


UK Companies Facing Cyber Security Staff Shortage (theguardian.com) 138
Bruce66423 writes: According to a recent survey of recruitment agencies, 81% expect a rise in demand for digital security staff, but only 16% saw that the demand would be met.
Resorting to 'neuro-diversity' [...] "We were originally plucking people from IT and bolting skills on but we changed our entire recruitment policy including targeting different kinds of people," said Rob Partridge at BT Security. "One area we've looked at is neuro diversity. We know, for example, that some people with Asperger's are highly suited to cyber but don't always have good communication skills so we changed our approach to the way we source and interview candidates."
Re: Brexit (Score:2)
Re:Brexit (Score:4, Insightful)
Why can't the UK and Ireland educate their own students to some "different kinds of people" standards and fill the few advanced Cyber Security jobs and many technical support jobs?
For the very average Cyber Security work just use vocational education so people can swap out server hardware, use the GUI and enter the command lines they are told.
Cover both the top end and low end of computer education rather than early computer education. Support the people who want to use computers; don't just fill every classroom with new computers every year.
The very average students don't learn, and a low budget for university education takes away from the good students who can be educated.
No migrants with issues needed if a nation can educate its own in a good university setting and offer technical training.
That's the problem, not the solution (Score:4, Insightful)
> vocational education so people can ... use the GUI and enter the command lines they are told.
The PROBLEM is that admins and programmers follow a set of instructions that might have been okay for one situation, without understanding and carefully considering the ramifications for *their* situation, on *their* network, considering *current* threat trends. Often they get the commands to enter or the GUI buttons to click from sites like Stackoverflow or Serverfault. The answers on Stackoverflow might more or less answer the question and might more or less work, they do turn on the requested function.
If you don't fully understand what you're doing though, and what "enabling RPC" actually means, that's when you create a giant security hole.
What makes hacking "hacking" is precisely that it's outside-the-box thinking, coming up with how to leverage things in ways nobody intended. Information security thinking is precisely the opposite of following a standard checklist. It's all about finding the "cheat", not following the rules.
There certainly IS a role for people with basic IT knowledge. Mostly working under someone with advanced IT knowledge with their work reviewed by a security professional. The security person should be a devious, clever type who comes up with ways to get around the rules.
Re: Brexit (Score:2, Insightful)
Leaving the EU wasn't about stopping all immigration. It was about the UK regaining full control over its immigration policies, rather than letting distant, unaccountable EU bureaucrats control such matters. The citizens of the UK are fine with letting certain people into the nation, if these people can contribute positively. What isn't wanted are third-worlders who want to leech off of the UK's social programs without contributing anything of value, for example. I know your kind on the political left want t
Re: Brexit (Score:5, Insightful)
Some type of points system before the guest worker is allowed into the UK to work on cyber security?
Speak English? Get some points.
Educated? Get some more points.
Healthy and can pass a medical examination? Get more points for not being a burden to the UK medical system on the first day. No transmitting infections.
Can do the job they get offered? Get more points for having an education that is accepted in the UK.
Understand they go back to their own country after that job ends.
No criminals.
Once a person can show they are educated, have needed skills and are not sick, then consider them for short term work to cover cyber jobs that can't be filled.
When the work is over, they return to their own nations again.
Will fit into UK culture and is of good character. No past issue with a faith that demands the UK submit to their faith.
A win for the UK. A win for a good person who is not sick, not a criminal, has an education that is ready for work in the UK.
Re: (Score:2)
No later than
> Understand they go back to their own country after that job ends.
you'd get a "LOL, no". From pretty much anyone capable of doing an IT security job.
Unlike most other jobs, we're talking about something where you have about a tenth of the people capable, willing and able to do the job that would be required. And I mean worldwide.
In other words: You don't get to set the conditions.
Re: (Score:1)
You don't get it, do you? Blacklisting an itsec worker actually willing to work for you hurts you, not them.
There is a BIG shortage of experienced IT security personnel. The very last thing you need is that word gets around that your country treats them like shit, as some countries in the middle east had to learn the hard way recently.
Re: (Score:2)
Where would this magical land be? I don't know a single country or company for that matter that isn't looking for IT-security and can't find any experienced security people.
Re: (Score:3)
For that they get to enjoy everything the UK has to offer for a few years as a guest worker.
London, the Lake District, castles, Exeter, shopping, Victoria and Albert museum.
A wage and savings they can put towards something of real value back in their own country when they return.
Re: (Score:3)
Re: (Score:2)
Once the education system has caught up with that lack of graduates, the number of guest workers can be reduced.
Count every guest worker in, count every guest worker out after the set time for their job has ended.
If a person wants to stay in the UK, let them apply for that in a more formal way.
