I recently agreed to help e-Skills engage financial services employers in reviewing
their cyber security skills programmes, not just to find the gaps but also those
willing to help fill them. So far I have found some good news and some bad
news. The good news was that those concerned with recruiting information security
staff thought the current frameworks (see the City and Guilds Documentation for Level 3 and Level 4 Apprentices plus the appendix mapping these onto existing industry qualifications for a detailed example of their practical implementation) were a good checklist. The bad news was that almost
all employers are looking for experienced staff, not trainees - and few have the skills in-house to organise a training programme. There is, however,
serious interest in using the frameworks on a modular basis to upgrade the skills of those in post
and to cross-train users who understand the business.
I am now on the second phase of my study: circulating a draft report for feedback
with the aim of identifying those interested in using early participation in the follow up to gain competitive advantage by developing and retaining the skills they need to protect themselves and their customers against fraud and abuse.
I am happy
to send copies of that report to those with responsibility in their organisation for managing and controlling risk, reducing vulnerability and combating abuse. I am
even happier to supply copies to those with responsibility for recruiting, developing
and retaining the skills necessary. You can e-mail me for a copy and/or e-mail
e-Skills directly for an invitation to participate. Please include your name, job
title, responsibilities, organisation and the areas and skills of most interest.
If you can put the latter in order of priority that would be most helpful.
In the meantime readers may be interested in the headlines from my draft report.
Some are obvious, in retrospect. Others may well be controversial, particularly for those who put their own agendas above that of preserving the reputation of the City of London as the premier, globally trusted, international, on-line trading hub.
1. The UK Financial Services Industry is Internationally focussed not UK-Centric
Financial services career paths are increasingly global. Major players are concerned to
meet overseas, particularly US, regulatory standards, not just those of the UK.
The US is not, however, the only, or even the most important, trading partner
and global customers (e.g. sovereign wealth funds) expect their activities to be
protected against all-comers (including "our" security, surveillance, and cyberwarfare
operations as well as "theirs"). This gives the opportunity to take a lead in
setting global professional and security standards. It also, however, means that UK-centric requirements
and co-operation arrangements are of limited interest.
2. Cyber is a turn-off and Information Security is boring.
The drivers are a mix of fraud prevention, resilience, customer confidence and
directors are interested in "information security" and "cyber" is a turn-off. Boards
are, however, concerned about the consequences of insecurity: impersonation, fraud, industrial espionage,
sabotage, extortion and other forms of abuse and predatory behaviour. The
skills sought come under a variety of headings: from compliance through intelligence,
investigation and risk to security.
to action on skills, other than to fill known vacancies, appears unlikely
without support from Board members who are seriously concerned to ensure
compliance with regulatory requirements, maintain customer confidence, handle
the transition to secure mobile transactions (already over 50% and accelerating)
and improve the corporate ability to respond rapidly and effectively to major
is because policy and budgets for recruitment and training are rarely controlled
by members of the professional bodies currently engaged with the cyber security
or information assurance agendas.
3. Understanding of the business is essential for those roles which cannot be "co-sourced". Most require skills mixes which cut across
The days of "in-house" or "outsourced" are gone but attitudes are still different
according to whether functions are handled in-house or "co-sourced" using
shared service operations (e.g. to handle fraud reporting and investigation
across an industry sector) and trusted partners (e.g. retainers with audit practices
and others to help with major incidents).
management and security roles in financial services require understanding of
the business (objectives, constraints, priorities and vulnerabilities) and cut
across people and technology processes as well as across electronic and
physical security. Few are purely
"cyber" and many of these are more concerned with fraud prevention and
resilience rather than information security.
Security is subordinate to those with responsibility for "Risk", "Fraud" and
"Compliance", except where it is directly involved with the design, acceptance
testing, operation and monitoring of people and technology processes and
supporting systems. Many of those with cross-cutting roles have come in from
other disciplines and need cross-training in information security.
Financial services employers therefore wish to mix and match modules from a variety of
disciplines to update and broaden the skills of those who are already in place
more than they wish to use these to develop the skills of new recruits. In
consequence success entails co-operation with the Financial and Legal Skills
Partnership, Skills for Justice, The Security
Institute and others.
4. It is easier to get support for Continuous Professional Development and update programmes but widespread use of outsourcing presents serious complications with regard to delivery.
