igor - Fotolia

Why is hiring a government chief security officer such a tricky business?

Security bosses and CIOs weigh in on why they think the government is struggling to recruit a chief security officer

This article can also be found in the Premium Editorial Download: Computer Weekly: Tackling legacy systems by making IT evergreen

When civil service boss John Manzoni billed the job of government chief security officer as the “biggest and most important security job in the UK”, he may have inadvertently dissuaded interested applicants from applying for the role.  

As Computer Weekly reported earlier this month, the government has found it tough to recruit for the position, with implementation minister Oliver Dowden admitting in Parliament that the original recruitment campaign had been unsuccessful.  

The campaign has been so unsuccessful that the Cabinet Office has changed tack and is seeking a temporary candidate to take up the position on a two-year fixed contract. Thereafter, the government will once again try to fill the post permanently.

The role was originally created in 2016, and was held on a temporary basis by civil servant Campbell McCafferty until the government was ready to recruit for a permanent position – and it seems as if the government is choosing to go down the same path again, something that junior shadow Cabinet Office minister Jo Platt is concerned about.  

Platt, who had asked Dowden for an update on recruitment for the position, said the role is “critical for our national security and requires the stability and dedication of a permanent, long-term appointment”.

“It is shocking that the government is scrambling around to find a temporary fix after failing to recruit the right person, despite having two years to do so,” she said.

A massive undertaking

So why has the government failed in recruiting someone for a £150,000 role that we were led to believe was an attractive proposition?

David Clark, head of security at the Francis Crick Institute, the biomedical research centre in London, believes the position as it stands could be too daunting.

“The remit would be so widespread, it would be a massive undertaking for someone to get their teeth into, and a role like that feels like inevitably, sooner or later, your head is going to be on the chopping block – no matter what you do,” he told Computer Weekly at the recent Cyber Security Connect UK conference in Monaco.

“Some of the implementation is going to be down to them, and sooner or later something’s not going to go right and it will be that poor person whose head will be on the chopping block,” he added.

However, Mark Walmsley, chief information security officer (CISO) at law firm Freshfields Bruckhaus Deringer LLP, disagreed.

“Most CISOs expect there to be constant pressure and for the industry they’re in to be demanding. Many work for multi-billion dollar businesses – is that any different to working for government? The volume of attacks that a global bank would see compared to a government department or entity is much higher,” he said.

The initial job ad stated that the government’s chief security officer would be responsible for implementing and driving the Transforming Government Security Programme, and for “protecting government’s people and information” from several threats, including cyber crime and terrorism.

They would also be responsible for the delivery of a classified information network across government under the Foxhound IT programme.

With such a broad scope of responsibility, David Clark believes that it would help if the person selected for the role was well deputised, and that this was made clear on the job description.  

The government is recruiting a deputy director of security for the Government Digital Service (GDS) in a £100,000-a-year role, that would involve advising the chief security officer as well as GDS director Kevin Cunnington on security issues. But that may not be enough to spread responsibility among a team of people.

“There has to be someone at the top of the tree, but if they’re well deputised, that could make a difference. A suite of four deputy CISOs with derived responsibility would be a better way to approach it,” Clark said.

The job description is an area that the CIO for UK military operations overseas at the Ministry of Defence (MoD), Nicholas Lloyd, highlighted could have been an issue from the outset.  

“Maybe the response they’ve had is because the way they’ve described the job, the role and the accountabilities to go with it – if you want to attract a certain type of person, you want to be pitching the job that aligns with the skills that they have,” he said, adding that he hadn’t seen the details about the job itself, which suggests that it is not as big of a role that Manzoni had hyped it up to be.

The age-old pay package dilemma

For such a big job, the government’s £150,000 salary doesn’t quite match up to the criteria either.

“The person they need is going to be very experienced, very qualified and someone at the top of their game – that person is going to be very well paid for what they’re doing currently, so to attract them into this high-stakes, high-risk environment, you have to offer really big money,” said Clark, adding that the government would need to offer at least 25% more just to get people of the right calibre to apply.

Walmsley echoed Clark’s views, adding that some CISOs working in the private sector were earning “millions of dollars a year”.

But the pay isn’t the only constant difference between the public and private sectors.  

Walmsley suggests that working as a CISO for government “is just not as sexy”, with the bureaucratic nature of Whitehall a big deterrent.

“It may just be that [security officers] think that implementation will be slow, and CISOs want to react quickly to risk – most industries you’ll get that, but in government you wouldn’t,” he said.

The government’s change in strategy to bringing in an interim chief security officer also comes with its own issues, as it suggests a different type of position.

“Generally speaking, if you want an interim it’s because you want something delivered that’s normally change-related, you want to get from where you are to where you want to be – rather than sustaining,” MoD’s Lloyd emphasised. This makes the fact that the government is changing strategy to hire an interim security officer even more surprising.

But, Clark concluded: “Someone will be crazy enough to take it on at some stage”.

Read more about government IT

Read more on IT for government and public sector