A phrase often linked to the IT sector is “skills crisis”. From opportunities in emerging areas such as data science and artificial intelligence, to more traditional but ever-changing areas such as storage and security, there seems to be a constant need for skills that are in short supply.
Currently, IT leaders are being asked to accelerate post-Covid business transformation plans, which generally involves ramping up cloud-native DevOps skills. The pandemic led to more than two years of remote working, which meant formal security training took a back seat as companies raced to ensure staff could remain productive.
But, according to the annual TechTarget/Computer Weekly IT Priorities survey, this is now changing. Over the next 12 months, security awareness training will be the most popular IT project in the UK and Ireland, with 66% of survey respondents planning to spend in this area. This is followed closely by multifactor authentication, in which 51% plan to invest.
Data privacy, governance and regulatory compliance – think General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and so on – are on the agenda for 43% of buyers, while threat detection also remains a top concern looking ahead, with 40% planning some investment in this area.
Although the pandemic delayed or disrupted many projects, especially “on-premise” projects, the survey points to a recovery in 2022 at or above pre-pandemic levels, with a strong emphasis on IT security initiatives to support hybrid working and hybrid clouds.
Although in the mid to long term, developing core skills internally is critical to IT-led business transformation initiatives, IT leaders often need to make tactical choices and consider outsourcing and using contractors, where appropriate, to supplement and build out existing in-house expertise. On-the-job knowledge transfer can be combined with online or classroom-based training.
Building tech skills for cloud transformation
To manage the IT skills gap, Lydia Leong, distinguished vice-president and research analyst at Gartner, advises organisations to start by supporting, monitoring and measuring the progress of the management team against cloud skills initiatives. “To facilitate this progress, ensure roles across the business are divided by expertise, allowing for achievable hiring goals,” she says.
When looking at training existing staff, Leong recommends that organisations upskill current employees with cloud skills, using relationship-based and experiential learning from experts. She emphasises that the skillset of more technical staff members must span different IT domains. “Ensure that the technical leaders overseeing your organisation’s cloud initiatives are strategic thinkers with business acumen, big-picture perspectives and team-player mindsets who can communicate with diverse audiences and be agile in thought and action,” she says.
Maureen Lonergan, vice-president of AWS Training, says one of the most effective ways to invest in comprehensive training is through broad organisational learning programmes. This requires foundational cloud training for all staff and deep technical training for IT staff. “Regardless of the size of your organisation, there will be challenges and objections to overcome,” she says. “The most important thing is to see upskilling and reskilling your people as a strategic imperative to your business growth and agility.”
Leong urges IT leaders to assess whether they need to build up the internal skills with new recruits. “New employees will also have to take time to learn the business and IT environment, but recruitment can be streamlined towards key, experienced hires who accelerate such cloud computing initiatives,” she says.
This can be supplemented by bringing in contractors from staffing agencies or by hiring independent contractors, which can be a useful way to acquire junior and mid-level people to perform cloud-related tasks and work on cloud projects.
Leong believes hiring senior-level contractors offers IT leaders one of the swiftest and most effective ways to acquire the necessary skills, but she warns that it is important not to allow such senior-level contractors to make strategy or policy decisions.
Beyond individual contractors, organisations can also seek assistance from an external source, usually in the form of a managed service provider (MSP). This can be taken as a project-based approach, or a medium- to long-term managed services approach.
MSPs also often offer skills transfer as part of the services they provide to clients.
Cyber training
Looking at cyber security, Tom Everard, a cyber security expert at PA Consulting, points out that the threat landscape is ever-changing. He says the workforce, in many cases, has not received sufficient cyber security training and yet staff often work in an environment where it is difficult to meeting the requirements of their role while remaining secure.
“Some people respond to training; some don’t,” says Everard. “If an individual is unhappy at work, they might do something they would not normally do and put security at risk. Good security training and a security culture should reduce the likelihood of this happening.”