Outsourcing and co-sourcing mean that even large organisations often have in-house security
teams that are too small for customised skills development programmes. Moreover
many security professionals are self-employed, individually accredited and/or
responsible for their own training. Most employers are currently focussed on external
recruitment to fill those in-house roles which cannot be filled by training users
with security skills more easily than by educating outsiders to understand the
business. It is therefore easier to get interest in, but not necessarily commitment to,
support for frameworks for "continuous professional development". Those with graduate
intake and apprenticeship programmes for accountants, bankers and lawyers might
be persuaded to extend these to include information security skills. However, given
the limited number of employers able to organise in-house apprenticeship or CPD
programmes, a better way forward might be to get recruitment agencies, HR consultancies,
colleges and universities, to look at the economics of providing this as a
service to local employers and/or alumni.
5. There are significant issues to do with updating and
The content needed in the modules will evolve over time in line with changing
threats, technologies, opportunities and market structures. Generic structures
which seek to avoid obsolescence by avoiding reference to particular
technologies are, however, difficult for employers to relate to. They are concerned
with developing the skills to address current problems - not looking into the
fog of future needs.
6. A variety of marketing fronts and delivery channels will be needed to promote and present the content in forms to which the target audiences of employers and employees will relate.
7. The skills gaps identified to date:
For most of the gaps identified there is a need for modules at all levels from
process specification and system design, through operations, to end-user training,
plus end-to-end performance monitoring. The frameworks and materials
necessary to fill several of the gaps have potential global markets.
of the gaps below are addressed by the Financial and Legal Skills Partnership (FLSP),
albeit with specifications focussed on the people processes to meet accounting,
legal and regulatory requirements. Others are similarly addressed by Skills for
Justice and the Security Institute.
The mechanisms for co-operation in ensuring the delivery of "joined up" material,
covering both technology and people processes, when, where and how
employers require are unclear.
7.1 Putting risks into business context and justifying spend
This requires an understanding of the business, an ability to quantify and balance
the risks it faces (including of losing business because of intrusive or slow
security processes) and turn problems into opportunities. The skills are not specific
to information security but do require an understanding. It may be worth
exploring use of the COBIT framework for linking security to business
7.2 Mobile: including identity, authorisation, data access, transactions and privacy
programmes were planned before the transition to mobile gathered pace. Mobiles now
account for over half of all financial services transactions and there are
skills gaps at every level from system and application design, through the use
of trusted computing technologies (including to identify the device and
location being used and, with less certainty, the individual using the device),
to educating end-users in personal security and safety using their own or
corporately issued devices.
7.3 Investigation: inc. forensics and the collection/preservation of evidence & co-operation with
This is best organised in
co-operation with the programmes planned by the National Crime Agency, City and
Metropolitan Police, Crown Prosecution Service and others. The reasons are partly
to ensure common standards and partly because training together is a good way
of building the trust that is essential for co-operation. The programmes also
need to cover international processes because few major incidents are purely
intra-UK. This area would benefit from close co-operation with Skills for
Justice and those organising similar programmes to serve other parts of the globe,
including, but not confined to, the EU and US.
7.4 Asset Recovery: inc. local co-operation with overseas law enforcement and others
Financial services organisations are
usually more concerned with asset recovery under civil law, rather than the
cost and uncertainty of securing action under criminal law. The techniques
available and disciplines involved overlap with 7.3 above and 7.5 and 7.6 below
but are by no means identical.
including Anti-money laundering, know your customer, suspicious activity
reporting, customer protection, data retention/protection etc.
Financial services have a great many governance and compliance requirements which require
technology support or the vetting of those who provide technology support.
These include "know your customer",
anti-money laundering, suspicious activity reporting, data retention as
well as protection, bring your own device policies, red flag behaviours, zero tolerance, bribery,
corruption and customer protection. FLSP has modules covering many of these
from a legal perspective. The technology perspective also needs to be covered.
7.6 Intelligence led Security: direction, collection, analysis, reporting
Direction and reporting require understanding of the organisation's objectives,
priorities and culture (including to make reports on risks and threats
meaningful to those running the business). Collection (logging, reporting, open
source etc.) and Analysis (from historic log analysis to the real time use of
big data tools) can be outsourced but the skills are in short supply (see 7.10).
7.7 Identity Management: including individuals, organisations and trusted devices
The need is for the skills to make effective use of the many ID systems and
methodologies in current use and to enable the organisation to work with suppliers
and customers using different approaches.
A particular problem is to bridge the different approaches of public and
private sector. There is also the need to manage corporate identities,
including on-line and along supply chains.
7.8 Access Control: who has access to what, under what circumstances, inc. age verification
This is much wider than Data Protection but similarly links to identity management and
authorisation. It may benefit from being organised in co-operation with other
regulated industries (e.g. Credit Reference, On-Line Gambling and Adult
Content) where reputations for security and privacy are core.
