Upskilling existing staff could be key to narrowing the cyber skills gap, according to the CISO of the Ministry of Defence (MoD). Major Andrew McGrane says his team has been able to set up testing environments to assess staff, giving them “a safe space where they can fail” as they build their knowledge of cybersecurity.


McGrane was speaking at the Infosec Europe conference in London this week on a panel entitled The Achilles Heel of the Cybersecurity Industry – Cyber Talent Management and Focussing on the Human Deal.

MoD CISO on narrowing the cyber skills gap with internal talent

Both public and private sector organisations are battling to secure the services of a limited pool of cybersecurity talent, and demand is increasing all the time. The world needs 3.4 million cybersecurity experts to support today’s global economy, according to a report released last month by the World Economic Forum.

McGrane said the MoD is addressing this problem by trying to identify potential cybersecurity stars within its ranks. It has set up test beds to allow staff to assess their aptitude for cybersecurity. “What we’ve done is to set up a training environment which then gives the opportunity to bring the less experienced workforce into new positions, where they can be tested in a safe environment,” McGrane explained.

Once the staff have been tested in this environment, they can be assessed for key strengths and areas for improvement, mapping out an “upskilling plan” to develop their cybersecurity skills, McGrane said.

How to retrain as a cybersecurity professional

Both (ISC)², a non-profit membership association for cybersecurity leaders, and the Chartered Institute of Information Security offer courses and exams that help employees develop their cybersecurity skills and change their role within a company.

What is often not realised is how much potential for cybersecurity talent there is within a qualified workforce, said Amanda Finch, CEO of the Chartered Institute of Information Security. “You’ll have a team that is made up of somebody with a geography degree, an IT degree, or a philosophy degree, and because they haven’t been exposed to security or technology beforehand, they don’t actually realise they’ve got an aptitude for it,” she said.

Providing a chance to requalify can encourage staff to stay in an organisation, argued Jules Gascoigne, CISO at Transport for London. He said it’s important to set up a continuous training and development programme so that a cyber talent pipeline can be established, as staff who have retrained are likely to get other opportunities elsewhere.

“The reality is, [cybersecurity] is a really hot industry,” he added.