Staying on after being granted entry as a guest worker and just expecting special consideration to stay?
Other people who applied to stay in
Re: (Score:2)
You do raise the idea of a separate, "more formal" path to permanent residence, but again I must ask why. What difference will there be in the vetting and othe
Re: (Score:2)
The people from the UK who stayed in university and graduated well? Why should they have their jobs taken by a person just wandering into the UK and demanding the right to work?
A more restricted guest worker placement system stops people entering the UK, taking a job and then demanding the "right" to stay in the UK and keep the job. Then demand an old age pension and to bring other people into the UK?
Government funded health care into old age?
Just for getti
Re: (Score:1)
There is a market called EU where you find this kind of profiles:
- democracies ...
- high average education
- same cultural background
- don't waste medical tests, they are as sane as in the UK
- they don't even want nationality
-
Re: (Score:1)
Most of those requirements already exist for guest workers from outside the EU. From inside we get reciprocal benefits from freedom of movement.
Thing is, most immigration is not skilled workers. About 100k a year is family reunions. That's even with the Home Office doing its best to rip families apart and create more misery. Then you have students, the financial life line keeping our education system just barely affordable for British students.
And this idea that people have to go home as soon as their job e
Re: (Score:3)
Re: (Score:2)
Speaking English is generally a requirement for non-EU migrants, although most EU ones do speak it. It's a big problem for families.
Re: (Score:1)
Re: (Score:3)
And having regained control, increase it?
Don't think that's what the dipshits in Barnsley were intending, judging by what I saw on Question Time a few weeks back.
Re: (Score:2)
Re: Brexit (Score:2)
Which third worlders will be prevented from coming by leaving the EU?
Re: (Score:2)
Oh, it won't reduce it - it'll increase it. St. Theresa's city chums are desperate to get into India, but there's a ton of protectionist regulation in place at the moment. The Rupee pro quo will be something like H1-Bs, just you wait and see.
Business needs its cheap and compliant labour. It'll get it from Pakistan if it can't get it from Poland.
Re: Brexit (Score:2)
I wouldn't describe any of the Eastern Europeans I know as "compliant".
Re: (Score:2)
They put up with working hours and conditions that nobody else would. When you hear on the news about ten fruit pickers living in a caravan they aren't usually from Newcastle or Leeds.
Re: Brexit (Score:2)
You may be amazed to learn that people from the former Communist countries can also do things like accountancy and software development. They don't put up with any more shit than the locals in jobs like that from what I've seen.
Re: (Score:2)
I wonder if any of them are good at statistics? If you know any, ask what percentage are in those kind of jobs.
Re: Brexit (Score:2)
Most of the Eastern Europeans I know are in those kind of jobs. I'm wondering what point you're trying to make about them being inferior or something.
Re: (Score:2)
Re: (Score:2)
Easy solution: (Score:4, Insightful)
Pay people what they are worth! If you only offer people peanuts then you aren't going to get a warm reception.
You need more than high pay (Score:2)
Re: (Score:2)
Most cyber security 'specialists' wouldn't work for what they're actually worth.
It's an industry filled with bureaucratic idiots and pretty much everybody competent that I've met in it has a broader skillset that could get them a number of roles.
In that regard this company is doing the right thing. Find people with aptitude and get them up and running on it.
On the flipside, 90% of cyber security is people skills. Oops.
Security has no ROI... (Score:1)
Posting AC. I worked with a developer who told me the following:
"There is a reason why you don't find people interested in cyber security. Companies don't want them, because security has zero ROI."
"After years in DevOps, I will happily have my code run as root or require admin rights on Windows, if it gets the job done. Security isn't something I will give a care about, ever. Mainly because if a company gets sued for my insecure code, their lawyers handle it. If I don't make my deliverables, I get fire
Re: (Score:2)
The private sector can use a lawyer like person to cover for many random workers globally with no loyalty to the UK.
Why hire 50 people from the UK to work on a project who can pass UK security when 1 UK person can sign for the work of 49 low cost foreign workers?
The paperwork is done to some needed lev
Re: (Score:2)
You want to know why people don't want to work in cyber security and why you can only get autists with zero interpersonal skills? Because anyone with interpersonal skills wouldn't stomach working in that field for long.
If you come into a packed cafeteria and on a table there are two people sitting by themselves and they, too, don't even look at each other, you found internal audit and itsec. You're about as well liked as athlete's foot. And if your coworkers could shoot their boss who drives them from crunc
Re: (Score:2)
The GCHQ had to study staff problems from the 1950-70's. It took the GCHQ two decades of intensive study to finally work out how to get and keep the best experts.
A really good wage, nice location for living in UK and the best working conditions.
The rate of sale of UK secrets to the Soviet Union and Russia also decreased with better wages and conditions. Troublesome activist union membership was reduced for the better too.
