Cyber resilience: learning and skills action plan 2018-2020

Aims and Actions

This action plan sets out 4 overarching aims to successfully grow Scotland's cyber resilience learning and skills landscape. These aims are to:

A. Increase people's cyber resilience through awareness raising and engagement

B. Explicitly embed cyber resilience throughout our education and lifelong learning system

C. Increase people's cyber resilience at work

D. Develop the cyber security workforce and profession to ensure that skills supply meets demand and that skilled individuals can find rewarding employment in Scotland.

The Scottish Government, the National Cyber Resilience Leaders, Board and its partners have identified 37 key actions sitting under these aims, which we will take forward collectively during the period 2018-20. These actions are set out below.

Aim A: Increase people's cyber resilience through awareness raising and engagement

To get the most out of the online world, it is important that Scotland's citizens are enabled to get the "basics" right, and take a preventative approach to help themselves stay safe online. It is also vital that they know what to do if they are subject to an online attack so that they can get back up and running safely. We need therefore to encourage basic cyber awareness and readiness in people's everyday use of digital technologies.

The take-up of even simple measures to improve personal cyber resilience appears to be low in Scotland. According to recent research commissioned by the Scottish Government, just over half of adults interviewed claimed to regularly install software updates; fewer than 1 in 10 protected their mobile devices with a password; and only 13% checked that a website was secure before divulging personal data ^[8] . Simple measures can prevent or minimise threats.

Furthermore, research from 2017 by the Carnegie UK Trust ^[9] found that people living in the most deprived communities in Scotland were least likely to use a password, to turn off location services or use a different online name. This reminds us of the need to target people living with disadvantage.

There is a wealth of advice and guidance available from national campaigns, most of it useful. However there is so much of it, and from multiple sources, that for citizens it may feel confusing or overwhelming. We will work with national partners to ensure cyber resilience messages are communicated effectively in Scotland using actual experiences to make the most impact. Working with Scottish intermediary organisations will be vital, as they are often best placed to reach particular audiences. Messages will be communicated in a positive way through their channels, with cyber resilience understood as an enabler, to ensure that individuals are not deterred from engaging with digital online technologies. Evidence demonstrates that peer learning can also be useful for building shared knowledge and trust in raising awareness.

A number of ambassadors/champions' networks already exist to promote key messages to particular audiences, for example, the Scottish Government's Digital Champions Development Programme and Police Scotland's Web Constables network. Working closely with these and other networks we can identify opportunities to deliver targeted messages about cyber resilience in the communities where they have influence.

The actions to increase people's cyber resilience through awareness raising and engagement (Aim A) are as follows:

1. The Scottish Government will work with partners in Scotland and the wider UK (for example, Get Safe Online ^[10] ) to disseminate general and targeted cyber awareness messages to key audiences including citizens, businesses and organisations. Ongoing.

2. The Scottish Government will offer communications support to its national partners to deliver their own cyber resilience messages for their audiences, and ensure those messages are aligned with authoritative sources of advice ( i.e. Cyber Aware, NCSC). Ongoing.

3. The Scottish Government will work with key partners, including Police Scotland, to identify ambassadors and champions who can deliver cyber resilience messages. Ongoing.

4. The Scottish Government will work with partners, including the UK Government, to monitor changes and improvements in cyber resilience behaviours among the general Scottish population. Ongoing.

Aim B: Explicitly embed cyber resilience throughout our education and lifelong learning system

The need for individuals to be cyber resilient has never been greater. It is vital that everyone, whatever their age, whether they are working or not, is able to keep safe online and know what to do if they experience a cyber attack.

From Early Years education, children and young people need opportunities to develop appropriate knowledge, understanding and behaviours to become more cyber resilient, for their present and future lives. Parents, grandparents and carers also need opportunities to develop their own understanding so that they can support their children and those dependent on them. People in Scotland are increasingly relying on online services to maintain their independence, access services, connect with families and their communities and manage their health and wellbeing. Being resilient online is therefore becoming increasingly important.

