Why you need to act now
The Heartbleed fiasco, with the requirement for an audit and update effort akin to that of Y2K, together with advice to end-users that mixes the unrealistic, incomprehensible and misleading with opportunities for further malpractice, has brought forward a skills crisis that was building steadily. As with Y2K, it is unclear how serious the problem really is, but few have the skills to work out whether they are at risk. As with Y2K, some of the plethora of tools available add to the confusion by, for example, flagging as unsafe sites that do not use or need Open SSL
Meanwhile the rising tide of on-line fraud and abuse, facilitated by leaks from insecure transaction processing systems and by increasingly sophisticated phishing attacks linking phone, mail, text, e-mail and physical contact (e.g. courier fraud ), threatens to overwhelm those with neither the in-house skills to understand what is happening nor the skills and resources to respond effectively. The problems are about to be compounded by ill-considered regulatory intervention, e.g. data breach notification, and (of course) the post-Snowden fall-out.
There is a serious and growing shortage of those with the skills to help organisations follow good practice in self protection and take effective action when they or their customers come under attack or disaster strikes.
Even before the Heartbleed incident there were estimates that the vacancies to be filled will more than double this year. Supply is not keeping pace. Demand for those with two years or more of relevant experience is estimated to be four times the trainee intake last year, let alone the year before. Those who do not act now to train their own will have difficulty in retaining existing staff, let alone recruiting, as the salaries on offer to those with two or more years experience rise sharply.
Those who recruit graduate trainees also know that they will have to compete harder for the best, diversify the sources they use and ensure they have employment policies that enable them to retain more of those they train.
Your three pronged strategy to turn problem into opportunity
1) Retain and retrain those you already have in post in the face of offers from consultancies, audit practices and law firms bidding for experienced staff as well as from your peers and your competitors.
Seeking to recruit experienced security staff (often of uncertain quality) on the open market at a time of skills shortage can actually be counterproductive, especially if it also takes longer for outsiders to understand the business than for existing staff, including users, to acquire the skills needed. But effective retention and retraining programmes require organising and supervising rapid, modular skills acquisition, while using trusted contractors to handle those tasks which can be outsourced.Training and apprenticeship contracts, with repayment of costs in the event of departure within two years, are legally enforceable, Strathclyde v. Neal was the test case, but remember that these cut both ways, the training and work experience must be delivered.
An obvious "solution" is therefore to offer apprenticeship contracts to those you wish to retain or redeploy, to fill the gaps in their knowledge, as well as to new recurits, and then volunteer to help review and test the skills frameworks for the apprenticeship programmes being piloted via e-Skills as part of the Government Cyber Security Skills Strategy. These are based on bringing together the relvant sections of the main industry skills frameworks (SFIA, IISP, CESG etc.). The published result can be found in the City and Guilds handbooks for their Level 3 and Level 4 diplomas. The City and Guilds handbook covering technical knowledge for the Level 4 diploma maps these onto relevant materials and examinations, including CISCO. Comptia, Linux, Microsoft, Oracle and VMware qualifications.
I have agreed to help e-Skills identify employers, particularly from the financial services sector to review the new frameworks against their own needs, suggest any necessary extensions and help pilot the result. Early feedback has been very positive although I expect suggestions for extensions and new material to better cover compliance with the identity, authorisation, access control and reporting standards particular to financial services, from the Payment Card Industry standards, through those for fraud detection, money laundering, asset recovery and co-operation with law enforcement, including internationally, to meet the requirements of the Bank of England, the Financial Conduct Authority and regulators and law enforcement agencies around the world.
I would like to hear (copy to e-skills) from employers in the financial services industry willing to work with their peers and their suppliers to help ensure that the frameworks do indeed meet their needs, particularly from those wanting to use participation in the pilots to help recruit and retain their existing staff and their 2014 recruitment intake. I still have some places available at a couple of round tables next monday (28th April) on the eve of Infosec to identify those interested in working together and excpect to organise more.
That leads me to the second strategic prong
2) Try before you buy using active participation in careers, work experience and internship programmes to pre-select better prepared and motivated trainees from school, college and university and position your organisation as an employer of choice, assessing potential employees outside an artificial interview situation and letting them see what life will like, working for you.
Those who complain about the quality of recruits, but do nothing to help improve their attitudes and abilities and better inform their study and career choices, have only themselves to blame for the quality of those available for them to select. Those who engage locally, not just nationally, providing mentoring, work experience and internship opportunities, also acquire the opportunity to choose from the best without having to pay upper quartile salaries. Those willing to offer flexible working conditions for mature entrants and returners can also expect well above average retention rates for those they retrain.
There are a wealth of programmes to help educate potential recruits and make advance contact with the brightest and best - from the Computer Clubs for Girls (I have blogged before on why women are better suited to information security than men ) that reach over 150,000 girls from over 4,500 schools, through careers materials such as the Secure Futures section of the e-Skills "BigAmbition" careers website and the Behind the Screen for the curriculum and mentoring programmes such as Cyber Champions and the STEM Ambassadors programme to the Cyber Academy internship programme , which publicises opportunities of 3 - 12 months for undergraduates taking IT-related degrees or postgraduates on specialist Masters courses with employers providing meaningful work, mentoring and a fair rate.
The competitions in the annual Cyber Security Challenge are used by a growing number of well known employers to attract and assess entrants of all ages and backgrounds, outside a formal interview situation, for a variety of security related careers. Support for the local and national heats of the competition(s) of your choice is an inexpensive and enjoyable way of also publicising the opportunities you offer to participants.
I have blogged before on the final prong, beginning with how to get support from the board .
3) Use awareness programmes for all staff and those in your supply chains to build strength in depth as an organisation which protects its staff, its customers and the families of both: The attitudes of your staff towards protecting their own information, as well as that of the organisation and its customers are essential to building trust and competitive advantage, in a world of increasing consumer cynicism. Being seen to be serious about educating your staff and their families in how to protect themselves, as well as the organisation, has a major impact on attitudes and loyalty. Working with those in your supply and distribution chains is also essential to reduce the risks to you and your customers if their systems are compromised.
So where do you go for assistance to turn you skills strategy into an action plan?
"Cyber Security Skills: a guide for business", produced in support of the recent BIS publication "Cyber Security Skills: business perspectives and next steps" lists the main initiatives recognised by Government or in receipt of public funding. I am in the process of trying to summarise it into a short web-based action guide, structured around the above three prong strategy and would be happy to hear from potential reviewers before I put my first draft up as a blog entry in the near future.