Processes: inc. PCI-DSS and those of major suppliers/customers inc HMG
This should include both the evolving authorisation processes of the card and
payment clearing industries and those of HMRC (including for Real Time Information from employers), DWP (for
interactions with employers and Local Government), Cabinet Office and others
for those who have dealings with the public sector. This area may benefit from
being organised in co-operation with Local Government, HMRC and DWP, all of
whom have large numbers of staff to be trained at all levels from overall
process and system design to end-user routines and guidance on handling
End User Skills and Processes: including access control and authorisation
large organisations run programmes to train all staff (i.e. not just those in
call centres or on help desks) in basic security (how to reduce the risk of
falling victim to social engineering and what to do if you think you have), the
control of access to systems and information (particularly personal information
on staff or customers) and incident reporting. There is a case for working with
those organising such programmes on a commercial basis and with the CPNI Homer
team to produce generic frameworks which can be used by those organising such
programmes and for certificating those covered (e.g. all our staff are
certified to XYZ).
Incident Response: damage limitation, through notification requirements to public relations:
This cuts across a great many disciplines from those involved with handling the
immediate response and restoring service through those handling the
consequences (including technical, regulatory, customer relations etc.) to
those handling image and reputational issues.
Big Data: both for detection and for protection
The skills needs range from understanding and using the techniques to analyse
traffic and logs for detection and investigation purposes, through real-time
authentication based on pattern analysis and
the means of assessing the security of services provided by others, to
protecting data retained for analytical purposes or because of regulatory and
law enforcement requirements. These range in level from the ability to
understand and use packaged services operated by others separately or in
partnership (e.g. Trend and IBM with "Deep Discovery" and "QRadar") to those to
develop and maintain such services on a customised basis.
including and the handling of abuse and impersonation
has produced some useful material in this area but there is a need to also
ensure sites meet legal and regulatory requirements (e.g. under the e-Commerce
Directive), are secured against hacking and abuse and contain routines for
reporting abuse or impersonation (and responding to such reports) which help
enhance confidence. There is also a need to address the security issues and
exploit the opportunities raised by the transition from IPv4 to IPv6.
Vetting and personal
Financial services organisations are concerned with the motivation and not just competence
of staff. A number of professions (e.g. the Chartered Institute of Securities
and Investment) have mandatory programmes to develop attitudes towards good
practice. There are also regulatory and statutory requirements in several
sectors. This cross-relates to 7.10 and FLSP has specifications covering the
recruitment, selection and retention of colleagues. The issues do, however, go
further and there is a good case for co-operation with both CPNI and the Chartered
Institute of Personnel and Development on shared modules covering processes for CV checking
and behaviour monitoring (including over social media).
Support for Small Firms, generic and those in the supply chains of large firms
This should include the skills to implement, advise on and support the audits by IASME
or CREST that are to be made mandatory for SMEs supplying Government, as
well as any other requirements from Banks, Insurance Companies (including
PCI-DSS etc.). There is also a need to look at support for micro-businesses
(e.g. the FSB members who are too small for IASME). The skills in this area are
likely to cut across all others at the "foundation" level.
alias SCADA, Internet of Things, Ubiquitous computing
This was not part of the remit for this exercise but serious interest and potential
volunteers to help address the issues were found.
Current Action Plans
8.1 Follow up on contacts made with ...
8.2 Work with ... on
surveys to obtain views on which skills are in short supply and the priorities
of those interested in participating in joint action.
8.3 Follow up on contacts made with ... to look at organizing activities to identify employers
willing to work together on skills issues.
8.4 Follow up on
discussions with recruitment agencies and others to explore business models for
commercially attractive (to all sides) co-sourced CPD and apprenticeship
Identify security suppliers interested in helping specify
material that will help current and potential customers make effective use of
their products and services.
Identify training providers interested in participating
in the programmes with a view to supporting apprentices, those following
continuous professional development or cross training programmes or those
wishing simply to fill skills gaps.
I look forward to receiving comments, particularly from those with responsibility for protecting their employer and its customers and in helping with the specification, organisation and delivery of materials, courses and qualifications to fill some of the gaps above. I would also be interested in comments on how best to reconcile the various intra-UK, intra-EU and intra-NATO agendas with those of truly global players.
I am of the personal opinion that co-operation in education and training is the best means of reconciliation - but I remember being trained in the same signal school as those who were to man the signals rooms of the destroyers we had sold to the Shah of Iran. We were strictly segregated. I subsequently came to appreciate the reasons. That said, the risk management and security teams of global trading operations have long needed to organise co-operation against common (criminal) adversaries between those whose governments do not trust each other. The development of cyber espionage and warfare merely adds a new dimension to the tensions between merchants and warlords that go back to the dawn of civilisation.