UK businesses are currently the least likely to offer incentives to cyber security staff to reward them for their performance and efforts, a global report reveals.
Some 42% of UK organisations – the highest proportion globally – do not have incentives for information security professionals, according to the report by Intel Security and the Center for Strategic and International Studies (CSIS).
The report, which polled 800 infosec pros, examines the difference between the incentives available to IT professionals who defend against cyber attacks compared with the incentives for attackers.
The report suggests UK businesses can learn more from the incentives on offer to attackers, and can use this knowledge to attract, motivate and retain information security professionals more effectively.
Attracting and retaining people with cyber security skills is challenging for most companies in the face of a worldwide shortage, with 1.8 million information security-related roles expected to remain unfilled worldwide by 2022, according to the latest Global Information Security Workforce Study from (ISC)2.
“Misaligned incentives between attackers and defenders mean that the decentralised market in which cyber criminals operate makes them adapt and innovate faster and more efficiently than defenders, whose incentives are shaped by bureaucracies and top-down decision making,” said the report.
According to the report’s authors, this means companies and governments will need to rethink how they measure, reward and incentivise those working in cyber defence.
“The cyber crime market is efficient, and the incentives for cybercriminals are clear and compelling,” said the report. “The same is not true for defenders. Criminals flourish in this market, but most defenders work in bureaucracies. In most companies, cyber security is the responsibility of a diverse range of groups and individuals using different (and sometimes conflicting) metrics for success.
“Incentives are not only misaligned between attackers and defenders, but also in companies.” This indicates the need for a cultural shift in the way defenders are recognised and rewarded.
Different countries seek different incentives
According to the report, respondents in different countries displayed a range of views on incentives, with Japan and the UK valuing recognition or awards higher than other incentives, while Mexico and Germany valued them the least.
Respondents in Brazil, Mexico and the US were most likely to place the most value in financial compensation. Japan, Mexico and Germany put a higher premium on paid time off than other countries.
Opportunities for individual recognition
UK organisations, therefore, need to pay more attention to providing recognition and awards for information security professionals, with 65% of respondents indicating they would like more of that type of incentive.
“There are many ways to incentivise people, and if you solely look at financial, employees will be there only until they get a better financial offer,” said Raj Samani, chief technology officer at Intel Security for Europe, Middle East and Africa.
There are many ways of incentivising information security professionals, and employers should look at things like satisfying employee curiosity by letting staff tackle projects that interest them, and providing opportunities for internal and external recognition by boosting their public profile, he told Computer Weekly.
Some organisations have programmes for recognising an individual’s achievements by awarding them the title of fellow or principal engineer.
“Unless organisations start thinking about different ways to incentivise people beyond financial compensation, I don’t think they will be able to attract the staff they would like in such a competitive market,” he said.
For example, Intel Security, soon to be spun off as an independent company under the McAfee banner, provides opportunities for employees to achieve international recognition and build their personal brand in the information security world through publishing research, speaking at conferences, speaking to the media, and blogging on cyber security topics.
The company also promotes discoveries by information security researchers through social media and has an internal achievement awards programme. “It is a great environment to be in, it inspires people to do more and that is why people are attracted to working at the company,” said Samani.
Companies that fail to value and enable recognition for achievements, he said, are likely to find that talented individuals will seek employment elsewhere.
Promoting cyber security jobs in schools
At the same time, however, he said more people need to be attracted to the information security profession in the first place, and that should start at the grassroots level in schools.
According to Samani, employers of cyber security professionals should be thinking about how they can go out and demonstrate that this is an exciting career choice.
“I am not really seeing this at a primary and secondary school level,” he said. “Schools are typically visited by army, police and legal sector representatives, but not cyber security.”
Samani, who is a regular speaker at schools, said Intel Security is planning to look at other ways to attract people to the profession, and that other companies should do the same.
Rewarding good behaviour
The study also found the UK is the least likely market for employees to be dis-incentivised from engaging in risky cyber security behaviour through fines.
Only 26% of respondents reported fines being imposed by their companies for risky behaviour, compared with a global average of 42%.
Samani views this in a positive light. “We need to enable, encourage, reward and promote good behaviour, rather than using punitive measures to discourage risky behaviour.
“The result of rewarding good behaviour and having incentives adds value to organisations around the world.
“I think there is a need to look at alternative ways to incentivise people to collaborate,” said Samani, citing the No More Ransom initiative as a good example.
Joining forces to fight ransomware
A joint initiative by the Dutch National Police, Europol, Intel Security and Kaspersky Lab to fight ransomware, No More Ransom is an online portal aimed at informing the public about the dangers of ransomware and helping victims to recover their data without having to pay a ransom to cyber criminals.
“This was done through an incentivised approach, whereby there was recognition in collaboration, and it was highlighted as a proofpoint whereby if you think differently in terms of collaboration, there are benefits,” said Samani.
Another good example, he said, is the Cyber Threat Alliance (CTA), a cross-industry initiative set up to foster the sharing of information about cyber security threats in an automated way by Palo Alto Networks, Fortinet, Symantec and Intel Security.
“Our researchers were incentivised to collaborate in cutting-edge research because they were getting access and visibility. Their intellectual curiosity was satisfied by seeing what other companies are working on,” said Samani. “The research findings not only benefit participating companies but also provide recognition for the individuals involved.”