Discussing whether cyber training should be run in-house or provided by external trainers, Tim Holman, CEO at security consultancy 2-sec, suggests cyber security training should not be considered an annual exercise to satisfy FCA, ISO or PCI compliance. “The phenomenon of training fade is by now well proven,” he says. “Staff simply forget what they’re taught after a few weeks, or a few months if you’re lucky. Some do so in a few days.”
One way to address this, says Everard, is to have an easily accessible resource where staff can look up what to do in a particular situation. This could include policies, guidance and bite-sized snippets of training that are referenced in the core training module and make it easy for staff to do the right thing.
As an alternative, Everard suggests organisations provide training in bite-sized chunks throughout the year. He says this is most easily delivered through an outsourced platform and can be one of the best ways to ensure the workforce adopts good security behaviour. “There are also numerous specialist providers of security training that have built their platforms on behavioural science and research,” he says.
Everard recommends that organisations complement outsourced provision with insourced training of leadership, management and security champions to help strengthen their security culture.
Holman believes in-house training can work if the organisation has a dedicated trainer, or in-house security awareness champions. This is a route some larger companies will take, he says. But the question for IT leaders is whether in-house staff training is cost-effective and is the best fit for the organisation and its employees.
A decent suite of continually improving cyber security training courses, videos, email campaigns and so on will be a fraction of the cost of an in-house trainer, given that the average salary in London is about £35,000.
In security circles, continuous training is key to the idea of the human firewall. “People are the lynchpin,” says Merry Song, an analyst at Turnkey Consulting. As Song points out, people drive training programmes, which are created around their needs.
“The best benchmark of a good programme is employee engagement, along with the contribution the training makes to ensuring that a robust security culture exists within the organisation,” she says.
For Song, training metrics can include the way employees interact with training activities: what are the completion rates for the various modules, for example, and do users undertake training in good time or leave it until the last minute? These details can point to the quality of the training content and how effectively it communicates the importance of the topic, she says.
“Monitoring any increases in security-based activities is also a useful guide to trainee buy-in,” says Song. If the programme content includes measurable calls to action, such as reporting phishing emails or encouraging users to use password managers, these behavioural changes can be observed and measured, she adds.
Training metrics and methodologies
Describing his own experience in training, IT expert Junade Ali recalls a recent experience when he worked with a team that was building a software training platform to help improve management decisions. According to Ali, the team he was working with was finding it hard to present information in a way that would incentivise managers to learn more about their teams and drive performance improvements.
He advised the team to adopt heuristics developed by The Behavioural Insights Team, a company formed about a decade ago from within government to help nudge citizens to make smarter decisions about health, wealth and happiness. One of the mental models it published was the East (easy, attractive, social and timely) framework.
Ali says more advanced frameworks, such as Mindspace, introduce other factors that can be used to nudge behaviour, such as leveraging the fact that people like to act in ways that make them feel better about themselves.
In Ali’s experience, these small interventions can have big effects. For example, The Behavioural Insights Team found that by using text message reminders in adult education programmes, there was an 8% increase in the likelihood of passing exams over an academic year in a control group.
When making more complex improvements at scale, especially where prior evidence is more limited, Ali says it is important to measure the impact to make sure these interventions are not doing more harm than good. For instance, he says scientifically robust randomised control trials, in which people are randomly allocated into control and trial groups, can provide conclusive answers quickly in a large user base, but “this can be tough when designing a training programme for a small audience who are trying to move a north star metric that has a slow feedback loop”.
Overall, most companies will need to develop some internal training, or have training tailored to their specific situation, says Paddy Francis, chief technology officer (CTO) at Airbus CyberSecurity. Regarding more general-purpose security training, he says buying can be a better route, because of the cost of developing the training and maintaining it in a changing cyber environment.
Irrespective of what type of training is required and how it is delivered, IT leaders need some mechanism to measure its effectiveness. This can be as broad as looking at the level of IT security incidents where the root cause is user error, or a measure of the volume of cloud-native project ideas. Success will depend on the metrics going in the right direction in the long term.
It is here where more regular training has an advantage over annual courses. There may even be a place for Ali’s “small interventions”, where a friendly reminder encourages good practices or inspires someone to try out a new idea that they learnt about on a recent course.