The churn of information security staff is even more dangerous than the shortfalls in quality

You might like to scroll down and read the last paragraph of this blog entry first. “The Consultant” was first published in 1978 during the run-up to a previous “IT Skills Crisis”. It was based on a cautionary industry case study. Think what has changed since. Be afraid. Be very afraid.

Last year a Frost and Sullivan survey indicated that chief information security officers around the world were more concerned about staff shortages than hacktivism or cyber-terrorism, with over half having under-staffed departments and demand for skills growing at 10% per annum.
We have had regular IT Skills crises over the past 50 years but the overall shortage has rarely been more than 15% (1987-9 “crisis”, “cured” by the 1991 recession: page 17 of 1996 IT Skills Trends report). The 2014 RSA Conference was told that the current shortfall for Information Security staff is 25% and recent US legislation cited a vacancy rate in the Department of Homeland Security alone of 22%. Hence the sharp rise in US spend on cyber security skills programmes.

As yet, the equivalent UK programmes are significantly more modest but competition for experienced staff, the salaries on offer for those with the skills in most demand and staff turnover have all accelerated sharply since I forecast trouble earlier this year.

I therefore spent much of Quarter 2 helping e-Skills try to get employers in the Financial Services sector to look at the skills frameworks for information security apprentices (both pre- and post-graduate) and continuous professional development and identify any changes needed to help meet their needs.

I blogged on my interim report in June and you will find a summary below, headlining areas where those I contacted could find little or no relevant training on offer. I am about to go back to the employers to find out who they would trust to train their staff, with a view to inviting the named providers to co-operate on needs analyses and short course modules for launch in Quarter One of 2015.

First, however, I should comment on why the rising turnover rate is even more dangerous than the shortages. Annual turnover among supposedly permanent staff has rarely been more than 20% (1987–90 and again during the run-up to Y2K) and the 2013 ISC2 Information Security Workforce study found a churn of barely 11% p.a. among its professional members. However, a more recent Ponemon study found a churn rate of 25% among technical information security staff, rising to over 30% among managers and 40% among CISOs and Security Directors.

There appears to be a growing gulf between those who focus on giving skills in current demand to loyal, long-stay staff, while training their own “apprentices” (of all ages), and those who say this is too difficult and would rather bid against each other for plausible individuals who claim to already have the skills and experience being sought.

This gulf also exposes the real danger. A lot is said about the need for soft skills. Unfortunately, the most eloquent can include the “front men” for organised crime. In the last century (how long ago that sounds) I used to warn that the organised crime families of South London (where I grew up) were encouraging the brightest of the next generation to go on computer science courses and specialise in information security: not just to learn for themselves but to befriend the high fliers and identify their preferences (sex, gambling, drugs etc.) with a view to future “co-operation”.

I was therefore appalled when looking at current information security skills frameworks to see how little attention there is to processes for selecting and vetting recruits (even topics as basic as “how to check a CV” appear missing) and for monitoring personal behaviour (where is there anything about processes for colleagues to report concerns over suspicious behaviour?).

The relevant paragraph in my report to e-Skills read as follows: “Financial services organisations are concerned with the motivation and not just competence of staff and several sectors and professional bodies have mandatory requirements (e.g. the Chartered Institute of Securities and Investment programmes to develop and assess attitudes towards good practice). The FLSP has specifications covering the recruitment, selection and retention of colleagues. There is a good case for co-operation with the CPNI and the Chartered Institute of Personnel Development (CIPD) on shared modules, including processes for CV checking and behaviour monitoring (including over social media).” I was therefore delighted to learn last week that the CIPD was not only happy to lead on work in this area but has already assigned staff to do so.

The context and full list of areas that need to be better addressed were included in the summary of my report:

Key Constraints and opportunities

•    The UK Financial Services Industry is internationally focussed, not UK-centric.
•    The drivers are a mix of fraud prevention, resilience, customer confidence and compliance.
•    A focus on cyber and information security results in contact being delegated to those with operational rather than budget responsibility.
•    Roles which do not require understanding of the business are increasingly “co-sourced”, to joint operations serving a peer group and/or to trusted partners providing securities services. Those roles which are not outsourced commonly require skills mixes which cut across professional boundaries.
•    It is therefore easier to get support for adding security components to employers’ existing training and continuous professional development and update programmes but the degree of “outsourcing” and “co-sourcing” means that the in-house skills to organise such additions are often lacking.
•    It appears (needs to be confirmed) that it is more effective to promote action on the part of those with budget and strategy responsibility via sector-based peer groups.

The Skills Gaps identified to date

•    There was favourable comment on the e-Skills “Learning Outcomes Draft” as a check list to aid the assessment of recruits

•    The Generic Gaps, common to all sectors, found to date were:

o    Mobile: including identity, authorisation, data access, transactions and privacy
o    Big Data: both for detection and for protection
o    Cloud: including secure access and regulatory and liability issues
o    Website Security, including the handling of abuse and impersonation
o    App Security, including the application of security by design disciplines
o    Collaboration across cultural and professional boundaries
o    Process Control: alias SCADA, Internet of Things, Ubiquitous computing

•    The Sector Specific Gaps, albeit often with common underlying disciplines and technologies, were:

o    Putting risks into business context and justifying spend
o    Intelligence-led Security: direction, collection, analysis, reporting
o    Access Control: who has access to what, under what circumstances
o    End User Skills and Processes: including for access control and authorisation
o    Vetting and personal behaviour
o    Identity Management: including individuals, organisations and devices
o    Authorisation Processes: including PCI-DSS, HMG, major suppliers/customers
o    Governance/compliance: inc. AML, KYC, SARS, Data Retention and Protection
o    Support for Small Firms, generic and those in the supply chains of large firms
o    Incident Response: damage limitation, notification, consequent liability, public relations etc.
o    Reporting: what to report, to whom and how, and what response to expect.
o    Investigation: forensics, evidence collection/preservation, co-operation with law enforcement
o    Asset Recovery: local (not just in the UK) and cross border

Action Plan

Organise follow up activities to identify priorities, those willing to comment on their needs in sufficient detail to enable suppliers to address them, plus those willing to work together to achieve common objectives in identifying, recruiting and harnessing talents.


Please contact me if you already provide relevant training, are looking for it or would like to help organise and deliver relevant modules. I also remind you that a sector skills council needs to act as a clearing house for those looking at all levels (from end-user and SME, through pre- and post-graduate apprenticeship to continuous professional development) and all channels (from online MOOCs to personalised face-to-face).

There are serious business opportunities in this space which are better addressed by using the sector skills partnership and exploiting the evolution of e-Skills into the Tech Partnership. In that context I also recommend reading the report on which current BIS cyber security strategy appears to be based. I do not agree with the emphasis on commercial opportunities with regard to the SME marketplace (unless the arguments elsewhere about the need for segmentation are taken to also apply to the SME marketplace) but it is, otherwise, more thoughtful and thought-provoking than most such studies.

My big concern is, however, that those who seek to recruit cyber-security specialists on the open market, as opposed to retraining existing long-stay employees, lay themselves open to recruiting skilled insiders who will unlock their defences without them ever knowing who was responsible.

Younger generations will not have had the opportunity to read or watch “The Consultant”, written by John McNeill, one of the founders of Logica. It was supposedly based on a case study he used when advising clients on the risks of hiring information security consultants whose provenance they did not know.

Plus ça change …