I recently agreed to help e-Skills engage financial services employers in reviewing their cyber security skills programmes, not just to find the gaps but also those willing to help fill them. So far I have found some good news and some bad news. The good news was that those concerned with recruiting information security staff thought the current frameworks (see the City and Guilds Documentation for Level 3 and Level 4 Apprentices plus the appendix mapping these onto existing industry qualifications for a detailed example of their practical implementation) were a good checklist. The bad news was that almost all employers are looking for experienced staff, not trainees – and few have the skills in-house to organise a training programme. There is, however, serious interest in using the frameworks on a modular basis to upgrade the skills of those in post and to cross-train users who understand the business.
I am now on the second phase of my study: circulating a draft report for feedback with the aim of identifying those interested in using early participation in the follow up to gain competitive advantage by developing and retaining the skills they need to protect themselves and their customers against fraud and abuse.
I am happy to send copies of that report to those with responsibility in their organisation for managing and controlling risk, reducing vulnerability and combating abuse. I am even happier to supply copies to those with responsibility for recruiting, developing and retaining the skills necessary. You can e-mail me for a copy and/or e-mail e-skills directly for an invitation to participate. Please include your name, job title, responsibilities, organisation and the areas and skills of most interest. If you can put the latter in order of priority that would be most helpful.
In the meantime readers may be interested in the headlines from my draft report. Some are obvious, in retrospect. Others may well be controversial, particularly for those who put their own agendas above that of preserving the reputation of the City of London as the premier, globally trusted, international, on-line trading hub.
1. The UK Financial Services Industry is internationally focussed, not UK-centric
Financial services career paths are increasingly global. Major players are concerned to meet overseas, particularly US, regulatory standards, not just those of the UK. The US is not, however, the only, or even the most important, trading partner and global customers (e.g. sovereign wealth funds) expect their activities to be protected against all-comers (including “our” security, surveillance and cyberwarfare operations as well as “theirs”). This gives the opportunity to take a lead in setting global professional and security standards. It also, however, means that UK-centric requirements and co-operation arrangements are of limited interest.
2. Cyber is a turn-off and Information Security is boring. The drivers are a mix of fraud prevention, resilience, customer confidence and compliance
Few directors are interested in “information security” and “cyber” is a turn-off. Boards are, however, concerned about the consequences of insecurity: impersonation, fraud, industrial espionage, sabotage, extortion and other forms of abuse and predatory behaviour. The skills sought come under a variety of headings: from compliance through intelligence, investigation and risk to security.
Commitment to action on skills, other than to fill known vacancies, appears unlikely without support from Board members who are seriously concerned to ensure compliance with regulatory requirements, maintain customer confidence, handle the transition to secure mobile transactions (already over 50% and accelerating) and improve the corporate ability to respond rapidly and effectively to major incidents.
That is because policy and budgets for recruitment and training are rarely controlled by members of the professional bodies currently engaged with the cyber security or information assurance agendas.
3. Understanding of the business is essential for those roles which cannot be “co-sourced”. Most require skills mixes which cut across professional boundaries.
The days of “in-house” or “outsourced” are gone but attitudes still differ according to whether functions are handled in-house or “co-sourced” using shared service operations (e.g. to handle fraud reporting and investigation across an industry sector) and trusted partners (e.g. retainers with audit practices and others to help with major incidents).
Risk management and security roles in financial services require understanding of the business (objectives, constraints, priorities and vulnerabilities) and cut across people and technology processes as well as across electronic and physical security. Few are purely “cyber” and many of these are more concerned with fraud prevention and resilience than with information security.
Information Security is subordinate to those with responsibility for “Risk”, “Fraud” and “Compliance”, except where it is directly involved with the design, acceptance testing, operation and monitoring of people and technology processes and supporting systems. Many of those with cross-cutting roles have come in from other disciplines and need cross-training in information security.
Financial services employers therefore wish to mix and match modules from a variety of disciplines to update and broaden the skills of those they already have in place more than they wish to use these to develop the skills of new recruits. In consequence success entails co-operation with the Financial and Legal Skills Partnership, Skills for Justice, The Security Institute and others.
4. It is easier to get support for Continuous Professional Development and update programmes but widespread use of outsourcing presents serious complications with regard to delivery.
Outsourcing and co-sourcing mean that even large organisations often have in-house security teams that are too small for customised skills development programmes. Moreover many security professionals are self-employed, individually accredited and/or responsible for their own training. Most employers are currently focussed on external recruitment to fill those in-house roles which cannot be filled by training users with security skills more easily than by educating outsiders to understand the business.
