The scale of the cyber security skills shortage is a reflection of the attacks businesses face, which continue to grow in ambition, sophistication and frequency.
Bletchley Park is back. The new National College of Cybersecurity planned for the home of World War Two code breakers such as Alan Turing is good news. Any investment in the UK’s defences against cyber risks has to be.
Set up by Qufaro, a new non-profit with representatives from Cyber Security Challenge UK, the National Museum of Computing and BT Security, it’s more evidence the industry and government are facing up to the challenges of skills shortages.
It also seems to be taking a smart approach – accepting the most gifted 16-19 year olds, selected through aptitude tests or on the basis of their technology skills rather than academic qualifications. As Qufaro’s (and the Institute of Information Security Professionals’) chairman Alastair MacWilson says, it should tap into critical talent we risk otherwise losing.
But it’s not enough. For businesses, particularly, the scale and immediacy of the challenge are such that not even a new generation of Bletchley code breakers can crack it alone.
For a start, the new college won’t take its first pupil until September 2018. That May, the EU’s General Data Protection Regulation will come into force. By the time Bletchley even opens its doors, businesses will already face fines up to €20 million or 4% of global revenue (whichever is higher) for data protection failures, as well as new obligations to notify authorities and customers of any breaches.
Under the GDPR, as others have calculated, Tesco Bank would face a fine of up to £1.9 billion for its recent breach of security. Today, the maximum fine the Information Commissioner’s Office can impose is £500,000.
Given the long latency period before many security failures are discovered, it’s entirely possible the first fines under the new regulatory regime will be for breaches that are happening now. Businesses can therefore hardly afford to wait for the new generation of code breakers to complete their training.
Added to that, no single college, nor even the whole Cyber Security Challenge initiative, can really hope to address the scale of the skills shortage. To look at just one aspect of the GDPR, again, the International Association of Privacy Professionals’ recent study suggests businesses worldwide need to hire at least 75,000 data protection officers (DPOs), as required by the regulations, in the next two years.
The 500-strong cohort of pupils that makes its way to the college in 2018 is a welcome contribution to the fight.