lolloj - Fotolia

The IT security skills crisis and the Boniface Dike Test

The security skills gap is well known but as Nick Booth finds out it is not as easy as getting people trained to fill those vacancies

Candidates for a career in IT Security need to be good at riddles. So here’s one about solving the skills crisis.

Only one industry figure has been brave enough to take the test so far. Paul Smith is the director of Glassblade, which writes code and builds hardware to fortify its clients against attacks.

OK, Mr Smith, what does Boniface Dike mean to you?

He’s a nurse on the surgical ward at Croydon University Hospital, answers Smith correctly. Research says he’s got a degree in IT security. But even though the IT industry is supposedly crying out for security talent, this keen graduate can’t get hired, confirms Smith.

Correct. So, why is he monitoring my blood pressure today (I’m writing this column while in hospital) when he should be managing hackers? Or at least beefing up the Mayday hospital wifi, which is frankly rubbish.

Can you enlighten us on this, Mr Smith?

“IT security recruitment seems to be based on arrogant presentation and sounding like a clever dick,” Smith says. Good honest answer! Admitting the problem is the first step.

“I’ve met some brilliant IT security chaps outshone only by their smugness,” says Smith. Entry to any IT environment is easier for a generalist at the lower end who shows some spark. Your chance will come to show your colours in your area of expertise - show your ability to learn on your feet.

Does the IT security industry lack imagination? Are they too lazy to bring talent through?

The whole Big IT board level management model can be lazy, he says. Like all board level activity, it’s often geared towards cronyism and belligerent claims and actions, says Smith. Meanwhile they’re totally lacking in actual coalface skills. 

“My spies in Big IT they tell me terrifying stories of consultants being hired and sweeping away all before them. They get away with it because they are all so dependent on the idiotic behaviour of everyone else at that level,” says Smith.

You suspect these are the same people who lecture the rest of us about innovation, diversity and corporate empathy.

“The cheques are effectively blank,” says Smith, “don’t fight that, just learn that it’s the environment you are acting in.”

How does an emerging talent like Boniface get desk time?

Tricky, says Smith. You have to make your face fit, at the entry level you need to appear confident but humble - and claim you can do anything! Start with agencies getting placements – do some general stuff for charities for reference work.

Sounds like neither the channel nor the private sector wants to help too much: Do the IT security crowd secretly love the skills crisis?

“Secretly? It is at the heart of the industry – there is no shortage of wit and imagination, it’s a total vacuum,” says Smith.

Actually there is a huge amount of wit and serious clever thinking, Smith says, but it’s all at the coalface.

Tomorrow’s IoT Networks are going to be desperately insecure . Should we be getting more people like young Mr Boniface into the system as we’ll desperately need them in five year’s time?

“Absolutely! IoT is going to be significant but deployment initially will be fragmented and low value. Until the things join up to provide an AI-driven optimised environment it will be hard to get a foot under the door,” says Smith. 

We need drastic measure to prepare for the looming IoT insecurity crises. There needs to be vastly better education about cybersecurity, says Ian Glover president of security accreditation body CREST.

Never specialise too early. A young person might want to go into medicine or law but not necessarily as a specialist brain surgeon or litigator. But we can’t describe real careers in technology and cyber security. Careers advisors, parents or guardians don’t know about these new careers and cannot easily identify someone to help.

We need to bridge this gap with media and language that young people understand. Otherwise we’ll widen the skills gap and raise heighten the UK’s exposure to risk, Glover says.

But who is actually going to do something about it?

Defining our terms would be a good start, says Amanda Finch, general manager at the Institute of Information Security Professionals (IISP).

We are not defining what we need in business terms, so people think a job in cyber security is a boring technicality, Finch says.

“We need people with eclectic skills, from cyber to psychology. There are roles for everyone,” says Finch.

Courses should focus on the employer’s needs rather than pure study. New recruits need to understand issues such as risk, project management and links to other areas of the business.

None of them ever do though. As I note from reading young Boniface’s CV. So there is a massive gap in the market for a decent training organisation with a bit of imagination.

Someone in the channel needs to develop courses to educate people for employment. There’ s massive opportunity even for people who run crap courses. Imagine the demand for your services if you could run something good! That would put a Boniface on the problem.

Read more on Data Protection Services