It is therefore easier to get interest in, but not necessarily commitment to, support for frameworks for “continuous professional development”. Those with graduate intake and apprenticeship programmes for accountants, bankers and lawyers might be persuaded to extend these to include information security skills. However, given the limited number of employers able to organise in-house apprenticeship or CPD programmes, a better way forward might be to get recruitment agencies, HR consultancies, colleges and universities, to look at the economics of providing this as a service to local employers and/or alumni.
5. There are significant issues to do with updating and marketing
The content needed in the modules will evolve over time in line with changing threats, technologies, opportunities and market structures. Generic structures which seek to avoid obsolescence by avoiding reference to particular technologies are, however, difficult for employers to relate to. They are concerned with developing the skills to address current problems – not looking into the fog of future needs.
6. A variety of marketing fronts and delivery channels will be needed to promote and present the content in forms to which the target audiences of employers and employees will relate.
7. The skills gaps identified to date:
Within most of the gaps identified there is a need for modules at all levels from process specification and system design, through operations, to end-user training, plus end-to-end performance monitoring. The frameworks and materials necessary to fill several of the gaps have potential global markets.
Some of the gaps below are addressed by the Financial and Legal Skills Partnership (FLSP), albeit with specifications focussed on the people processes to meet accounting, legal and regulatory requirements. Others are similarly addressed by Skills for Justice and the Security Institute.
The mechanisms for co-operation in ensuring the delivery of “joined up” material, covering both technology and people processes, when, where and how employers require are unclear.
7.1 Putting risks into business context and justifying spend
This requires an understanding of the business, an ability to quantify and balance the risks it faces (including that of losing business because of intrusive or slow security processes) and to turn problems into opportunities. The skills are not specific to information security but do require an understanding of it. It may be worth exploring use of the COBIT framework for linking security to business objectives.
7.2 Mobile: including identity, authorisation, data access, transactions and privacy
Most current programmes were planned before the transition to mobile gathered pace. Mobiles now account for over half of all financial services transactions and there are skills gaps at every level from system and application design, through the use of trusted computing technologies (including to identify the device and location being used and, with less certainty, the individual using the device), to educating end-users in personal security and safety using their own or corporately issued devices.
7.3 Investigation: inc. forensics and the collection/preservation of evidence & co-operation with law enforcement
This is best organised in co-operation with the programmes planned by the National Crime Agency, City and Metropolitan Police, Crown Prosecution Service and others. The reasons are partly to ensure common standards and partly because training together is a good way of building the trust that is essential for co-operation. The programmes also need to cover international processes because few major incidents are purely intra-UK. This area would benefit from close co-operation with Skills for Justice and those organising similar programmes to serve other parts of the globe, including, but not confined to, the EU and US.
7.4 Asset Recovery: inc. local co-operation with overseas law enforcement and others
Financial services organisations are usually more concerned with asset recovery under civil law, rather than the cost and uncertainty of securing action under criminal law. The techniques available and disciplines involved overlap with 7.3 above and 7.5 and 7.6 below but are by no means identical.
7.5 Governance/compliance: including Anti-money laundering, know your customer, suspicious activity reporting, customer protection, data retention/protection etc.
Financial services have a great many governance and compliance requirements which require technology support or the vetting of those who provide technology support. These include “know your customer”, anti-money laundering, suspicious activity reporting, data retention as well as protection, bring your own device policies, red flag behaviours, zero tolerance, bribery, corruption and customer protection. FLSP has modules covering many of these from a legal perspective. The technology perspective also needs to be covered.
7.6 Intelligence led Security: direction, collection, analysis, reporting
Direction and reporting require understanding of the organisation’s objectives, priorities and culture (including to make reports on risks and threats meaningful to those running the business). Collection (logging, reporting, open source etc.) and Analysis (from historic log analysis to the real time use of big data tools) can be outsourced but the skills are in short supply (see 7.10).
7.7 Identity Management: including individuals, organisations and trusted devices
A prime need is for the skills to make effective use of the many ID systems and methodologies in current use and to enable the organisation to work with suppliers and customers using different approaches. A particular problem is to bridge the different approaches of public and private sector. There is also the need to manage corporate identities, including on-line and along supply chains.
7.8 Access Control: who has access to what, under what circumstances, inc. age verification
This is much wider than Data Protection but similarly links to identity management and authorisation. It may benefit from being organised in co-operation with other regulated industries (e.g. Credit Reference, On-Line Gambling and Adult Content) where reputations for security and privacy are core.