Cyber resilience within formal learning

Formal learning is delivered in Early Years learning settings, in schools, colleges, third sector organisations, universities and through training providers. Learners work towards formal qualifications or credit.

Work is being taken forward by the Scottish Government and partners to ensure that cyber resilience is recognised as core to digital literacy and digital participation. This is already being reflected in policy, for example within Scotland's refreshed Digital Strategy ^[11] and Enhancing Learning and Teaching Through the Use of Digital Technology ^[12] , as well as in projects to develop the digital capacity and resilience of schools. It is also reflected in the STEM: Education and Training strategy, published in October 2017, which sets out a comprehensive programme to drive improvement in STEM learning throughout the education and training landscape. This strategy recognises digital skills and the importance of cyber resilience as part of STEM.

At school level, cyber resilience is now embedded in Curriculum for Excellence, within Experiences and Outcomes (Es and Os) of Digital Literacy, alongside internet safety ^[13] . Whilst not a formal 'Responsibility of All' i.e. on the same footing as literacy, numeracy and health & wellbeing, curriculum guidance is clear that Digital Literacy should be placed at the heart of all learning and that outcomes can be delivered by staff in all curricular areas and at all levels. This guidance was published in March 2017 and Education Scotland has committed to providing support for implementation of the new statements.

SQA is reviewing the ICT Core Skill framework, and this review is likely to highlight cyber resilience as a significant aspect. It is important that providers of education such as schools, colleges, community-based provision and others that support vocational learning, such as training providers, are equipped to support their learners to be more cyber resilient as well.

Cyber resilience within non-formal and informal learning

Non-formal and informal learning takes place in all of the settings mentioned above, for example in after-school clubs, but also in youth work, community learning settings and workplaces.

Cyber resilience learning is beginning to happen in some parts of this landscape such as digital youth work and work with disabled adults, and in training for practitioners in the non-formal learning sector. Examples include Young Scot's Digital Academy ^[14] including its work on 5Rights ^[15] (which looks at supporting people to understand their rights in the digital world), Lead Scotland's Getting Digital ^[16] programme, and its formal learning module Thinking Digitally ^[17] (which is worth 12 credits at SCQF level 6), and the Digitally Agile Community Learning and Development project ^[18] .

There are numerous learning resources available but they are not often packaged for or targeted at those working in non-formal learning settings. Practitioners in non-formal learning settings need access to appropriate guidance and training on how to build cyber resilience into their work with individuals and groups. Education Scotland, national youth and lifelong learning organisations have a role to play in contributing to the development of this guidance.

The actions to explicitly embed cyber resilience throughout our education and lifelong learning system (Aim B) are as follows:

5. The Scottish Government will work with Education Scotland and other partners to look at ways to embed cyber resilience into Early Years education and will produce a plan of action by autumn 2018.

6. Education Scotland will work with education Regional Improvement Collaboratives to raise the profile of cyber resilience in regional planning for education, from spring 2018 and then on an ongoing basis.

7. The Scottish Government will work with key partners to ensure that, when relevant skills frameworks are under review, cyber resilience is embedded appropriately. In the immediate term, this will include working with Scottish Qualifications Authority ( SQA) on its review of the ICT Core Skill, by summer 2018 and then on an ongoing basis.

8. Education Scotland will collate and disseminate existing learning and teaching resources to schools to support the learning of cyber resilience within the curriculum area of Digital Literacy. The Digital Skills Partnership ^[19] will support the dissemination of the resources. This will be done by spring 2018 and resources will thereafter be refreshed as required.

9. The Scottish Government will work with organisations involved in non-formal learning, such as Scottish Council for Voluntary Organisations ( SCVO), Young Scot, Lead Scotland, Youthlink Scotland, Learning Link Scotland and the Community Learning and Development ( CLD) Standards Council, to develop and publish guidance for providers on the delivery of cyber resilience learning, by spring 2019.

