Lack of co-operation on cyber skills costs London more than membership of the EU costs the UK

I have been asked to change the headline of my blog yesterday on the case for supporting a London Cyber Security Skills Partnership. It was said to be as misleading as the headline arguments for Brexit or Remain. Instead I should have begun by saying that the amounts lost by Londoners and London-based businesses as a result of cyber crime, whether actually stolen or including business lost as a result of intrusive security or lack of customer confidence, are greater than the UK contribution to the EU, whether gross or net. And the main reason for those losses is our failure to take effective action on training, to develop, maintain and use systems that are secure by design rather than attempt to rely on awareness, education and layers of reactive security. Hence also the reason we need a London Cyber Security Skills Partnership which looks locally and globally – as opposed to a national partnership oriented towards the needs of cyberwarfare and the state. The skills overlap but the perspective, mix and priorities are different.

Therefore, I will begin again, under a corrected heading.

I have blogged before on my position on the referendum: the result matters less than what we do afterwards, whether in or out. I have also blogged on the cost of our failure to help Europe unravel the toxic politics of privacy, security and choice.  Today I would like to put forward the plan for creating a London Cyber Security Skills partnership to move from bleating about the problems of information security to taking world leadership in implementing the solutions – whether from inside or outside the European Union.

London has over 50 Universities and Colleges, some world class, but its employers regularly complain of skills shortages and contract or recruit overseas while many Londoners cannot get on the jobs ladder. “Blended learning” (technology assisted on-the-job training, mixed with off-the-job motivation modules, supervised work experience and mentoring) makes it quicker and cheaper to train raw talent or existing staff than to expensively trawl for some of the skills in shortest supply, such as those needed to secure on-line operations. But the skills to organise such programmes are in even shorter supply than most other high tech skills. More employers are currently looking for experienced security trainers than for experienced security architects! London has a kaleidoscope of skills programmes: from mentoring, work experience and careers advice in schools through apprenticeships (including both pre- and post-graduate) to conversion and returner programmes. But these are fragmented and rarely have promotion or marketing budgets.

The needs of Londoners, whether employers or those looking for work, vary by sector and geography, from where employers compete to attract talent into known career paths, such as the City, through technology clusters which need fast-changing, innovative skills, such as Shoreditch, to insular, sink estates, where hope is gone (and there is a win-win if we recruit the talent before it turns to the dark side). The all-party Digital Policy Alliance is therefore working on the concept of local partnerships, led by employers (seeking to meet their own skills needs), professional bodies and trades unions (seeking to place their members into work) and parents (wanting better informed choices and opportunities for their children) with a particular aim of engaging with networks of FE Colleges, who are all too often left out of mainstream digital skills programmes because large employers and national bodies lack the bandwidth to engage with them.

Success will depend on the cost-effective use of those with blended learning skills to mobilise “subject experts” to help students acquire the industry recognised qualifications and certifications currently expected by employers and recruiters (e.g. Comptia, CISCO, IBM, ISACA) in the course of their apprenticeship. The necessary materials are often available, at no charge, to the participating colleges, along with subject experts competent to support delivery and assessment: a common problem with programmes that start from scratch as opposed to building on what already exists. That will enable the scarcest resources to be focused on modules to meet emerging needs such as “security by design in digital marketing”: i.e. securing the now ubiquitous but notoriously vulnerable on-line apps.

It just so happens that security by design in digital marketing is the core technical skill for rebuilding confidence in the on-line world. It is also a black hole when it comes to finding training on how to do it. BCS and IET have just got round to mandating security components in the degree courses they accredit (from 2017 onwards). But most app developers do not have computer science degrees and those already practicing … Plugging that gap, including by supporting a proposal for a co-operation between a group of London FE Colleges and the Tech Partnership for a new generation of collaborative degree level apprenticeships, will be one of the “starter” projects for the new London Cyber Security Skills Partnership.

The other “starter project” is expected to be an exercise to address another black hole, the skills to help London’s 900,000 SMEs to secure their systems to at least the level of IASME: the best known of the certifications being mandated for those in the supply chains of central government, telcos, financial services and on-line retailers. Most of London’s SMEs are one man bands who really need to learn only how to secure their smart phone. But some, for example those in Fintech supply chains, may be honeypots for access to tens or hundreds of millions of pounds worth of transactions. And many well known data breaches involved entry via a supplier or partner.

The aim is to use such “starter projects” to test the practicality of creating trusted co-operation across boundaries to build on what is already being done or planned. The ambition is, of course, much greater. But we are following “Internet Rules” – think big but start small and either fail fast or scale on success.

There is a worldwide cybersecurity skills crisis with employers trying to recruit ten times as many “professionals” (usually they really mean competent technicians) as are being trained. There is lots of talk and a plethora of initiatives but none are on the scale needed and most of those affected have no idea who to work with and how to help them address the consequences.  This hits London particularly hard, as a global financial services centre, under sustained and serious attack at all levels from script kiddies through sophisticated and organised crime to nation states.

The concept is to bring together those who are serious about working together to achieve results, beginning with a basic project, to achieve specific objectives in an area of common concern:

  1. To package existing material (Get Safe On-line, Action Fraud, Operation Falcon, IASME, Cyber Essentials, CIFAS, CISCO, IBM, Intel, Microsoft, Symantec, Trend Micro, ISC2, ISACA, Comptia, City & Guilds, OU etc.) for delivery via FE colleges to SMEs, using information security professionals, suggested and supervised by law enforcement, skills partnerships and professional bodies.
  2. To use success to open up the large scale delivery of relevant professional qualifications, including via apprenticeship, cross-training and staff update programmes via partnerships with Universities and Commercial Providers, including those recruitment and staffing agencies who are already helping clients organise training and staff development, both in-house and external.
  3. To also use the exercise to help SMEs identify those who can help them achieve, for example, IASME accreditation and otherwise meet the requirements of their customers, suppliers and insurers.

It is the context that makes the proposal so “interesting”:

  1. SMEs (under 250 staff) in London may have multi-million (billion) turnovers or be in the supply chains of those who do. Their needs, timescales and priorities are different to those of GCHQ, MoD and Central Government (e.g. they may not only employ staff from, but have to work in close co-operation with customers and counterparts in, Brazil, China, India, Nigeria and Russia not just the EU) but co-operation and cross-fertilisation with the various UK Government programmes is highly desirable.
  2. The Falcon team has good material and case studies and is charged to run seminars for business (all levels)  but is fully stretched with operational needs. The FE colleges all want to deliver cyber/security courses but have few (if any) staff with the necessary expertise or experience. Both like the idea of working with each other, using pre-vetted industry experts who will not only put flesh on the packaged material but may also be available to professionally help those attending to implement what they have learned.
  3. The problems are acute among Fintech companies in the “graveyard slot” (with staff and finances fully stretched during the gap between start-up and venture capital funding).
  4. Competent security trainers of known provenance (e.g. security vetted or CIFAS cleared) are in even greater demand and shorter supply than, for example, Security Architects.

This will fail if it is just another bid for OPM (other people’s money).

The aim is to bring together those who have good business reasons for working together – outside government funding frameworks as necessary. Those who want to contribute, either because they have staff or customers they wish to train or retrain or are planning to take on trainees or apprenticeships, or because they have products and services for which they want to organise training, or because they have training courses, materials or facilities, should contact the Digital Policy Alliance with details of what they would like to bring to the table.

Please put 21st Century Skills Group in the subject line. By all means copy me but I am now only an advisor – the invitation lists are being maintained via the DPA until the partnership is ready to have an existence of its own.