How BT’s cybersecurity boot camp is bolstering a technology talent crisis

Research from the UK government shows that nearly 700,000 businesses lack the skills they need to carry out basic tasks like setting up firewalls, storing personal data, and detecting malware. Like many other industries struggling with a skills shortage, there is a cybersecurity talent crisis, concentrated in the UK.

New research from IBM shows that British companies have been the target of 43% of all hacks in Europe over the last twelve months, with London’s financial sector as one of the prime targets. The UK urgently needs to stiffen its cyber-security defenses to meet this challenge, but the cyber skills talent crisis has become a chasm after years of under-investment. The UK’s biggest fixed and communications company is determined to fill this gap. BT, which traces its lineage back to the invention of the telegraph in the 1840s, is determined to mobilize its huge workforce to help Britain meet the challenges of web3 and digital. Oonagh Ryden, BT’s HR Director for Global Cybersecurity and Finance, takes up the story.

How BT is cooling the cybersecurity talent crisis

Last March, BT launched a retraining program in partnership with CAPSLOCK, an accredited cybersecurity boot camp. An initial cohort of 30 employees was reskilled over the course of 17 weeks, in a scheme which, as Oonagh Ryden, points out, is designed to break down the invisible barriers that prevent many from venturing into this field.

“We targeted CAPSLOCK at those looking to learn cyber skills but unsure how to begin doing so. Demystifying the world of cyber was a key objective of the program. We wanted to make clear that you don’t need a degree in computer science or a background in security to break into the industry.

“The program was driven by our desire to create high-value career paths within BT Group and to build a pipeline of talent to help keep BT and our customers safe online. There’s a well-documented cyber skills shortage worldwide… [and] all organizations are facing a very competitive labor market as a result. BT is no exception.

“We see this program as an investment in our people that will reap significant rewards in a high-priority business area for BT. But each individual also invested massive time, energy, and enthusiasm to make their training a success.”

Identifying applicants for reskilling

None of the program’s graduates had any cybersecurity experience before they started. Most came from call centers, non-technical and non-managerial roles.

Oonagh and her team did, however, seek out individuals who were capable of training on.

Each of the 200 applicants was invited to complete a pre-learning form and assessments, set via the skills evaluation platform Immersive Labs. Interviews revolved around scenario-based questioning. Applicants rated their PC and IT literacy, both to ensure competence and focus training on the right skills gaps.

“We did look for synergies in [applicants’] existing experience and skillsets that could transfer well into cyber roles,” Oonagh explains. “But the most important characteristic we looked for was a desire to learn and embrace a new career.”

Instead of imposing fixed targets for diversity, equality, inclusion, and belonging (DEIB), “we had a core commitment that we wanted to have a diverse mix of people within the program.

“We achieved this naturally rather than through a formal process. But as supporting and increasing social mobility was also a key focus in our selection process, this also encouraged broader diversity. This resulted in an over 40% gender/ethnicity split, and strong age diversity too. We had applicants with a prior length of service ranging from 1 to 25 years.”

Training in a digital classroom

Despite all the advances in remote communication achieved since the outbreak of Covid-19, distance learning courses remain blighted by problems. Students, trainers, and commentators often report problems such as ineffective communication, late and insufficient feedback, and a lack of clarity over tasks and expectations.

To head off these potential issues, CAPSLOCK has created a digital classroom in which it divides learners into small groups. It provides classes via Teams and personal communication via Zoom and Slack.

The program is based on both interactive content and lab-based activities. CAPSLOCK delivers practical training, simulating the kind of challenges that cyber-security consultants face every day, rather than bombarding learners with complex theories.

“Real industry problems are solved by learners working in teams,” Oonagh says. “They start from day 1 as a consultant… and work towards creating innovative solutions to cyber problems.

“An example might include creating a new cyber information policy or joiners, movers, and leavers process, conducting a risk assessment or reviewing a penetration test report and creating a remediation plan.”

BT and CAPSLOCK assessed participants every week at individual, group, and project levels, working towards accreditation from the Chartered Institute of Information Security (CISSeC). Along the way, they received mentoring from BT’s team, both from security operation center managers and staff who had experience with the company’s other talent entry programs.

A growing body of research supports the use of mentors in e-learning. Jonathan Muir, of Leeds University Business School, has written that mentoring “can prove useful in helping colleagues develop the required skills and competencies while providing personal support, encouragement, and empathy.” Oonagh is equally positive, saying that her mentors “could provide direct, real-world knowledge of what it’s like to work in cyber” while providing “as broad a range of insights and perspectives as possible.”

100% completion: The outstanding results of BT’s boot camp

Indeed, all the metrics suggest that the program has been a resounding success.

All 30 members of the cohort have successfully completed both the CAPSLOCK Cyber CE-CSP accreditation and the ISO20K requirement certification, having achieved an average score of 86% across all assessments (completion required 70%). Ten of the initial intake have chosen to take on additional courses, assisted by mentors. CAPSLOCK’s evaluation of technical aptitude found that three learners were average, 12 were good, nine were very good, and five were excellent.

Eight months on from graduation, all learners are now working in cyber roles at BT, tailored to their specific achievements within the course. BT gave allocated roles in governance and assurance to those that scored well on the governance topics. Meanwhile, those who performed more strongly on technical modules are working in fields such as DDoS, security architecture and design, and forensics.

To aid their assimilation, BT will evaluate graduates from the CAPSLOCK program alongside their peers in ‘standard’ annual and ongoing performance assessments. It will also tailor quarterly coaching sessions to each graduate’s new role.

Anecdotal feedback suggests several graduates are already leading customer meetings and making recommendations. And the feedback from the learners themselves is even more telling.

The course has been tough, no doubt; one learner has admitted to suffering imposter syndrome during the course, while another said they were “mentally and physically exhausted.” However, the graduates have been quick to praise CAPSLOCK’s “amazing team-based approach” and “detailed structure learning path.”

What’s more, the course has unlocked a huge amount of potential which might otherwise have remained untapped. As one team member put it, “to come from where I was when I was growing up to now is such a strong achievement. If I can do it, anyone can.”

Continuing CAPSLOCK: Further plans for solving the cybersecurity talent crisis

It is little wonder, then, that Oonagh and her colleagues are looking to run the program in the Autumn. Over 1,000 colleagues have already expressed their interest in future cohorts; Oonagh says that recognition inside the company “is definitely not an issue.”

What’s more, other companies are now looking to follow suit.

“Other organizations have spoken to us about our experiences of reskilling via the CAPSLOCK program,” Oonagh says. “We’re happy to share learnings and experience with other companies.

“Tackling the cyber skills gap can’t be achieved by any one company in isolation. It requires a collaborative effort across the industry.”

BT’s work to solve the cybersecurity talent crisis is not just a pioneering step forward to shape the future of cybersecurity in the UK. It also serves as an excellent example for those organizations in any industry that aim to address talent shortages through careful training, reskilling, and inclusivity.