Organisations large and small can find untapped, undeveloped cybersecurity talent through apprenticeship programs. Here's how some succeeded.

Apprenticeships allow organisations to recruit entry-level talent that they can train to fit the needs of the business and give the trainee a broad set of security skills.

Well-established in fields such as plumbing or carpentry, apprenticeships are becoming popular in technology: 72% of respondents in the 2019 UK CIO100 survey stated they were running IT apprenticeship schemes, up from 65% the previous year. “Building the UK’s own talent base is a must and apprenticeships are at the heart of that,” TechUK’s deputy CEO Antony Walker said last year.

However, starting an apprenticeship programme isn’t a quick recruitment fix or simple to set up. It requires the CISO to assess the current capabilities of the security team, dedicate time to new recruits, and work with the wider business and outside partners.

When to consider cybersecurity apprenticeships

“Cybersecurity teams need to be constantly replenished as demand increases and high salaries tempt many to look elsewhere,” says Richard Cornell, digital end-point assessor at BCS, The Chartered Institute for IT. “Developing and growing that talent from within creates a more stable environment with a cohesive culture that you can mould. Running your own apprenticeship scheme will bring in new talent that understands new technology and has a fresh way of looking at things with enthusiasm and a keenness to learn, in the most cost-effective way.”

Cornell adds that an organisation doesn’t have to be large to run an apprenticeship programme. It only needs the capacity and desire to develop new talent.

Transport for London (TfL) started its apprenticeship programme three years ago and has three people on the scheme.

“Recruitment is very difficult in this area as the market is very competitive and the most impressive individuals tend to get snapped up quickly,” says Andy Fontaine, security operations centre manager for TfL’s Cyber Security and Incident Response Team and leader of the company’s TfL Apprentice Scheme. Its goal is to find the “talent and enthusiasm” the company expects from its cybersecurity team. “It’s a commitment on our side to work with those individuals looking to build a long-term career with us.”

Apprenticeships can help find talent that might not have had the opportunity to pursue higher education or may be more well-suited to on-the-job learning. They can also help organisations increase their diversity and aid social mobility amongst people.

“Over the course of two years, [apprentices] spend the entirety within cyber learning the different functions including cyber defence, threat intelligence and awareness,” says Fontaine. “We can help shape and mould the best of what we would be looking to recruit on the open market. By the time they are ready to complete their apprenticeship, they already know the organisation, are fully immersed into the team, and understand what’s required to be part of this team.”

Types of cybersecurity apprenticeships

Apprentices must work toward a UK government-approved apprenticeship standard or framework and their training must last at least 12 months. Levels of apprenticeship most relevant to cybersecurity include:

Level 4: Equivalent to the first year of university
Level 5: Equivalent to the second year of university
Level 6: Equivalent to getting a bachelor’s degree

Courses include Cyber Security Technical Professional, a Level 6 apprenticeship typically lasting 48 months, or the shorter Cyber Security Technologist, which is a Level 4 and lasts around 24 months.

BCS’s Cornell says Cyber Security Technologist is the popular choice and is split into either a technical or more risk analysis-focused track depending on whether the goal is more hands-on or governance, risk and compliance (GRC)-based.

TfL’s apprentices focus on the hands-on Cyber Security Technologist role — responding to threats, risk and threat intelligence, developing use cases, and gaining a deeper understanding of network design and the security protocols behind them. “The apprenticeship in cybersecurity isn’t easy,” says Fontaine. “We want our apprentices to come through with flying colours, but we also want to see them grow as individuals as well, which is just as important a part of the scheme as learning the trade.”

Picking the right role for apprentices depends on their maturity level and functions in place within the organisation. Looking at what tasks are outsourced, current requirements within the business, how many places you have available, and your company’s experience working with apprentices will inform which roles to open.

What to look for in cybersecurity apprentices/apprenticeships

Prerequisite education requirements are set by the employer. Higher apprenticeships require A levels, NVQs, or a BTEC relevant to the field. Cybersecurity has a minimal presence in the syllabus of UK education, so TfL’s programs don’t have specific education/training prerequisites. Interest or experience in IT subjects is beneficial, as is involvement in schemes like the NCSC’s Cyber First initiative as they provide exposure to tools that schools and colleges might be unable to provide.

“Candidates who make a good fit for an apprenticeship in cybersecurity are those [who are] eager to learn and can quickly gain clarity and direct understanding of the critical nature of this function,” says Fontaine.
“Patience is also key as it may take time to get to the ‘fun’ work as the basics and fundamentals must be learnt first in order to excel later.”

