How the UK Cyber Security Council Careers Route Map addresses workforce shortages

The UK Cyber Security Council is the self-regulatory body for the UK’s cybersecurity profession. It develops, promotes and stewards standards for cybersecurity in support of the UK Government’s national cybersecurity strategy. A key component of these aims is supporting cyber education, skills and career pathways in the UK.

As such, the Council recently launched its Careers Route Map—a free resource that helps jobseekers enter and succeed in cybersecurity roles. It details 16 cybersecurity specialisms and suggests pathways through and between them, along with providing information on important job-related factors. The specialisms include roles in areas such as incident response, threat intelligence, security testing, audit and assurance, and identity and access management.

Speaking to CSO, the Council’s newly appointed CEO Simon Hepburn explains that, whilst the Careers Route Map is primarily aimed at supporting job seekers, it provides key benefits for hiring organisations, security leaders, and the sector in general amid ongoing cybersecurity workforce shortages.

Why has the Council created the Careers Route Map?

It was important for the Council to identify career pathways to support the longer-term development of the profession. By identifying the pathways as they are seen today allows us to recognise areas of development. The profession needs to adapt and change, and for us to do this we need to understand what the profession looks like today to develop a better future for those looking to enter the profession.

How does the Careers Route Map help attract and support newcomers to cybersecurity?

It reminds us that there is more to filling our cyber gaps than attracting new people. We need to try harder than ever not just to attract talent but to engage it, develop it, and retain it. Most companies forget everything but the attract stage. Just as we have to consider the whole lifetime of new systems we implement or procure, we need to apply those principles to our people as well. If we don’t engage and develop our people, they’ll simply leave and go to a company that will engage and develop them.

What impact can this have on tackling cybersecurity workforce shortages?

The map helps address current cybersecurity workforce shortages because it exists to help standardise job roles in the industry. For example, each specialism contains information on the typical responsibilities and tasks, the skills and knowledge required, and information on useful prior experience for those hoping to enter each specialism from outside cybersecurity. It also includes a list of common job titles and average salary ranges, which will help potential employers when it comes to recruiting cybersecurity staff.

What benefits does the map provide organisations in finding and recruiting cybersecurity talent?

It helps by looking outside pure cyber and attracting people who might have good soft skills including communication, marketing, reporting, and logical deduction. Individuals with such skills can be invaluable to modern cybersecurity roles even if they’re not pure cyber people, and by broadening the pipeline in this way, organisations and security leaders have more talent to consider, hire, and train.

How can organisations best retain security talent once they have it?

Treat them sensibly and make sure we look after the end-to-end scenario, from initial attraction right through to retention—even keeping in touch with those who do leave, as there’s always a chance of retrieval. Cyber people need to be kept interested, and they need their skills to be kept up to date. These are not easy for us as employers to deal with but they make all the difference. Cybersecurity professionals need to be treated and respected for the critical role they fill. The work of the profession is often ignored and considered a cost centre as opposed to the classic areas seen as investment to gain a return. Poor cybersecurity will have significant impact on a company’s bottom line, and it is important for C-suite professionals to realise the role of the cybersecurity professional and acknowledge its importance in the profitability of a company.