10. The Scottish Government will work with appropriate teacher education institutions, Education Scotland, College Development Network and universities to plan how to strengthen the focus on cyber resilience in initial teacher education and career long professional learning in cyber resilience for teachers in schools and lecturers in colleges and universities, a plan to achieve this will be ready by autumn 2018.

11. The Scottish Government will work with Education Scotland to identify opportunities to embed cyber resilience into education inspection frameworks. In the first instance Education Scotland will embed cyber resilience in the reviewed quality framework for colleges, How Good is Our College?, within the principles of leadership, governance and curriculum, by autumn 2018, and thereafter as opportunities arise.

12. The Scottish Funding Council ( SFC) will analyse colleges' and universities' steps towards embedding cyber resilience within their curricula and other activities in order to identify future activity required to support these institutions, by summer 2018.

13. College Development Network will explicitly identify knowledge, understanding and skills of cyber resilience as a key standard for lecturers within the upcoming review of the Professional Standards for Lecturers in Scotland's Colleges, by summer 2018.

14. The Scottish Government will work with SDS and the Scottish Training Federation to identify options for engagement with independent training providers that can support their trainees' cyber resilience, by winter 2018.

15. The Scottish Government will work with the National Parent Forum of Scotland and other relevant organisations, to identify activity to develop parents' and guardians abilities to engage with their children's learning in order to ensure their children become more cyber resilient, by winter 2018.

16. The Scottish Government will work with public, third and private sector organisations involved in supporting the upbringing of children and young people to identify and implement measures to support children and young people to become more cyber resilient, by winter 2019.

17. The Scottish Government will work with care providers whose staff are well placed to support their clients to be more cyber resilient, by winter 2019.

Aim C: Increase people's cyber resilience at work

Workers who use digital technologies to perform their roles, often referred to as "digital end-users", are often the most important "link" in terms of cyber resilience for organisations.

A report ^[20] by the Federation of Small Businesses on skills and training has identified that over a fifth of small businesses are failing to take advantage of the digital world partly because their staff lack digital skills (22%) but also because of concerns about cyber security (21%). Guidance and training for employers is available from a number of trusted sources to help build their workforces' cyber resilience. In addition, there are a number of high quality self-learning programmes available, including e-learning modules — some are free, and others need to be bought under licensing arrangements.

Cyber resilience should be embedded in workplace practices and integrated into workplace learning and development, with as much emphasis as organisations place on health and safety. The role of unions is important too, as they often support workplace learning.

It is not, however, just the general workforce that need to build these capabilities. It is critical that senior managers understand the importance of having a cyber resilient workforce, and that they lead on embedding cyber resilience practice in the workplace. They themselves need to understand and be able to manage cyber risk, ensuring that it is part of risk registers, that it informs incident management and response plans, and is embedded within communication and organisational development workstreams.

We are beginning to see growing commitment and action being taken by employers, particularly in larger private sector organisations, in public bodies, and in some third sector organisations, to increase their workforces' cyber resilience. Employers have expressed an appetite for more national guidance on training programmes. For example, there has been significant demand from employers, unions and employees for the government funded Scottish Union Learning's programme of cyber security training for workers (which can be delivered in all sectors and not just for union members).The Scottish Business Resilience Centre has been working to drive up good cyber hygiene in Scottish private sector organisations, particularly within SMEs. This has included encouraging Cyber Essentials certification. Highlands and Islands Enterprise have reached over 130 businesses in 2017 to raise awareness of the importance of cyber resilience in the workplace. In the public sector, as part of the Public Sector Action Plan ^[21] , there is a range of training programmes and materials being rolled out to support staff at all levels to become more cyber resilient.

The actions to support employers and individuals to increase cyber resilience at work (Aim C) are as follows:

18. The Scottish Government will work with key partners to provide/signpost best practice guidance on how to build cyber resilience effectively into workplace learning, as identified in the public, private and third sector action plans, by autumn 2018.

