Richard Cornell CISSP CISM CITP MBCS MCIIS, Digital End Point Assessor at BCS, explores the best time for a company to take on an apprentice in cybersecurity, whether any particular business conditions or thresholds are required - and why it’s worth the effort.

Like any new and relatively inexperienced member of the team, an apprentice needs a certain amount of support to be productive and to grow into an independent contributor who can take on responsibility.

The key to this is a mentor who can provide time and expertise and act as a role model. The organisation for which the apprentice works doesn’t have to be large and clearly structured, but it does have to have the capacity and desire to develop new talent. Having established processes and clear professional development plans will help, but it’s not essential that these are in place already.

Within any business function, there needs to be clear leadership to ensure the apprentice is tasked with appropriate work in an environment where they can succeed. Having a supportive and collaborative culture will enable the apprentice to learn quickly and to make their mark.

To succeed as a cyber security apprentice, there must be opportunities to demonstrate the prescribed competencies in real work situations. If it is not immediately apparent how this will be achieved, consideration of how the business is developing and which teams the apprentice can spend time with will be important.

‘Being an apprentice in a small and rapidly growing business can be a great start to someone’s career and a chance to develop quickly - if they have the right qualities to take advantage of the situation.’

How can an organisation best identify which particular apprenticeship is best for them?

Cyber security apprenticeships are currently available at level four (equivalent to foundation degree) and level six (as a cyber security technical professional integrated degree), but there is also a level three (equivalent to ‘A’ level), which launched this year.

There are two level four cyber apprenticeship standards at the moment: cyber intrusion analyst and cyber security technologist. The latter is the most popular route and is further split into two options: a more technical option and a risk analysis option. Later this year, these level four standards will be merged into one with three options.

The cyber intrusion analyst route (soon to become the cyber defender and responder option) is aimed at security operations and is typically chosen by those who are working in a security operations centre (SOC). The main competencies look at data collection and analysis, understanding alerts and incident response, whereas the risk analyst option is aimed at those working in a governance, risk and compliance environment, with a focus on risk assessment and user awareness.

The technologist route is more general and covers roles with a more hands-on element; it includes security architecture as well as selecting, designing and implementing technical controls.

The role the apprentice will have in the organisation will dictate which standard and which option is best. The type of real-world tasks the apprentice will be required to perform and the additional opportunities they will need to gain experience in other areas must be carefully considered.

‘It’s not uncommon for large organisations to take on several apprentices at the same time, or to have overlapping cohorts. Having an apprentice that is halfway through their two-year training programme mentor a new starter offers great experience for the former and vital support for the latter. It’s also helpful to the apprentices to have a colleague at the same stage of the process so they can support each other.’

The number of apprentices will be dependent on the organisation’s ability to provide a real job for each and an adequate mentoring resource. The balance of apprentices to experienced staff needs to be considered, along with the type of work that needs to be done. Can most of the work be done with inexperienced staff with a small number of experienced people to guide them, or is it more demanding, so only one apprentice can be accommodated in the team?

What kind of experience and what kind of candidate makes a good cyber fit?

Having a good grounding in general IT is probably essential, but this could have been gained informally. Becoming a proficient cyber security professional in two years is challenging enough, but if the apprentice doesn’t know about basic networking and client-server interactions, it’s going to be tough.

Some of the best cyber security apprentices have been graduates from other non-related disciplines, or more mature candidates who understand how businesses operate. As with anything, having the right attitude is the most important attribute along with attention to detail, problem solving and a degree of creative thinking.

There is one group of individuals who are often very well suited to a career in cyber security and that is the neurodiverse. The traits of someone on the autistic spectrum, like Asperger’s Syndrome, for example, can include attention to detail, ability to spot patterns others can’t see, ethical views, loyalty and dedication to the task in hand. These individuals can produce outstanding cyber security professionals, given the right environment and support.

How much day-to-day management is involved with cyber-apprenticeships?

‘The amount of direct support an apprentice will need will quickly reduce as they adapt to the workplace and gain enough knowledge to perform useful activities. Care should be taken not to give apprentices menial jobs that do not provide any scope or opportunity to learn new skills. They are not only there to make the tea!’

