The pressure on CISOs is well-recognised – growing cyber threats, static IT budgets, staff who ignore the most basic advice (password 123456 anyone?) and board directors who still think it’s all just an IT problem.
Yet on the other side of the scales, cyber security professional has to be one of the most coveted job titles around at present.
First of all there’s the personal dimension – exemplified by the senior official at global user group ISACA, who recently told ContraRisk that since the outside world decided he was in ‘cyber security’ not ‘IT’, his kids have thought he was really trendy. Clearly money cannot buy that kind of kudos.
Then there’s the career dimension – where, apparently, money can’t buy cyber security expertise either.
War for talent
Take the UK government and public sector. Earlier this month, the Met Police’s Cyber Crime Unit (e-Crime Unit as was… maybe this rebadged group is also populated by dads seeking street cred) announced it was heavily recruiting cyber experts to take on the online criminals.
But this was AFTER the Unit had lost its national cyber crime-fighting role to the recently formed National Cyber Crime Unit (NCCU) within the National Crime Agency – otherwise known as ‘Britain’s FBI’.
Less surprisingly, the NCCU launched its own rival online recruitment campaign on 1st November, seeking to scale up significantly by hiring 400 apprentice cyber crime fighters over the next year, even though it had just pinched nearly 60 experts from the Met. The assumption is that NCCU is going to train up rookies because it’s hard to find fully fledged cyber specialists.
The NCCU is also looking to bring in cyber experts from the private sector to act as ‘special constables’. The only response to which is: join the queue.
For, as last month’s ‘Global Information Security Survey’ from Ernst & Young reported, “lack of skilled resources” in their information security function is a major issue for two-thirds of organisations. EY information security director Mark Brown said at the time: “A lack of skilled talent is particularly acute in the UK, where government and companies are fiercely competing to recruit the brightest talent to their teams from a very small pool.”
The most well-publicised example of this ‘war for talent’ is the Territorial Army – sorry, the United Kingdom Army’s Joint Cyber Reserve Unit (enough with the name changes). The Government is spending £500 million to recruit hundreds of reservists as computer experts to work alongside regular armed forces – creating “a dedicated ability to counterattack and if necessary to strike in cyberspace”, as UK Defence Secretary Philip Hammond put it.
And so the unit’s pragmatic head, Lieutenant Colonel Michael White, hit the headlines last month when he told the BBC he would consider recruiting hackers to make up the numbers, providing they had the right skills and attitude, and could get through the vetting process.
The Government has recognised that the cyber skills shortage is a deep-rooted problem, and started to do something about it. For example, it has piloted degree courses in these skills at De Montfort University, the University of Worcester and Queen’s University Belfast, as part of its £650 million National Cyber Security Programme.
Meanwhile, another initiative in the same programme is the Government’s long-running attempt to get corporate board directors to understand the level of cyber threat facing them and to do more about it.
The fact that this battle remains ‘uphill’ was confirmed last week by Context Information Security CEO Mark Raeburn (see also ContraRisk Podcast 0019), whose company has just been confirmed as a supplier of the Government’s Cyber Incident Response emergency service.
Asked if he felt the board directors at Britain’s biggest and most important companies – the so-called critical national infrastructure – are now properly aware of the cyber threat, he said: “Much more needs to be done. It’s getting better but it’s a long way off perfect.”
Yet imagine for a moment if the policy paid off – and board directors took the cyber threat sufficiently seriously? They would only go out and try to hire more cyber security experts, making the skills shortage even more acute.
So, until enough trained people come out of the universities and apprenticeships, CISOs should enjoy their new-found trendiness and their scarcity value. Popular with your senior managers and your kids? You’re living the dream, people, living the dream.