Security and cyber sec
Re: (Score:2)
Another reason you want to hire autists. They don't subscribe to strange, deranged ideas like national pride, religious ideas or other bull like this. I work for whoever pays me. I'm not loyal to my home country, there is no logic in such behaviour. I'm loyal to my employer. My employer exchanges money for the work I provide. It is sensible to be loyal to someone like this, as long as this arrangement continues.
It's also pretty hard to bribe me. It's been tried before, usually with money. I have enough mone
Re: (Score:2)
Re: (Score:2)
> Another reason you want to hire autists. They don't subscribe to strange, deranged ideas like national pride
That's an interesting assertion. I can provide a contradictory example, but have no idea whether it's you or me that's going against type here.
I do though agree that bribery and blackmail just aren't going to work. Not a hope in hell.
Re: (Score:2)
Some nations have tested that.
i.e. who has a weak personality, who only gets a low security clearance, who could be unreliable.
https://www.wired.com/2006/12/... [wired.com]
Re: (Score:2)
Not sure where you live but in the UK good information security people are highly valued and greatly appreciated.
Maybe it's the industries I work in though - financial services and related sectors don't fuck about with information security because the information is actual money.
Someone that can articulate in simple terms the security challenges that require resolution and also propose affordable effective approaches can pretty much name their price, and will immediately be treated as an equal by senior man
Re: (Score:2)
Re: (Score:2)
If the programmers become personally responsible, you shift the problem one step over because all you accomplish that way is that nobody would want to be a programmer anymore.
The programmers are tossed into a project with insane milestones and without any training concerning security whatsoever. What kind of code do you expect to get out of them?
Re: (Score:2)
Want real security? Pass regulations that actually put some serious pain on a company, like the GDPR. Assuming the GDPR will be enforced and companies start being fined percentages of their revenue, not made into a toothless law like SOX, HIPAA, or other items which at best, might be used against a fall-guy worker.
Actually, hold corporate officers and the management chain PERSONALLY liable for lapses in security. Suddenly, an ROI will erupt from the ether. . .
Re: (Score:2)
> "After years in DevOps, I will happily have my code run as root or require admin rights on Windows, if it gets the job done. Security isn't something I will give a care about, ever.
I'm a nightmare for developers like this - I have the ability to spot the lack of security and the ability to halt a project until it's there.
That's not my job, and technically I don't have the authority to put the brakes on a $100m project. In practice I'm often in a position to spot this stuff, people come to me because they know I'll act, and I've yet to meet a CIO that'll say, "Nah, fuck it. Go live and damn the consequences."
After all the 1980's education (Score:2)
With so much money put into the early use of computers, generations should be computer ready by 2018?
Did the education system discover that very average students stay very average even after using a computer for many years?
That money could have been put into university math and CS. The very best coul
Re: (Score:2)
The below average people tested to the same level after years of "using" new computers.
More new computers, robot kits, GUI robots, different OS, laptops and more computers a decade later resulted in no more experts and a staff shortage.
Think of what that extra money could have done for a few top university campuses.
All that engineering, physics, math and engineering at a university level that could have
Re: (Score:2)
The results would have had a large pool of work ready computer ready workers.
The below average and uneducable students stayed at their same level of education even after years of computer related education.
All that educational budget was wasted on students who could not be educated.
The same computer spending could have been given to a few top UK univers
Re: (Score:2)
You haven't heard of the company called ARM? The money invested by Acorn into the BBC Micro and the associated training programs, helped to develop ARM CPU architecture that went into mobile CPU's, GPU's and the entire ecosystem.
https://en.wikipedia.org/wiki/... [wikipedia.org]
"The Tube interface allowed Acorn to use BBC Micros with ARM CPUs as software development machines when creating the Acorn Archimedes. This resulted in the ARM development kit for the BBC Micro in 1986, priced at around £4000."
Re: (Score:2)
Re: (Score:2)
Because they wasted it...
They bought computers, but didn't train the teachers how to use them properly.
They used them to run mundane programs designed for teaching other subjects (poorly), no attempts were made to teach anything about the computers themselves. Attempting to program them yourself was forbidden, as was running any of your own software on them or trying to modify anything.
Re: (Score:2)
That's very true. Before this project, our school computer lab consisted of a couple of Apple 2 computers. Due to some politics, one of those was moved into the library under instructions of the principal to make computing more "accessible" to students. By the time I left, they were just installing their network of BBC model B's into the computer lab room. The course syllabus would still involve teaching flowcharts and the fundamentals of BASIC programming. One week it would be INPUT keyword, another week I
Re: (Score:2)
You were lucky that you were even allowed to use BASIC...
