Chris Ensor, GCHQ, discusses the IT skills gap and the organisation’s new CyberFirst strategy, designed to support GCHQ and the UK’s future national security needs in cyberspace.

We keep hearing about the ‘cyber skills gap’ - what’s GCHQ’s take on the situation?

The barriers to carrying out a cyber-attack are coming right down, and so the task of the attacker is becoming simpler and the task of the defender is becoming harder.

All of this is reflected in the cyber breaches that we see reported with increasing frequency and increasing severity. In the summer of 2014, GCHQ dealt with, on average, 100 cyber national security incidents per month. By the summer of 2015, the figure was 200 a month. Each of these attacks damages companies, their customers, and the public’s trust in our collective ability to keep their data and privacy safe.

Maintaining public confidence in the myriad of services delivered in cyberspace is a key challenge; if we lose that public trust, then the significant strides we have made in creating a digital society in the UK are at risk of failure. Imagine a society where you are unable to order any goods online, book flights or pay bills. It’s a stark message and that’s why there is an urgent need for more people with the cyber skills that we need.

This year’s Global Information Security Workforce Study estimates that the global cyber security workforce shortage will widen to 1.5 million by 2020. If we do not act decisively, the skills gap will grow, and limit everything we wish to achieve in cyberspace.

So what is GCHQ doing to help fill the cyber skills gap?

Well first of all, there is no quick fix to this. GCHQ on its own can’t do all the heavy lifting but it can act as a catalyst for a change in approach and develop UK initiatives that both public and private sector organisations can join.

Over the last five years, we have been supporting DCMS in delivering the skills, knowledge and capability objective of the National Cyber Security Programme. Part of this has involved supporting initiatives in education which help drive up the cyber skills of young people. GCHQ has had specific responsibility for delivering the criteria for a GCHQ Certified Master’s degree in Cyber Security. To date, 10 universities have met the rigorous standard and are delivering 12 GCHQ Certified Master’s degrees in General Cyber Security.

CyberFirst is GCHQ’s latest initiative which began life in 2015 as a GCHQ student bursary designed specifically to identify and nurture exceptional young talent from the broadest range of backgrounds to support GCHQ and the UK’s future national security needs in cyberspace. Talented individuals are offered sponsorship to study a relevant undergraduate degree; working activities during summer holidays; and (providing they continue to meet the CyberFirst requirements), the opportunity to work in national security upon graduation.

So how has this gone?

In the first year, CyberFirst awarded 19 student bursaries, with each student receiving £4k/annum for the duration of their undergraduate studies (three or four years). The students were identified through their success in existing national competitions such as the Cyber Security Challenge and National Cipher Challenge, and through outstanding performance at one of GCHQ’s summer schools.

Only 19 students - that’s not many so what else are you planning?

You are absolutely right - the first 19 students were part of an initial pilot to test the process and we have been really encouraged by the initial results. Only recently, the Minister for the Cabinet Office announced plans for an ambitious expansion to CyberFirst, with the aim of having up to 1,000 students in receipt of a bursary by 2020.

In order to build a sufficiently large and diverse pool of talented and motivated students from as wide a demographic as possible, CyberFirst will begin to identify talent at an earlier age. For example, there are far too few girls taking up a career in cyber and so CyberFirst will be offering girls-only activities in order to cater for gender, ethnic or religious sensitivities. There will also be a real focus on CyberFirst Summer Residentials for students in Years 12 and 13 (AS and A-level students) and CyberFirst will continue to work closely with existing initiatives including the Cyber Security Challenge Schools Programme and the new schools initiative announced by the Chancellor in November 2015.

In 2016, we will see an additional 100 students in receipt of a CyberFirst Student Bursary, which presents an opportunity for private sector companies to join the CyberFirst community and become involved in identifying and nurturing future UK talent and raising the awareness of exciting careers in cyber from an earlier age.

You mentioned the opportunity for private sector companies to get involved with CyberFirst - how do they go about this?

We want CyberFirst to become a public/private partnership that will create a future talent pool from which the UK can benefit - it’s not just a recruitment process for GCHQ - it’s wider and more inclusive. In the first instance, private sector organisations working in an area of national security or critical national infrastructure are welcome to join the partnership.

Membership initially involves a commitment to sponsor and nurture a minimum number of students through education and into their first job. The commitment will be based upon the size of an organisation. Year one will be the start of the education year, September 2016, and initial membership will last three years. Members will pledge to meet certain criteria which support a student over the three (or four) year period.

As the scheme grows there will be further opportunities to sponsor CyberFirst Residentials and Cyber First Challenges, which aim to identify talent between 14-18 year olds - either through financial or technical support.

Is it just student sponsorship you are after?

A CyberFirst Bursary to support students through their undergraduate studies is certainly welcome. But becoming a member of CyberFirst also entails a commitment to help students develop their skills and their potential in order for them to succeed within a career in cyber.

It’s about nurturing and mentoring young cyber talent and members will be expected to provide students with work experience during holidays and offering a position of employment once the students have graduated, provided they meet the company recruitment standards.

Who do I talk to if my company is interested in becoming a member of CyberFirst?

In the first instance, companies should send an expression of interest to Cyber-First-Project@GCHQ.GSI.GOV.UK