Critical response: a forecast for cybersecurity in HE
What does the current cybersecurity landscape look like?
The UK’s cybersecurity industry is currently worth around €8.3bn. According to the DCMS’ UK Cybersecurity Sectoral Analysis 2020, the number of active cybersecurity firms in the country has increased by 44% in the last two years, with 846 firms reported in 2017, to over 1,200 in 2019.
IBM’s 2019 Cost of a Data Breach report also reveals that the global average cost of a data breach is US$3.29m. This equates to around US$150 per lost record, with the average size of a data breach being 25,575 records. The report also demonstrates that “the costs of a data breach can be felt for years after the incident”. These costs, known as ‘long tail costs’, span across sectors, with education being a key target. The National Cyber Security Centre (NCSC) reported in 2019 that, “cyber crime will probably present the most evident and disruptive difficulties for universities.”
And the sector will only continue to grow, predicts Sian John, chief security advisor at Microsoft UK. She told ET: “In the next decade, as governments and organisations expand cybersecurity strategies to protect critical infrastructures, the demand for cybersecurity careers will certainly increase. Today’s leaders are realising that a knowledgeable, sophisticated cybersecurity workforce is essential, both now and in the future.”
It is little surprise then, that this booming sector is one that can offer numerous employment opportunities to students today. But in an industry that’s growing so quickly, how is higher education keeping up?
Cybersecurity in HE
The NCSC has a number of certified cybersecurity degrees, a list that has been growing since it was first published in 2017. As of the time of writing, there are 18 fully certified MSc programmes, a further nine provisionally certified MSc programmes, eight provisionally certified bachelor’s or integrated master’s programmes, and one fully certified bachelor’s.
Clare Johnson, head of cybersecurity at the University of South Wales, reports a “rapid increase” in the university’s BSc Applied Cyber Security course, “which has gone from 18 students in 2017, to 40 students in 2018, and 60 students in 2019”. This increase is in contrast to a general decline in applications across many other subject areas at the university, Johnson told ET.
You might also like: Using tech to save the planet
As well as a number of cybersecurity degrees – including many additional courses not certified by the NCSC – there are also numerous extracurricular activities that are aimed at developing cybersecurity skills. One such event is Cyber Security Challenge UK, which states a mission to “ensure a thriving and inclusive pipeline of talent into the cybersecurity industry”. The initiative was established in 2010, and runs a series of national events including competitions, networking and learning programmes “designed to inspire and enable more people from diverse backgrounds to become cybersecurity professionals”. As part of the initiative, Cyber Security Challenge UK works with universities to “humanise and demystify the cybersecurity industry” through networking events, careers advice and training camps. Students are able to meet prospective employers and get to know how the industry really works.
However, despite this increase in focus, there is still a significant skills gap, with the (ISC) Cybersecurity Workforce Study reporting that the global cybersecurity workforce needs to grow by 145% to meet industry demand. There are also specific gaps in knowledge, says John, commenting that “we still need an increased focus on cloud, mobility and security architecture as part of these traditional degrees to really prepare students for the rapidly changing technology landscape”.
What skills will students need to succeed?
There will be increasing focus on soft skills as cybersecurity roles “become even more essential to the day-to-day running and protection of organisations,” says John. She adds that whilst there will be “a continuation of the technical cybersecurity careers that exist currently”, in 2030 there will also be a growth in less technical roles such as legal and policy, psychology, and security architecture.
However, Johnson adds, since technology moves so quickly, it’s difficult to pinpoint the exact skills required of the cybersecurity workforce in 2030. She says: “What is clear is that businesses both large and small will recognise that they are facing increasingly complex security challenges, and they will need to demonstrate that they are managing these challenges appropriately.”
John Chapman, head of the security operations centre at digital solutions non-profit Jisc, agrees that the rate of change is a key factor in the inability to exactly predict the future of cybersecurity. However, the fact that attackers continue to develop new tools means that there will likely be a continuation of certain roles, adds Chapman. He says: “I would strongly suspect that there will still be a need for incident responders, threat intelligence analysts, security architects, penetration testers and digital forensics specialists, but the tools and techniques will all have evolved.”
In fact, these techniques are already evolving, with IBM utilising artificial intelligence to address cybersecurity threats. IBM Security vice president of strategy and design, Kevin Skapinetz, says that the company is “leveraging AI and advanced analytics to not be programmed around a threat, and have a pattern, but be able to change and alternate how they understand what’s good and what’s bad and to formulate that on the fly”.
‘Security is everyone’s responsibility’
But employability is not the only desirable outcome of cybersecurity training, says John. There is also an onus on education to “ensure the next generation of the workforce understand the threats that may come from the use of technology, and ensure that we are building and using it responsibly for the benefit of society”.
Johnson agrees that in our “highly digital world”, cybersecurity is an issue that has moved far beyond the tech industry: “Our children need to understand the risks of communicating online at the simplest level, and our national security and day to day functions depend on robust and reliable systems, that don’t collapse when under cyber attack.” Johnson also cites recent national cyber-attack WannaCry as an example of how cybersecurity is a concern for every citizen. She says: “The effect that WannaCry had on the NHS is a clear example of the impact such attacks can have on the things we take for granted.”
At the end of the day, “security is everyone’s responsibility,” says Chapman. This means that no matter what your desired job is, there is a chance you will require some kind of cybersecurity knowledge: “If you want to be a computer programmer, then you need to know how to code securely; if you want to be a doctor, you need to know how to look after patient data security; if you run your own business, you need to be able to look after your staff, customers and their data.”
Ultimately, a “very diverse range of skills” is required within the sector, says Johnson. “Academics contribute to the knowledge base and research, whilst hand-on practical people can have a very direct impact on the way we approach the challenges. Thinkers, doers, facilitators and communicators all have a place.”
What is clear is that cybersecurity training will only continue to grow, and its impact continue to spread.