19. The Scottish Government will work with SDS and industry partners to explore opportunities for strengthening cyber resilience across occupational standards ^[22] , by autumn 2018.

20. Scottish Union Learning will measure and report back to the Scottish Government on the impact of its autumn 2017 – spring 2018 government-funded cross-sectional cyber resilience workshops, by summer 2018, after which next steps will be decided.

Aim D: Develop the cyber security workforce and profession to ensure that skills supply meets demand and that skilled individuals can find rewarding employment in Scotland.

The cyber security skills shortage

In common with other countries, cyber security skills supply in Scotland is currently not meeting demand. At a global level, the workforce gap has a projected shortage of 1.8 million professionals by 2022 ^[23] . In Scotland, this gap in cyber security skills is one of the most critical ^[24] in the digital sector.

We can estimate that there were likely to be 360 – 480 unfilled vacancies in 2017. In the absence of positive interventions to increase skills supply, these figures are expected to rise by 20% per year in Scotland (in line with the rate of growth in demand for cyber skills UK-wide).

Based on these trends, a conservative estimate for unfilled (or contractor-filled) vacancies in Scottish cyber security jobs in the future is as follows:

Year 2018: 430 – 580

Year 2019: 516 – 700

Year 2020: 620 – 840

Reasons for cyber skills shortages

There are a number of reasons for current skills shortages:

• Not enough people are identifying cyber security as a career option (at school and for career transitioners and changers).
• Not enough school pupils (particularly girls) are choosing STEM subjects or are aware of cyber security careers.
• Not enough school leavers are pursuing relevant degrees (especially young women).
• The cyber security cluster in Scotland is at a relatively early stage of development.
• We are not retaining enough skilled individuals in Scotland, with many graduates moving to London or elsewhere upon completion of their degrees.

The need to actively promote cyber security as a career

Cyber security is a rapidly changing and expanding field. This expansion requires skilled workers to help organisations perform a range of cyber security functions. As organisations identify what is needed to adequately manage current and future cyber security risk, leaders need to consider their cyber security workforce capabilities and capacity as part of this. Cyber security should be regarded as an accessible and inclusive career option, open to people from all backgrounds.

The Scottish Government is keen to see more promotion of, and more pathways into, cyber security as a career option. This includes promoting the current range of pathways into cyber security which includes an Information Security Modern Apprenticeship and a Cyber Security Graduate Apprenticeship. Skills Development Scotland continue to actively promote cyber security as a career through their career channels and programmes.

There are some pockets of non-formal or extra-curricular activity aimed at promoting cyber security as a career to young people. These include the competitions and games promoted by Cyber Security Challenge UK, activity led as part of NCSC's CyberFirst programme, and the Cyber Christmas Lectures, aimed at engaging the interest of young people. More work is required to the Scottish curriculum and to make appropriate links with Scotland's schools and other learning providers.

Several schools now offer SQA's National Progression Awards ( NPAs) in Cyber Security and a number of colleges offer introductory computing courses with a cyber security element as well as the NPAs. SQA's forthcoming HNC and HND (with linked Professional Development Awards ( PDAs) in Cyber Security should increase delivery of cyber security learning opportunities in colleges.

We are keen to encourage engagement with schools and colleges by employers (both public and private sector), higher education institutions, professional associations such as (ISC) ², ISACA and ISSA, as they can support the development of future cyber professionals. This support can include offering Foundation Apprenticeship work placements, engaging with schools, colleges and universities to develop/deliver course content, employing interns, mentoring of students, and sponsoring and supporting PhD and MSc students and undergraduates.

Skills development pathways

Scotland is steadily building a strong pipeline in cyber security qualifications. We have attached at Annex B a snapshot of qualifications that are available (or will soon be available) in Scotland for developing cyber security skills across our education system.