The amount of job-specific expertise will develop over time through the training provided, but another good way to start is to give the apprentice time to work with different teams, so they get to see the whole picture and can build relationships. Shadowing more experienced members of staff is only one way to learn - actually doing the job with the right level of support is far more valuable.

If the apprentice is in a relatively small team, time spent ensuring they can be productive with specific tasks is less of a strain on others and is more beneficial to the whole organisation. Once they have mastered a task, they can be shown another and gradually build up confidence and versatility.

Are apprenticeship schemes largely led by HR, the business function or a wider collaboration?

The impetus to have an apprentice often comes from the HR department, as they will have visibility of the levy they are paying and they will want to get the best value for money. The last thing anyone wants is to forfeit the money to HMRC at the end of the year.

The HR department will have an idea of the optimum number of apprentices they should have in the business, so it will be up to each department to put forward their case. It might be prudent for the head of cyber security to be thinking about this and talking to HR about why they might need an apprentice. Examples such as difficulty in recruiting qualified staff and the cost of salaries, together with the rise in corporate risk, should do the trick.

The relationship with HR will also be important in the recruitment stage, as an advert for a position in a high-profile organisation for a role in cyber security, which doesn’t demand existing industry-specific qualifications, will attract a lot of applicants. Once the apprentice is on board, there will be a degree of liaising with the training provider and professional development planning.

As well as the usual company inductions, there will be job-specific training to organise and not all of it will be provided by the course the apprentice is on. If there are apprentices in different parts of the business, it’s a good idea to get them all together from time to time so they can form a support group and develop those all-important networks.

What’s the best way to figure out which tasks and materials a cyber-apprentice should have?

The apprenticeship will require 20% off-the-job training time. Some of this will be structured training at the training provider’s venue and some will be time for the apprentice to do their own study, research and report writing.

The training provider will provide generic IT and cyber security courses and associated materials to ensure the apprentices have the underpinning knowledge required to pass the associated knowledge module exams. These exams will cover cyber security basics, networking, vulnerabilities and threats, risk assessments, security controls design and selection, basic cryptography, security standards, business processes, ethics and legislation.

Training providers are competing with each other and so will often provide added value training and certification options like CompTIA. Any training required for specific technologies and vendors will have to be organised by the employer.

The training provider will also provide a learning mentor for the apprentice, so it’s worth shopping around to see how much time and support they will offer the apprentice over the whole course duration. As always, the experience of others who have already been through the process is the best place to start.

How can security teams ensure that cybersecurity receives a portion of the apprenticeship levy?

The business case for apprentices is a no-brainer. In cyber security, there is a shortage of suitably qualified and experienced candidates, which is driving up salaries. For many organisations, this has been partly solved by cross-training and developing their own staff from other disciplines. This can be a fast-track way of creating excellent cyber security staff from experienced, business-savvy professionals; however, it’s not as cost-effective as developing new starters to the profession.

‘All businesses need to invest in the next generation of cyber security staff as the current pool is far too small to meet everybody’s needs.’

Advice for CISOs considering running their own cybersecurity apprenticeship

Cyber security teams are made up of individuals with different skills and experiences who work together towards the common goal of reducing risk and enabling the business to grow. That team needs to be constantly replenished as demand increases and high salaries tempt many to look elsewhere.

Developing and growing that talent from within creates a more stable environment with a cohesive culture that you can mould. Running your own apprenticeship scheme will bring in new talent that understands new technology and has a fresh way of looking at things, with enthusiasm and a keenness to learn, in the most cost-effective way.

An apprenticeship is just the beginning

A level four cyber security apprenticeship is the starting point for a career in cyber. So what’s next? Apprentices can join BCS and CIISec (and work towards full membership); after their end point assessment, they can join RITTech.

Apprentices could also consider the level six cyber security technical professional integrated degree. Many also go on to take CREST exams, SSCP or ISO27001 implementor / auditor qualifications, depending on their chosen pathway.
