From Talk to Action - Joining up Cyber, Resilience, Fraud and On-line Safety Skills.

I recently used forty years of hindsight (with past digital policy studies and skills initiatives) to digest the recent DCMS Cyber Security Sector and Labour Market Analyses and 2021 Data Breach Survey into a five minute elevator pitch to help set the scene for the SASIG Cyber Security Skills Festival session on finding and attracting talent. I will add a link to the recordings when they are available on line. Meanwhile the key points and follow up actions are below.

Four points emerge:

  1. The recruitment pool is shallow and dominated by the needs of GCHQ, MoD and about twenty large outsource suppliers, plus those (different) of a thousand large users, mainly in finance and the public sector. These collectively employ about 100,000 full time cyber security professionals plus another 75,000 in risk management roles which include part-time responsibility for cyber security (commonly alongside compliance, business continuity, fraud control etc). There are about a million more with nominal responsibility for cyber in smaller organisations. Most of these have had little or no training or certification – beyond being named as data controller on the form sent to the Information Commissioner's Office.
  2. The current pipeline supplies less than half the demand. Most of that demand is not for full-time professionals with technical skills. It is for those with the people skills to manage business risk and ensure continuity – with cyber as a subset, essential but not sufficient.
  3. Barely 60% of cybersecurity graduates and under 10% of computer science graduates go into Cyber because it pays less. Three years down the pipeline 90% of the job ads for cyber professionals, and nearly 80% of those for roles which include cyber, call for graduates. And they tend to offer 30% more than those for other IT roles.
  4. Medium to large users outsource some or all of their cyber security. Most small organisations do not because they cannot find credible and affordable local suppliers. Hence the importance of the support plans of the Cyber Resilience Centres, linked to those for quality-controlled skills incubators, including the Cyberhubs being attached to Universities and Career Colleges.

There is also an elephant in the room. This is not covered in the reports but was raised later in the SASIG event: employment fraud. Most of the jobs advertised on-line do not exist. Those that do are commonly not in the gift of those advertising them. And somewhere over a third of applicants tell lies. Hence the reason for the launch of Jobs Aware.

So what should YOU do?

  1. Be clear as to what skills YOUR organisation needs. There is considerable overlap between the cyberwarfare and critical infrastructure protection skills of those in GCHQ, MoD, the major Telcos/ISPs and their supply chains and the skills needed to protect large users (particularly in financial services and aerospace and petrochemicals) whether these are in-house or, more likely, contracted out to a relatively small number of large providers. There is less overlap with the skills needed to protect and support the million or so SMEs.
  2. Offer more in order to get your choice of trainees (graduate or otherwise). Then reinforce loyalty with an apprenticeship or other training contract. I have written and blogged on this over several decades. It works but it requires you to also think and plan ahead. Loyalty cuts both ways. (I used to write regularly on this in the context of digital skills. The same applies to Cyber.)
  3. Trawl for in-house talent for those jobs where it is quicker to train a user with the cyber skills they need than to train an outsider to understand the business. Focusing on external recruitment risks alienating your in-house talent. It is not just wasteful. It is dangerous.
  4. Make use of the Cyber Resilience Centres and their embryonic skills partnerships to develop and test (try before you buy) the talent you need (whether in-house or employed by some-one you trust to support you). You should also use participation to help quality control your processes for vetting recruits, nurturing talent, monitoring performance and reinforcing loyalty.

I maintain a guide to current cyber (broadly defined) policing and skills structures and initiatives. It includes links to those partnerships which have gained traction and are producing results. If I have missed any that you rate highly, please let me know and I will add after checking provenance.

The most “time-friendly” way of identifying partnerships likely to help meet your needs is probably to join the Digital Policy Alliance Group identifying and supporting those with the potential to succeed.  The next meeting is on 26th May. One of the items for discussion is support for a pilot in the South East (outside London) to join up across a Cyber Resilience Centre, Grid For Learning, Careers and Enterprise Company Region, Local Enterprise Partnership, a DWP Restart Region and branches of relevant professional bodies and trade associations.

The group intends to use the framework of the Cyber Security Centres to help join up local action, not just discussion, across Five “Pillars”:

  1. Risk and Governance awareness: including addressing the myth that Cyber Security is all coding and technical.
  2. Diversity and inclusion: to tackle the issue of inclusion and attract and nurture talent across the full spectrum of humanity, women, BAME, neurodiversity, physical abilities etc.
  3. SME and supply chain security and support – by region, sector or both.
  4. Technical challenges – including the ever-evolving nature of connected devices, systems and dependence on digital, communications, cloud, artificial intelligence and machine learning.
  5. Cyber-Physical Security – including vetting, access control and tracking reliant on vetting, authorisation and telecoms databases, AI based CCTV etc.

Success will entail joining up the programmes of those national players who are seeking to help secure business customers and those in their supply chains across the UK with local support via channels they trust, at costs they can afford, using messages to which their leadership will relate.

One of the messages from the Data Breaches survey was that the NCSC guidance goes down well with those who access it, but far too many do not think it is relevant to them, until they are introduced to it by some-one they trust, who has put it into the context of their own business.

The deliverables need to include putting “cyber” messages into the context of reporting the rising tide of spam (text, phone, e-mail etc.) to some-one who will do something, realistic guidance on what to do if you (or one of your staff) have responded and how to reduce your exposure to risk, including of:

  • losing your ability to process credit cards (the most common business driver for action)
  • business and/or personal impersonation (with all the hassle entailed)
  • selling controlled goods to some-one under-age
  • your systems being used to access or host illegal material

Hence the aim of working with and through the local channels, such as neighbourhood watch, business watch, schools and colleges (under heavier attack, often from their own pupils, than most businesses) and mainstream work experience and careers advice services for all age groups.

The meeting on the 26th is for DPA members and registered observers, but those interested in becoming members are welcome to attend as a “taster”. Before further participation they would be expected to join.  More details are available at: https://www.dpalliance.org.uk/join-us/.

P.S. It is just over a year since I made a call for 100,000 cyber volunteers to help handle the on-line security and impersonation challenges of Covid. Some listened. I recently sat in on a meeting where I heard of those who helped secure the NHS. It is time to discuss how to exploit the flexibility that has existed since 2011, to allow security professionals to be both military reservists and special constables. The processes refer to the need for safeguards against abuse. We need to debate what those safeguards should be, and pilot them, locally, rather than treat the topic as “too difficult”.