7.9 Authorisation Processes: inc. PCI-DSS and those of major suppliers/customers inc HMG
These should include both the evolving authorisation processes of the card and payment clearing industries and those of HMRC (including for Real Time Information from employers), DWP (for interactions with employers and Local Government), Cabinet Office and others for those who have dealings with the public sector. This area may benefit from being organised in co-operation with Local Government, HMRC and DWP, all of whom have large numbers of staff to be trained at all levels from overall process and system design to end-user routines and guidance on handling exceptions.
7.10 End User Skills and Processes: including access control and authorisation
Many large organisations run programmes to train all staff (i.e. not just those in call centres or on help desks) in basic security (how to reduce the risk of falling victim to social engineering and what to do if you think you have), the control of access to systems and information (particularly personal information on staff or customers) and incident reporting. There is a case for working with those organising such programmes on a commercial basis and with the CPNI Homer team to produce generic frameworks which can be used by those organising such programmes and for certificating those covered (e.g. all our staff are certified to XYZ).
7.11 Incident Response: from damage limitation, through notification requirements, to public relations
This cuts across a great many disciplines from those involved with handling the immediate response and restoring service through those handling the consequences (including technical, regulatory, customer relations etc.) to those handling image and reputational issues.
7.12 Big Data: both for detection and for protection
The skills needs range from understanding and using the techniques to analyse traffic and logs for detection and investigation purposes, through real-time authentication based on pattern analysis and the means of assessing the security of services provided by others, to protecting data retained for analytical purposes or because of regulatory and law enforcement requirements. These range in level from the ability to understand and use packaged services operated by others separately or in partnership (e.g. Trend and IBM with “Deep Discovery” and “QRadar”) to those to develop and maintain such services on a customised basis.
7.13 Website Security, including the handling of abuse and impersonation
Nominet has produced some useful material in this area but there is a need also to ensure that sites meet legal and regulatory requirements (e.g. under the e-Commerce Directive), are secured against hacking and abuse and contain routines for reporting abuse or impersonation (and for responding to such reports) which help enhance confidence. There is also a need to address the security issues, and exploit the opportunities, raised by the transition from IPv4 to IPv6.
7.14 Vetting and personal behaviour
Financial services organisations are concerned with the motivation and not just the competence of staff. A number of professions (e.g. the Chartered Institute of Securities and Investment) have mandatory programmes to develop attitudes towards good practice. There are also regulatory and statutory requirements in several sectors. This cross-relates to 7.10, and FLSP has specifications covering the recruitment, selection and retention of colleagues. The issues do, however, go further and there is a good case for co-operation with both CPNI and the Chartered Institute of Personnel Development on shared modules covering processes for CV checking and behaviour monitoring (including over social media).
7.15 Support for Small Firms, generic and those in the supply chains of large firms
This should include the skills to implement, advise on and support the audits by IASME or CREST that are to be made mandatory for SMEs supplying Government, as well as any other requirements from Banks and Insurance Companies (including PCI-DSS etc.). There is also a need to look at support for micro-businesses (e.g. the FSB members who are too small for IASME). The skills in this area are likely to cut across all others at the “foundation” level.
7.16 Process Control: alias SCADA, Internet of Things, Ubiquitous computing
This was not part of the remit for this exercise but serious interest and potential volunteers to help address the issues were found.
8. Current Action Plans
8.1 Follow up on contacts made with …
8.2 Work with … on surveys to obtain views on which skills are in short supply and the priorities of those interested in participating in joint action.
8.3 Follow up on contacts made with … to look at organizing activities to identify employers willing to work together on skills issues.
8.4 Follow up on discussions with recruitment agencies and others to explore business models for commercially attractive (to all sides) co-sourced CPD and apprenticeship programmes.
8.5 Identify security suppliers interested in helping specify material that will help current and potential customers make effective use of their products and services.
8.6 Identify training providers interested in participating in the programmes with a view to supporting apprentices, those following continuous professional development or cross-training programmes, or those wishing simply to fill skills gaps.
I look forward to receiving comments, particularly from those with responsibility for protecting their employer and its customers and in helping with the specification, organisation and delivery of materials, courses and qualifications to fill some of the gaps above. I would also be interested in comments on how best to reconcile the various intra-UK, intra-EU and intra-NATO agendas with those of truly global players.
I am of the personal opinion that co-operation in education and training is the best means of reconciliation – but I remember being trained in the same signal school as those who were to man the signals rooms of the destroyers we had sold to the Shah of Iran. We were strictly segregated. I subsequently came to appreciate the reasons. That said, the risk management and security teams of global trading operations have long needed to organise co-operation against common (criminal) adversaries between those whose governments do not trust each other. The development of cyber espionage and warfare merely adds a new dimension to the tensions between merchants and warlords that go back to the dawn of civilisation.