In our schools and colleges, there are currently low numbers of Computing Science teachers. To support the effective delivery of these new qualifications, we need teachers who are confident and able to teach cyber security and who are supported by high quality learning and teaching resources and best practice in cyber security techniques.

Some businesses look for a wide range of professional qualifications and accreditations, (see Annex C for a list). Others seek advanced-level academic study. It can be resource-intensive for individuals to maintain the range of accreditations/professional body memberships. There is a requirement to better understand, explain and promote the existing professional qualifications and accreditation landscape.

Skills and academic development in universities

Traditionally, cyber security has been embedded into computing science degree-level and postgraduate courses in the form of accredited modules. Over recent years, the increased demand for cyber security graduates and specialists has led to a growth of dedicated cyber security degree-level and postgraduate courses in our universities. Graduate level apprenticeships in cyber security are gaining momentum as a result of funding from Skills Development Scotland and the European Social Fund. A Graduate Level Apprenticeship in Cyber Security has been developed by Skills Development Scotland, and Napier University, for example, has recently launched its own BSc Graduate Level Apprenticeship in Cyber Security and Forensics.

As the demand for skilled professionals in cyber security increases, it is important that government, the private sector and academia work together to categorise and describe cyber security work. This would support academic institutions to standardise curricula and certification where appropriate, and employees, employers and employability services to best match skilled people to skilled jobs.

Our universities have a critical role in inspiring and supporting future cyber security professionals, through engagement with schools and colleges. There is also an opportunity for academia and the cyber security industry to work together to develop cyber security related curricula. For example the Palo Alto Cyber Networks Cyber Academy Programme provides technology and services for use in the classroom – at no cost – to any higher education institution. They work with academic partners to develop bespoke curricula and, so far, have worked in partnership with Abertay University, Glasgow Caledonian University and Glasgow Clyde College.

NCSC has a role to play in boosting the outcomes of our universities. Universities should be encouraged to achieve NCSC certification for their undergraduate or postgraduate degrees to raise their profile on the global stage. In addition, NCSC's CyberFirst Bursary scheme is available to fund studies at undergraduate level in any STEM subject. ^[25]

Cyber security research and innovation

Scotland is already home to five of the world's top universities and there is a pedigree and increasing depth of expertise in cyber security across our higher education institutions. The University of Edinburgh, for example, is an NCSC-accredited Academic Centre of Excellence in Cyber Security Research and other Scottish universities are working effectively to build their offer in respect of cyber security research. One method of boosting research activity would be to increase numbers of PhD students taking forward cyber security-related research that can contribute to innovation and inclusive growth in the Scottish economy. One potential step towards this would be to establish a Centre for Doctoral Training to link industry with researchers. This may also assist in attracting the best talent to our universities.

Scotland's cyber security goods and services industry is, in line with the rest of the world, growing at a significant rate. Expert technical skills are in demand, but so are the skills to drive innovation and research.

The role of cyber security has grown significantly in Scotland's financial sector, creating jobs and opportunities, particularly in relation to "fintech", and this growth is expected to continue as new technologies roll out and our businesses and people become even more digitally connected.

Cyber security skills – an integral part of digital and many other skills.

The Scottish Government is clear that cyber security skills must be clearly identified as a key aspect of the Scottish Government's Digital Technologies Skills Investment Plan, as well as all Skills Investment Plans across other industries. All future reviews of Skills Investment Plans in other industries will include cyber security skills, where appropriate.

The key actions to develop the cyber security workforce and profession to ensure that skills supply meets demand and that skilled individuals can find rewarding employment in Scotland (Aim D) are as follows:

21. The Scottish Government will work with SDS to include cyber security within future skills planning, including through their work with the Enterprise and Skills Strategic Board. Ongoing.

22. The Scottish Government will work with SDS and the Digital Technologies Skills Group – the group responsible for advising on the Digital Technologies Skills Investment Plan - to ensure there is a robust evidence base to underpin future decision making on the development of cyber security skills in Scotland. This work will also include an ongoing review of other countries' approaches to developing cyber security skills, Plan produced by summer 2018 and implementation throughout 2018 and 2019.