At BT Security, apprentice job roles include SOC, operations, risk, compliance and design roles. Apprentices transition into the role they have been learning, which is usually in an area where BT expects growth or changes in the cyber landscape.

“Apprenticeships are a core part of our talent strategy, and we employ apprentices at BT Security for our medium- to long-term growth as we want to develop and retain our own talent,” says Lee-Anne Gill, security apprentice programme lead at BT. “Apprentices are not to backfill recent vacancies we may have, but for our future plans.”

As a BT apprentice, Thomas Crowther monitors systems and reacts to security events. He has also helped develop a new incident management tool, reverse-engineered malware, and worked with the forensics team. “My apprenticeship allows me to put into practice things I learn at university into real-world scenarios, which helps a lot in fully understanding the topics,” he says.

Apprenticeship details

Apprentices can be of any age and count as full employees with the same rights – such as sick leave and holiday pay – as other staff. Apprenticeship agreements outline details such as employment length, working conditions, training provided, and the qualifications they are working toward. Employers are required to pay apprentices at least the National Minimum Wage.

Around 20% of apprentices’ working time should be spent on off-the-job training, including lectures, role playing, simulation exercises, online learning or manufacturer training.

Organisations must work with training providers to meet government requirements.
TfL’s training provider, Firebrand, defines the core tasks required from the apprentices and ensures adequate evidence and journal updates to reflect those requirements.

Day-to-day apprentice management

BCS’s Cornell says that the amount of direct support an apprentice needs lessens as they adapt to the workplace. It’s important not to assign only menial jobs. “They are not there to make the tea!” he says. “Shadowing more experienced members of staff is only one way to learn. Actually doing the job with the right level of support is far more valuable.”

Fontaine says his role is to ensure the apprentices have the platform, support and environment to succeed and express themselves. Each apprentice has their own assigned buddy within the security team who meets with them regularly, tracks progress, and provides written feedback and reviews.

“Having a buddy assigned to work with an apprentice works very well in terms of relationship building, mentoring and providing a journal of feedback both ways,” Fontaine says. “Once an apprentice is shown the nuts and bolts of the daily work carried out, we like to give freedom to experiment with the state-of-the-art tools at our fingertips to help improve the capabilities of the security team.”

Some apprentices work better with frequent supervision; others like to be shown once and ask when they need help. Evaluating your capacity as a team and time available to commit to the process is important to consider. “Consider whether you can provide the platform required for this process, preferably before they are in situ,” advises Fontaine.

The business case for cybersecurity apprenticeships

Apprenticeships are a familiar part of many business functions, and CISOs will likely compete with other parts of the company for a limited number of apprentice openings the business can afford and manage.

Working with HR is important. They will have visibility of the apprenticeship levy they are paying.

While BCS’s Cornell acknowledges that cross-training and developing staff from other areas of the business can help solve some demands around cybersecurity skills, it’s not as cost-effective as developing new starters to the profession. The business case for apprentices “is a no-brainer.”

“It might be prudent for the head of cybersecurity to talk to HR about why they need [apprentices],” Cornell advises. “Examples of difficulty in recruiting qualified staff, the cost of salaries together with the rise in corporate risk should do the trick.”

Larger organisations might have dedicated personnel for managing apprenticeships. Gill says BT has approximately 5,000 apprentices across the business, but the HR team dedicated to apprenticeships works closely with the different parts of the business as needed to gain feedback on how well they are working.

Companies on their first intake of apprentices should probably start with one or two. Cornell says it’s not uncommon for large organisations to take on several apprentices at once or have overlapping cohorts to support each other (a model that BT used to support new apprentices in their first months).

“Having an apprentice that is halfway through their two-year training mentor a new starter is great experience for the former and vital support for the latter,” says Cornell. “It’s also helpful to the apprentices to have a colleague at the same stage of the process so they can support each other.”

TfL’s HR development team is responsible for appointing training providers, designing the program (in collaboration with the training provider and the business), and recruiting the apprentices. Each business area is responsible for the apprentices assigned to them and for making sure, with support from HR, that everyone has the support and guidance they need.

Apprenticeships are not a short-term solution and businesses should feel invested in the program to ensure they are successful.
“It is a long-term commitment to finding the right people and certainly not a quick fix, so an organisation must gauge their business needs and environment prior to making that commitment,” warns Fontaine. “The very nature of cybersecurity and the function it plays in any organisation make these points even more critical.”