We were shown how to load a few educational programs from floppies, and how to use those programs etc... We had a simple ecosystem simulator, a simple word processor, a simple drawing program, a glorified calculator etc...
Re: (Score:2)
That's what happens when local business gets involved with the specification of course syllabuses - they want office IT training, not Computer Science 101
Re: (Score:2)
The generation raised on the BBC Micro are all senior management now.
It's the generation after that which has been let down and outsourced to India.
Re: (Score:2)
I see what you mean - in order to "make education relevant to the 21st century", the Conservatives gave local business the right to dictate what the school computer studies course syllabuses would be about - local companies didn't want programmers or software engineers, they just wanted IT training.
Re: (Score:2)
The students got to copy type in a slow computer language only used for education.
All that funding was moved from supporting university math, CS to paying for new school desktop computers all around the UK.
Government support for production lines jobs to put computer parts together for "education" took university funds. A massive move of financial support from the university sett
[Picture of autist] (Score:2)
You must be at least this autistic to work here.
when market actually works... (Score:1)
If you aren't willing to pay the going rate... (Score:3)
...then you aren't really demanding anything. This is Econ 101.
If demand isn't being met, it's not because you aren't willing to pay exorbitant rates, it's because you are legally prohibited from paying those rates to get what you want.
What is legally preventing companies from hiring security professionals? The article doesn't say.
Move on, folks. This is just propaganda to try to get the government to solve the private sector's problems at taxpayer expense!
Re: (Score:3)
This. Wages in the UK are a joke at the moment. 50k for a "senior" developer in London. I can get a lot more than that in Europe, at least until Brexit hits.
That's one of the main "benefits" of Brexit. UK companies don't have to compete on wages.
Re: (Score:2)
The comedy had increased. A number of the large American software companies, Google, Facebook, Twitter, Amazon, Snapchat, and some of the equally large Chinese ones like Huawei have set up shop in London and are paying competitive (by Californian standards) wages.
British companies have responded by whinging.
We've always undervalued engineers in the UK and it's a mindset that seems very deeply embedded in the government, too.
Re: (Score:2)
Re: (Score:2)
"It's simple: what is preventing companies from hiring security professionals is that the expected cost of a security compromise (or equivalently, the rate of security breach insurance) is less than the going rate of a security engineer."
Yet another fine example of a company privatizing gains but socializing risk and costs...
For another example: Equifax. What was the cost to the company of creating a huge negative externality regarding the privacy and secure identity of over 100 million people? And how much
Re: (Score:2)
Although.. I wouldn't take a CISO job for much less than $150k (or its GBP equivalent).
All the accountability but never the required resources and a guarantee that you will at some point fail.
Good CISOs are worth every penny.
"a spiritual market shift " (Score:2)
AC wrote: "overall, a spiritual market shift is needed first if we want to create the properly secured infrastructure and products to let millions of people depend on."
Sad, but true -- and in more areas of life than that. Thus my sig - - and the Albert Einstein quote that helped inspire it: "The release of atom power has changed everything except our way of thinking... the solution to this problem lies in the heart of mankind. If only I had known, I should have become a watchmaker."
Although, 70 years later,
Summary (Score:2)
People with IT skills don't interview well. Film at 11.
Re: (Score:2)
It's hard for them to see them over the 'Outsource to {country} today!' pamphlet they have stuck in front of their faces.
Soon to be obsolete profession (Score:2)
As soon as people wake up and realize that capability based security can fix all of this, "computer security professional" will be about as much in demand as "computer operator" or "system administrator". I wish these folks so employed a nice 10ish year ride until it's over.
So the prophecy is written, again.
There is no shortage of computer security pros (Score:2)
There is however a shortage of security pros who are willing to work with sticks and rocks or not allowed to do their job.
There is also a shortage of pros who are willing to work for 2 tacos a day.
No one wants to be the fall guy for upper management that is not willing to go all in on security.
Upper management will always blame the security guy after they get hacked even though upper management circumvented or was not willing to follow or back recommended security protocol.
the shortage is in place to hire guest workers tie (Score:2)
the shortage is in place to hire guest workers that are tied to the job and if they quit / are fired are forced to go home.
That must be a very shitty job (Score:2)
I mean there are some simple and easy ways to increase security at any company. It boils down to not doing stupid things.
However many people have been trained to do stupid things like using Office Software, which is one of the main dangers at any company.
One important change could fix all of this (Score:2)
Require businesses and media that reports this issue to follow every "Not Enough Qualified ______" with the obvious qualifier "For the Salary Offered."
Then all of these stories make a lot more sense.
America is currently throwing a fortune into "STEM". Because of the false claim of a shortage of workers when the real answer is a shortage of pay.
All they are going to do is crash the tech economy when they flood the market with all the new tech workers that realize they can't make enough money to pay back debt