Cyber Governors for London’s Schools

Or: Why cyber employers, professional bodies and trade associations should help provide, train and support governors who will help schools secure their systems and safeguard their pupils (guidance, fund-raising and procurement) at the same time as helping organise realistic careers guidance that is relevant to all, not just that subset for whom university is still the obvious choice.

The Cyber Resilience Centre for London was launched on 25th October. It is part of a national network  but it is also different. The security and resilience of the City of London and of Canary Wharf are critical to the UK economy as a whole. The people in its supply chain are both its biggest strength and its greatest weakness. I convene the advisory group, looking, inter alia, at the skills supply chain for the world’s greatest financial services hub outside the Americas. Signing up as a community member of the London CRC is free, but what you get out is proportionate to what you put in. Like the other CRCs, it is best viewed as an umbrella for local co-operation between law enforcement, business, academia and the public sector. In the case of London, local co-operation also has a global dimension.

As a “convenor” my role is to bring players together to discuss common problems and find collective solutions which they can realistically implement.  I will blog separately on the “Cyber Skills for London” programme, but on Thursday 10th I was asked to chair part of a conference on “Improving Cyber Security in Education”, from schools, through colleges to universities.

This exposed the near impossibility of the task most schools face in securing their systems, safeguarding their pupils and meeting their obligations to provide balanced and realistic careers advice. Meanwhile employers face the problem of retaining young cyber experts for long enough to turn them into rounded professionals who understand user needs and can secure the organisation and its supply chain against evolving threats – many first tried out in the world of education.

The idea of a collective exercise to use existing processes to address both problems in tandem has gone down well. Hence this blog post.

Please contact me via [email protected] if you would like to help turn the idea into reality.

Handling worsening problems of security and safeguarding at affordable cost

Comparison of the Educational institutions annex of the Cyber Security Breaches Survey 2022 with that for the previous year indicates how the situation has deteriorated since the report on   Cyber Security in UK Schools   produced  in parallel with the 2021 data breaches survey.

Few schools have the in-house expertise to comply with cyber essentials or the DfE guidance: Meeting digital and technology standards in schools and colleges – Cyber security standards for schools and colleges – Guidance . Too many of those that know they have a problem seem to think a “pen test” is the “answer” without understanding the question. Meanwhile most security “experts” do not know what is different about a school.

The Cyber Resilience Centres are tasked to help support schools in the same way as they are tasked to support SMEs and Charities, including by using supervised students from participating Universities. But it is a massive task and requires greatly improved understanding on all sides.

Hence the proposal that employers should, as part of their career progression and loyalty enhancement (alias retention) programmes, provide cyber security professionals with the time and support to train as schools governors to help the schools attended by the children of their staff and/or from which they hope to recruit.       

Addressing the cyber skills gaps by widening the talent pool

The UK Cybersecurity skills gap has widened by over 40% over the past year[1] as demand increased faster than supply. The most obvious bottleneck to supply is the reluctance of employers to take on trainees. But a key part of that reluctance is the cost of screening those expected to work on regulated systems (e.g. financial services) or government contracts (e.g. requirements for UK eyes only). That complicates attempts to diversify recruitment in line with supposed good practice.

Attempts to open up the supply chain also face the problem that currently fragmented cyber careers programmes[2] reach barely 2-3% of schools and colleges and an even lower proportion of potential mature entrants. Few cyber recruiters are aware of, let alone participate in the programmes organized via the Careers and Enterprise Company (see appendix) which help around 85% of schools meet their statutory obligations to provide careers guidance.

Every school and college should have a member of their governing body who takes a strategic interest in careers education and guidance and encourages employer engagement. The governing body must make sure that independent careers guidance is provided to all pupils throughout their secondary education (11 to 18 year olds) and students aged up to 25 with an education, health and care plan, and that it is:

  • presented in an impartial manner, showing no bias or favouritism towards a particular institution, education or work option;
  • includes information on the range of education or training options, including apprenticeships and technical education routes;
  • guidance that the person giving it considers will promote the best interests of the students to whom it is given. In schools, the governing body must also make sure that arrangements are in place to allow a range of education and training providers to access all students in years 8 to 13 to inform them about approved technical education qualifications and apprenticeships, and that a policy statement setting out these arrangements is published (the legal requirements of the ‘Baker Clause’). This should be part of a broader approach to ensuring that students are aware of the full range of academic and technical routes available to them at each transition point.’

Current in-schools careers programmes are heavily biased towards taking out £50,000 of debt to attend a full time degree courses because that is how most teachers were educated and the Universities run an annual marketing and recruitment programme that dwarves the spend of all others. UCAS alone turns over more than £50 million while the Careers and Enterprise Company has less than half that to help provide balanced guidance to all states schools.

Hence the proposal to work with Financial Services employers and those in their cyber security  supply chains  to work with the Careers & Enterprise Company,  Governors for Schools,  Careers CollectiveCareers Development Institute, the CEC London STEM hubs, London Grid for Learning and others to assemble a “London Cyber Careers Governors package covering:

  • Guidance for cyber employers as to why they should make staff available as schools governors
  • Guidance for cyber professionals wanting to become schools governors (e.g. tailored front end to existing generic materials)
  • Support packages, including materials and events, to help careers governors and leaders delver what us needed in their schools

The aim would them be to engage with CIISEC, COMPTIA, ISACA, ISC2, UK Finance and Tech UK and their employer members and supporters whose support is necessary for the exercise to succeed.

This initiative will not be enough to meet the wider Digital/Governance/Security/Resilience/STEM skills needs of London. There is a need to also explore wider co-operation to extend the remit of, for example, the Careers and Enterprise Company, to also serve those excluded from mainstream education and mature entrants, including those cross-training from other roles.

3) Addressing the vetting and screening problem

The vetting problem is multi-dimensional: screening potential governors and/or speakers in schools for competence as well as motivation and educating pupils on the need to avoid getting a criminal record or creating a social media profile which will exclude them from employment opportunities. There is also a need for more sophisticated screening to separate those who tick the wrong boxes from those who are a genuine risk. The proposal would be to involve the Better Hiring Institute with the aim of also reforming the public sector hiring policies and practices, including education and health, which are as much a part of the problem as is the current UK implementation of GDPR. We need to end the situation where It is easier to hire from overseas locations where applicants can erase or falsify their past, than from among the 5 million or so on benefits in the UK.

[1] Cyber security skills in the UK labour market 2022 compared to Cyber security skills in the UK labour market 2021

[2] Mapping informal cyber security initiatives for young people aged 5-19 – GOV.UK (

Data Center
Data Management