23. SDS will work with partners in the Digital Technologies Skills Group, and with wider industry, to produce a cyber security career framework that will support employers and individuals from all backgrounds to understand education and career pathways into and through the cyber security industry. This will also provide guidance for digital technology professionals who wish to develop their cyber security skills. The framework will include information about professional qualifications and accreditation, and will be finalised by autumn 2018.

24. SQA will support the delivery of current and new cyber security qualifications by developing teaching, learning and assessment materials. With Education Scotland and College Development Network, SQA will continue to support the professional learning of teachers and lecturers to deliver these qualifications. Roll out throughout 2018 and 2019.

25. The Scottish Government will work with SDS to consider options to support career changers or unemployed people to develop skills for cyber security roles. An options paper to achieve this will be produced by autumn 2018.

26. The Scottish Government, with lead partner Education Scotland, will work with the UK Government to identify opportunities to shape the UK national schools cyber security programme (called Cyber Discovery) for appropriate implementation in Scotland. A plan to do so will be produced by summer 2018.

27. The Scottish Government, in partnership with ScotlandIS, the cyber security industry, academia/ SICSA and the Digital Skills Partnership, will aim to categorise and describe cyber security work. This could be used by academic institutions to standardise curricula and certification, and by employees, employers and employability services to best match skilled people to skilled jobs. This work will be completed by spring 2019.

28. The Scottish Government, ScotlandIS and representatives from the cyber security sector in Scotland will work with the UK Government and wider UK industry to develop the UK Royal Chartered Professional Body for Cyber Security, with the aim of it having a strong Scottish presence and benefiting Scotland's cyber security sector, by summer 2018 and then ongoing.

29. SDS will work alongside industry partners to review National Occupational Standards for cyber security with a view to embedding cyber resilience competences appropriately in professional roles by spring 2019.

30. The Scottish Government, Education Scotland and SDS will work with partners at the UK level to ensure appropriate alignment of cyber skills development plans, ensuring that Scotland can benefit fully from UK-wide initiatives. Ongoing.

31. The Scottish Government will work with SDS and Industry Leadership Skills Groups to promote the importance of cyber security to all sectors, and ensure that cyber security is embedded appropriately into Skills Investment Plans where appropriate. Ongoing.

32. The Scottish Government will work with SQA to strengthen its portfolio of cyber security qualifications, through filling in gaps in the portfolio and keeping existing qualifications relevant. Ongoing.

33. Scottish Informatics and Computer Science Alliance ( SICSA) will lead work with universities and colleges to build capacity for cyber security courses (including cyber security within IT courses) at under- and post-graduate levels, as well as research opportunities. This will include working with the Scottish Government to consider establishing a forum for bringing together industry with researchers, such as a Centre for Doctoral Training. Throughout 2018 and 2019.

34. SICSA and College Development Network will increase levels of engagement with schools and communities aimed at inspiring young people to consider cyber security as a career. Ongoing.

35. The National Parent Forum for Scotland ( NPFS) will continue work with SDS to disseminate existing resources that seek to promote cyber security careers to parents/families. NPFS and SDS will review the need for new resources in this area and develop them if required. Throughout 2018 and 2019.

36. SDS will identify opportunities to further integrate cyber security skills into the Apprenticeships Family, and work with industry and employer groups to ensure widespread awareness and adoption of work-based learning pathways within the cyber security industry. Ongoing.

37. The Scottish Government will work with SDS and others to ensure a coordinated approach to develop a pipeline of future cyber professionals. This will include supporting Digital World and My World of Work careers campaigns; promotion of e-placement Scotland and other internship, placement and mentoring opportunities; and creating opportunities for industry to enhance the delivery of curriculum. The Scottish Government will produce a coordination plan by summer 2018.