Google has obtained serious publicity for a modest “me too” exercise to train children to help address on-line bullying. I very much hope that this is not just gesture PR but a trial to see what works. If it works, I hope that Google will follow through with the muscle that only it can mobilise – working with others and not in isolation. Whether or not those in Google who decided to support this exercise saw it that way, they are addressing one of the points of leverage that will make or break the future of the public Internet as a safe, reliable and family friendly place to do business, as well as to learn and play.
I was lucky enough to join the computer industry before there was any careers material to put me off or tell me that, as a historian, I was not qualified to be a trainee computer programmer. My first publication, on why computer systems fail (serialised in Computer Weekly in 1973), was linked to a study of why employers talk of skills shortages while failing to take on trainees or update their existing staff.
Nearly forty years on, that is still the case. We hear talk of the need for 100,000 more IT professionals each year, but a report in Computer Weekly last week indicated that half those in post had received no training at all from their employers over the past five years – at a time when the half-life of technology-level security skills is down to little more than one year.
So why has nothing been done to address the systemic problems in the UK ICT skills market, despite reports and analyses every other year?
The reasons have not changed since Machiavelli summarized them five hundred years ago.
“There is nothing more difficult to take in hand, more perilous to conduct, or more uncertain in its success, than to take the lead in the introduction of a new order of things. For the reformer has enemies in all who profit by the old order, and only lukewarm defenders in all those who would profit by the new order, this lukewarmness arising partly from fear of their adversaries … and partly from the incredulity of mankind, who do not truly believe in anything new until they have had actual experience of it”
· Change is resisted by those who do well under the current regimes (taxation, funding, regulation etc.)
· Change is promoted by those who do not do well, or are greedy for more
· Those in charge of the regimes therefore protect the past from the future unless faced by crisis
But funding cuts mean that preserving the status quo is no longer a serious option for those running the UK regimes. If we do not give our existing workforce the skills in demand today and enable our children to acquire the skills of tomorrow (when they need them) there will be no-one left in wealth-creating UK-based jobs to fund the state and pay their pensions.
Now let us look at an area where whole industries are at risk:
· UK Industry spends well over £3 billion p.a. on information security
· HMG spends £600 million p.a. and has announced an extra £640 million over 4 years
· In 2012 London will be a Global honeypot for e-criminals and cyberterrorists
· Who will need what skills to defend themselves and their customers, let alone you?
· How will they obtain them?
· How do we turn a problem into an opportunity to transform the UK skills market?
The gap between public and private sector information security policy is not just the level of spend. Government spends much of its budgets planning and implementing new process. The private sector spends little on new processes, unless driven by regulatory change. Instead it spends on training and technology to implement, police and monitor processes that evolve over time and meet global, not just intra-UK, expectations of good practice.
The past few weeks have seen a lot of hype in the papers about cyberwarfare as cold-war warriors try to maintain defence spending. A more immediate risk is that the financial services industry, which spends most of industry’s £3 – 4 billion a year on information security, will move core operations out of the UK. That exodus may be blamed on fiscal and regulatory overheads but it is also easier to staff information security operations based in India or China – even though most major players would much prefer to base them in the UK.
That preference may, however, evaporate if we do not have the skills and there is a serious risk of cyberchaos in London during the Olympics. The influx of visitors to the world’s greatest financial center gives a unique opportunity to cyberfraudsters. Paradoxically that may reduce the risk of cyberterrorism because cyberfraudsters wish to milk the on-line world, not disrupt it. They have, on occasion, taken brutal action against hackers who disrupt their cash flows.
Testing for the systems serving the Olympic venues is well under way and the security exercises for the critical national infrastructure are due to start in May. But there are serious concerns over plans to handle the technical-level information security workload that assume ready-trained staff will be available in short order. There should be no problem obtaining suitable candidates (quality as well as quantity) from among those currently out-of-work or about to be made redundant, but the individuals will need to be trained.
We are beginning to run out of time but, provided the necessary modular short-course programmes are operational by about September, this can be viewed as an opportunity to begin a long overdue transformation of UK ICT training provision – rather than a genuine crisis. Hence my strong support for the plans to get the security stream of the National Academy of IT Skills operational by then. One of the reasons for the gap between this and my last blog entry has been the time I have spent on the invitation list for a meeting to be hosted by David Blunkett next Monday to identify a cadre of employers to help ensure that the plans really do meet their needs. The response from Chief Information Security Officers in major organizations indicates serious interest and the meeting may be as comfortable as the black hole of Calcutta. If so, I will rejoice rather than apologize.
That is, however, only part of the transformation needed. We need networks capable of delivering short modules to global standards across the UK (not just in London), at a variety of levels and in different volumes (from basic skills to thousands and specific high-level skills to dozens). I am delighted to say that those networks are being formed. I had lunch earlier this week with the Chairmen of the Council of Professors and Heads of Computing and of the BCS e-cademy to discuss how to knit some of these together, in co-operation with the e-Skills exercise.
But a short-term reaction to the stresses we will face in 2012 is not enough.
The Millennium Bugbusters training programme gave basic PC support skills to tens of thousands so that they could ensure there were no Y2K problems in widely used systems. But there was no follow up of the other skills needed. This time we need to ensure that the Olympic legacy includes a transformed attitude to ICT careers and career development – at all levels, from schools, through continuous technical and professional development to life-long learning.
We need to ensure that short term success (in building better bridges between Financial Services, Law Enforcement and Government to share their needs as employers, with those in the Universities who want to use the revenues from update programmes to stop going broke) also changes the way UK employers look at the choice between retraining and recruitment, as well as at helping programmes to enthuse and educate the next generation.
We need career development paths and guidance for mature entrants and those whose skills are no longer in demand – at the same time as exercises to enthuse the next generation, building on the BCS Computer Science 4 Fun programme and the Cybersecurity Challenge.
We need to match the Russian and Chinese programmes for patriotic hackers, correcting the idea that to become a skilled cyberwarrior you have to begin on the dark side. The recidivism rate is over 80%. That way lies chaos.
Instead we need to open up the route from on-line prefect, helping to police the virtual playground and protect the vulnerable against bullying and exploitation, to cyberwarrior helping win the bloodless (hopefully) battles of the future.
Once again the good news is that this concept has struck a chord, including with Google. The task is to draw in support to build on what already works, turning constraints and problems into opportunities, rather than starting yet more fragmented initiatives.
This is one of my priorities for my stint as chairman of the Security Panel of the IT Livery company. I look forward to hearing from readers who are willing to work with others in this space to help already planned initiatives to reach critical mass – and not just those who wish to launch their own exercises.