January usually sees a sharp rise in recruitment effort across the financial services industry, to replace those leaving at year end or who hand in their notice after the Christmas break. This year recruitment effort is down because of the uncertainties caused by the crash in oil prices and the expected cost to the EU of preventing Grexit. Except for risk and compliance staff – where staff turnover continues to spiral upwards as supply falls ever further behind demand. According to Alex on 9th February (that most authoritative of sources on City developments) there are now 17,000 compliance officers getting in the way of doing business.
Those who have not yet taken action to secure their staff must therefore do something different – now. GCHQ has shown the way by announcing 50 cybersecurity apprenticeships for school leavers applying by 15th March. Meanwhile the Tech Partnership cybersecurity internship programme has had an impressive take-up. E-mail Howard Skidmore if you wish to bid for some of those not yet matched (believed to be less than 20) or to offer placements for the next intake.
The rest of you also have to consider who you will trust to retrain your existing staff, including users, to handle those roles which you cannot afford to contract to those you do not know.
Before Christmas I blogged on the expectation that 2015 will be the year of the compliance created collapse in cyberconfidence.
Over 60% of significant security incidents (data breaches, fraud, network collapse etc.) involve insiders, albeit digititis (e.g. mistakes with maintaining legacy systems overlaid with fashionable vapourware) and ignorance (linked to equally vulnerable identity and access control processes) remain a more common cause than malice or criminal behaviour.
Debate on how to improve the security of businesses or their customers is almost entirely driven by those selling technology or outsource services and processes to help tick compliance boxes. But the travelling compliance “expert”, who stays long enough to help you tick the latest regulatory boxes and collect the understanding and credentials to open the trapdoors in your security firewalls, is now by far the biggest single risk. He, it is usually a “he”, is an even greater (and more unnecessary) risk than short stay security “consultants”, help desk staff or cleaners. Albeit the “over-ambitious chief executive” who ditches due diligence in his (it is nearly always a he) dash for growth remains a greater absolute danger.
I recollect conversations with those then in charge of “risk” at BP when they came to try to audit safety and security systems along the supply chains of the organisations they had acquired in the US as the basis for their entry into the Gulf of Mexico. Their worst fears came true with the incident which came close to destroying the entire business while enriching a whole generation of Southern lawyers. I recollect similar conversations after the Chief Executive of RBS cut short due diligence with regard to his US acquisitions, before embarking on the take-over too far which did destroy the business.
Due diligence along the security (including risk and resilience) supply chains of organisations being considered for take-over is now big business for the law and audit practices of the City of London and their demand for the skills necessary is helping fuel the current salary spiral and staff merry-go-round which threaten to destroy the security of those who cannot ensure the loyalty of those who manage risk on their behalf.
A couple of weeks ago I thoroughly enjoyed an evening with the Management Consultants Livery Company when I helped open a discussion of the impact of “Big Data” (which I view as a subset of the current state of “Management Science”) on the Management Consultancy profession. I was interested to learn that the market leaders all have a very strong focus on training their own staff, rather than outside recruitment, even though they expect to lose more than half within 2 – 3 years. The following morning I attended an excellent NED Forum on the current state of the Dark Market and the analysis and intelligence services now available. I was interested to learn that, once again, the market leaders train their own analysts because the necessary Information Science disciplines are missing among the many recruits available from law enforcement or the military.
It is perhaps as well to remember that the cryptography operations of Bletchley Park were quite small compared to the Sigint (alias data analytics, or “Information Science”) operations which also maintained the symbiotic German Order of Battle (even down to the level of working out that two radio operators shared a girlfriend called Rosa). The Sigint operation was entirely female and some of the techniques used have not yet been declassified – because they underlie that which even Snowden did not discover and leak.
Hence the importance of ensuring that update training in Management Science, alias the disciplines behind “Big Data”, is available, when and where needed, to give existing security staff the skills they need to help organise intelligence-led security. It also makes good sense to trawl existing user staff, particularly female staff, for the necessary aptitudes before going outside for new recruits. When I ran the original Women into IT Campaign (1988 – 92) one of the surprises (at least to me) was the discovery that, on average, women stayed significantly longer than men, especially if offered flexible working conditions and other support to cope with family responsibilities (including elderly relatives, not just children).
Most compliance roles do not need cryptographic aptitudes or big data training but, if the exercise is to be more than just ticking the regulatory boxes, they do need an understanding of the business so as to ensure the compliance routines reinforce good customer service and do not get in the way of profitable business. The current demand for compliance staff, and the rate of turnover among those who have no good reason for loyalty, means that it is often both cheaper and quicker to retrain long stay user staff, particularly those who might otherwise become expensively redundant, than to recruit externally. The exercise also gives an opportunity to screen for those who might be brought into the main security team to help supervise the contractors to whom those technical and support operations which do not need to be in-house are contracted.
But who do you trust to deliver that training? This is not a trivial question of “competence”.
Trainers, like compliance officers, can make trusted contacts across your Chinese walls. I have therefore agreed to help the Tech Partnership identify those who are trusted to deliver training in other sensitive areas so that they can be asked if they are interested in helping specify and deliver modular update training in some of the areas identified as being in critical shortage, such as Identity and Access management (from customer mobiles and bring your own device to tiered access to complex systems and multiple locations, such as a global financial institution or an international airport) or the use of big data (alias management science) techniques to identify risk. Then there are the skills needed by compliance staff, the selection and training of whom should also be used to identify your next generation of security staff. I gave a longer list last year of the skills gaps based on my work for e-Skills, but we have prioritised since.