2015: The Year of the Compliance-Created Cyber Confidence Collapse?

We are bombarded with messages promoting new security technologies when most organisations lack the skills to make effective use of existing products and services to protect themselves and their customers against fraud and abuse. Too many compete for supposedly competent and experienced experts rather than retrain those who already know the business. In consequence, turnover among those who can tick the boxes of the certifications in current demand and have the gift of the gab is spiralling up, and actual security is spiralling down. The problems are being compounded by layers of regulation that reward bad practice and open up more vulnerabilities than they address.

The biggest security risk now faced by employers is not outside hackers. It is compliance experts who stay just long enough to help you tick the latest regulatory boxes, having acquired the understanding of your systems and the security credentials necessary to do so. The drive by the European Commission to address supposed “data protection” problems, supported by the US obsession with “Data Breach Notification”, could not have done a better job of opening up opportunities for serious fraud (both high value and mass market) if it had been actively planned by organised crime.

Autumn 2014 saw an explosion in recruitment effort for supposedly permanent compliance officers, well ahead of cybersecurity specialists and other assorted digerati. The average length of stay is now under 18 months. A quick scan of applicants shows that many have not stayed anywhere for more than a year since before the banking crash.

Next year will probably see the nadir of trust in the on-line world.

Part of the solution is for those who are serious about security to stop recruiting external staff of uncertain provenance (beyond the certification of their technical knowledge) for roles which should never be entrusted to those whose loyalty to the organisation is untested. Instead they should retrain long-stay staff, particularly those who might otherwise be made redundant or otherwise become disaffected after being passed over. This requires the organisation, however, to be serious about trying to rebuild the reciprocal loyalty that has been put at risk by a decade or more of outsourcing.

They should also start investing for the future by using the growing number of modular degree, apprenticeship and internship programmes to recruit and train the next generation, using the Tech Partnership funding available and training contracts to enable them to claim exemption from National Insurance, at the same time as reinforcing loyalty by providing serious CPD training for existing staff. The combination of changes and launches over the past month has dramatically changed the cost/risk calculations that should underpin the choice between retraining and recruitment. Add in the need to reinforce staff loyalty and competence to reduce the dangers of insider-assisted fraud and it should be a no-brainer. Change does, however, require the Head of Information Security to stop talking cyberbabble and FUD and start talking business cases and staff development programmes with the Finance and HR Directors before putting plans to the Board.

I started writing on the need for programmes to address our mounting e-crime problems in 2004. In 2011 I blogged on the need to ACT “before the shit hits the fan”. Earlier this year I warned the crisis was about to come to a head, with an accelerating merry-go-round for those claiming relevant skills and experience. I then agreed to help e-Skills (now the Tech Partnership) look for employers to help identify gaps in the supply of training for the new cybersecurity learning pathways. My subsequent report was accepted and I am currently helping the Tech Partnership identify those training providers trusted by major employers to help them fill skills gaps. I say “trusted” because training providers, like compliance officers, are among those able to work across security barriers without raising eyebrows.

When prioritising the security skills gaps, the technology employers identified “Big Data” (including its use to detect fraud as well as its own vulnerabilities), “Cloud” (from access devices and networks to the hosting centres) and “Mobile” (including “Bring Your Own Device”) as their top three. Financial Services commonly have a different, but not necessarily incompatible, perspective. Their focus is on “Identity and Access Management” in all its dimensions. These range from registering, identifying and locating the devices (often BYOD) allowed access to services (often cloud based), to the use of Big Data to analyse digital footprints to decide who should be given access and to monitor their subsequent behaviour (Vetting and Monitoring), including good practice in the use of those services already offering precognition reports based on on-line behaviour, an area where financial services employers have mixed views.

But the biggest issues are less to do with the technologies than with the people processes they should be supporting. What is legal, let alone good, practice in the vetting and monitoring of potential recruits, employees and current or would-be customers? Hence also the critical nature of my recent blogs on the Government Verify system and the obsession with trying to remove any face-to-face element in the creation of new digital credentials to replace those in which trust has been lost – in order to meet yet another deeply flawed EU initiative to address the problems of the last century.

The world has moved on. As part of my work with the Tech Partnership I am helping organise round tables in the New Year to bring together employers, recruitment agencies, training providers and members of relevant professional bodies and interest groups (including CIPD, CPHC, IAAC and SASIG) to identify those willing to work together on training needs analyses and the provision of relevant courses and material to meet the needs of today and tomorrow.

In some of the most critical areas the first task is to identify what good practice is.

For example, one of the areas is reporting: to whom should you report what, how, and what should you expect to happen? Here the training needs analysis has to begin by “negotiating” the answers with law enforcement and major ISPs, because the answers are not at all clear. The situation is equally unclear with regard to checking the CVs of potential recruits and assessing the probity, not just the technical competence, of those who could destroy the security of the organisation. Then there is the confusion over what is good practice in monitoring staff behaviour over time, given that signs of stress are more likely to be to do with health, finances or family issues leading to a propensity for mistakes and bad judgement rather than fraud.

However, the exercise will be of little value unless we also address the reasons why employers are not retraining existing staff and why support for apprentice programmes is poor and may even have been falling. Hence also the importance of the work with which I have also agreed to help the Digital Policy Alliance (I remain a member of the unpaid advisory committee) on why so few employers invest in training. The DPA Skills working group suspended activity for the duration of the House of Lords Digital Skills Select Committee. Instead we urged members to submit evidence. The Committee has received over a thousand pages of evidence and those who have followed the oral hearings will have noticed a number of themes emerging. The DPA Skills group therefore plans to reconvene in February, after the Committee has reported, to discuss how to help implement the recommendations. That will probably entail focussing on how to help make the break out from Groundhog Day: the 50-year-long (to date) cycle of Skills Reports that have never yet led to action.

The Chancellor made a great start this month by exempting apprentices aged under 25 from National Insurance and funding some excellent Tech Partnership programmes, but that will not be in time to address the compliance-created cybersecurity crisis of 2015 as short-stay insiders help loot those organisations which place no value on corporate loyalty – unless employers make good use of the funding available for CPD programmes.