Responding to a joint select committee report, government fails to commit to mandate ongoing training

Credit: Stefan Rousseau/PA Wire

The government has refused to commit to making all civil servants undergo ongoing cybersecurity training, but said it is willing to “think creatively” about how to address the need for cyber skills after MPs and peers raised concerns about its capacity to deal with security threats.

In its report in July, the Joint Select Committee on the National Security Strategy said the government should “explore more creative options in building cybersecurity capacity” both within its departments and in businesses that uphold critical national infrastructure such as the NHS.

The committee said all civil servants should be made to undergo basic cybersecurity training and continuing professional development, and called for an online portal setting out the material and financial support available to all organisations involved in critical national infrastructure to help them recruit people with cybersecurity skills and upskill existing employees.

In its response, published today, the government said civil servants are required to undergo training on the government’s security classification policy, “including basic elements of cybersecurity”. 

“Different departments set their own mandatory training on the basis of their particular circumstances, including their own risk profiles,” it added.

Related content

• Next steps for UK cybersecurity: legislation; skills; and security by design
• Whitehall ‘not cool enough’ to attract top cyber security talent
• Digital Strategy looks to industry for increased skills, government innovation and productivity

However, it did not address the committee’s call for mandatory continuing professional development in cybersecurity skills.

Responding to the recommendation to set up an online portal, the government said there were already various mechanisms for sharing information about skills-related support for organisations, but added: “Given the importance of CNI (critical national infrastructure), we will consider what more can be done to make this easier to navigate and provide more tailored advice,” it said.

It also responded positively to the committee’s call to rollout the Industry 100 initiative – which sets a target for the National Cyber Security Centre to work closely with at least 100 industry professionals – to government departments, critical national infrastructure operators and regulators that lack the skills they need to combat cyberthreats.

“Extending the Industry 100 initiative may be a creative option to build more capability,” read the government response. 

It said more assessment was needed of the differences between the initiative’s existing model and the one proposed by the committee.

“The government accepts the need to think creatively about current and future challenges relating to cyber skills,” the report said.

“This is a start,” said the committee’s chair, Margaret Beckett. However, she added: “The committee remains to be convinced that government has grasped the immediate challenge of keeping critical national infrastructure secure from cyberthreats. Many of the plans set out in this response will come to fruition in a decade’s time. It fails to answer our questions about today and tomorrow – and this is concerning.”

In its July report, the committee had said it was “struck by the government’s apparent lack of urgency in addressing the [national] cybersecurity skills gap”. Publishing a cybersecurity skills strategy should be the government’s “urgent priority”, it said.

In the response, the government confirmed it would publish the skills strategy by the end of this year. It would meet many of the requirements set out by the committee, it said, including assessments of the existing cybersecurity skills gap and of future skills needs; engagement with the devolved administrations; and an implementation plan.

The committee will examine the skills strategy once it is published to ensure it lives up to the government’s promises, Beckett said.

The response also confirmed that the government is preparing a response to its consultation on developing a cybersecurity profession, which it has already said will be overseen by a new cybersecurity council.