While the country at large continues to struggle through the aftermath of the 2008 banking crisis, the world of InfoSec continues to live in a bubble of its own making.
As millions of people continue to live from paycheck to paycheck, struggling with negligible annual pay rises (and they are the lucky ones), security professionals continue to attract great salaries and, based upon confidential conversations I’ve had at conferences, great pay rises that have often drifted into double digit territory.
Now don’t get me wrong – I’m not jealous in the slightest – and I say good luck to everyone who finds themselves in that position. They have, by and large, worked damn hard to get where they are so fair play to them.
But why are pay scales so high (yeah, yeah, I hear you, but check out non-IT wage rates before you dismiss that comment) at a time when the economy is still in a very precarious position?
Supply and demand
It’s simple economics at play.
Though my main job is still retail I did once have another life in which I went to university to read business studies but, even before that when I was at secondary school, I learned the basics of economics which says that wages are dictated by the market forces of supply and demand.
So, with a shortage of security professionals and an ever-increasing demand for their services, there can only be one possible outcome: wages will continue to head north.
The economic solution
In simple terms the solution to that problem is obvious: increase the pool of available talent.
Some may see that as a threat to their current financial earning power but I don’t. The security industry is at a unique point in its history – the threats facing companies are increasingly rapidly. Data breaches are becoming a new norm and governments have their keyboard fingers in far more pots than they should, and most of them are not filled with honey.
Meanwhile, educational establishments are not producing enough candidates with the skills that businesses say they require.
So, even if a massive recruitment drive sends the youth of today onto the courses and into the certifications (my economics history yells “barrier to employment” right about now) that so many businesses are hung up on, the lag between now and them entering the marketplace will still be significant and I cannot see the supply catching up with demand for many, many years, if at all.
The problem for UK business
Having said there is a dearth of security talent I guess it is time to back up that assertion with some numbers and, luckily, KPMG put some out there just two days ago.
A study by the company which encompassed 300 IT and HR c-suite executives in organisations with between 500 and 10,000 employees discovered that the majority are experiencing difficulties in recruiting and retaining the security personnel they need.
Almost three quarters of the businesses KPMG spoke to said they are facing new challenges which require new skill sets to address – but 57% confessed that they struggled to retain specialised staff. Furthermore, fifty-two of the companies covered by the study said they were aware of aggressive headhunting in the security field.
A far bigger problem, in my opinion, was the finding that 60% of firms reported a lack of security experts in possession of good communication skills – an essential trait within a business environment where security is still seen by many as a cost rather than an enabler – and the ability to influence key members of the board is therefore essential if budget hopes are to be fulfilled.
The ‘sensible’ business solution
So what can UK businesses do to address the lack of suitable security candidates?
A few obvious answers spring to mind here.
The first would be to retain the existing talent within the company but, as already alluded to here, that comes with a financial cost. Therefore, would it not be a better solution to take existing personnel within the organisation and train them to fulfill the required job roles?
During my years as an outsider looking into the security industry I have learned that this isn’t a particularly common or popular idea but I see no logical reason why that should be so.
Sure, there are cases where it wouldn’t work – security is a specialised craft that requires a certain level of intelligence and a certain personality type perhaps, but that doesn’t mean that everyone outside of the industry is incapable of transitioning into it.
Indeed, many people who work outside of security have the exact skills that the industry is so desperately looking for.
Take communication, for example.
Within security there are a great many knowledgeable people but the number who can pair that with an ability to get their concepts and points of view across in a way that non-technical folk can understand is quite low (remember that conference speakers are a rare breed and not indicative of the industry as a whole, hence why you see the same people on stage over and over again). So why can’t businesses take a great communicator and teach them security skills? Would that be easier or harder than taking a great technician and teaching them how to put their points over effectively? I don’t know for sure but my gut feeling is that it could be done.
The other sensible option, again in my opinion, is to look at why the industry is failing to attract the required talent.
Going by salary levels, I don’t think it has much to do with money. So what else could be preventing the brightest minds from entering the industry?
Could it be the educational system?
Last month at IP EXPO Jitender Arora gave an excellent talk, part of which touched upon this issue. He said that our universities are failing to deliver the right types of candidate which I agree with. My question there though would be why? If businesses are not seeing the right set of skills in recent graduates then why don’t they do something about that? Call me naive if you will, but surely the role of higher education is to equip students with the skills they will need to be successful in their chosen careers – so why aren’t they doing a better job of talking to the industry and coming up with syllabuses that reflect the real world needs of the potential employers of their students?
Another great point made by Jitender during the same talk was the fact that the career path through the security industry may be at fault. He pointed out how some people could be great technical experts but, if they wished to progress their careers (as most of us do) then they would often have to forego their passion in order to enter the field of management.
That’s crazy isn’t it – taking an expert, making them a manager, and creating a deficit in their preferred position. Maybe something can be done with the structural organisation of the security function?
The radical business solution
Of course such solutions aren’t for every business, if any at all, and their needs are pressing, so other solutions need to be looked at.
And, according to the KPMG study, some organisations really are considering the most radical out of the box thinking – the employment of the so-called bad guys.
Well, ok, maybe not so-called.
The fact is, 53% of the survey’s respondents said they would consider filling gaps in their security teams through the employment of hackers and 52% would engage someone with a criminal record if they offered the right skills.
Crazy or what?
Security personnel are a key part of an organisation, retained to protect its assets from all manner of murky individuals and shady set-ups.
To do that a wide range of technical skills are required, along with soft skills such as the previously mentioned ability to communicate effectively.
But, above all that, surely a high level of personal ethics are required. Traits such as honesty must be a prerequisite to working in the industry mustn’t they? If not InfoSec will evolve into a profession with a reputation for employing those on the wrong side of the law, or those who lack personal morals and, if that ever happens, it is doomed.
As a consumer, if I found out that a large organisation was staffing up with shady staff because it had not had the foresight to find another way to fulfill its recruitment needs then my opinion of it would be on a par with hearing of a company that had been breached due to its lack of effective security measures, i.e. my money would never flow in their direction ever again. But, hey, that’s just me.
Now this is really out there
Now that we have that silliness out of the way the end of this article is in sight and I’ll finish off by mentioning something which the security industry seems to think is even more out there than the notion of hiring ex hackers and other miscreants – the employment and promotion of women.
If the members of the board haven’t realised that women make up near as dammit 50% of the population then they really need to disconnect from their PCs and go visit the real world for a while.
Some of the most knowledgeable people I know in this industry are female. While they are few in number (I’ve read reports that suggest women make up somewhere between 9% and 11% of the workforce), many that I’ve come to know are proving themselves to be more than capable (apologies to the men who find such a notion shocking) and some have shown themselves to be exceptional across a range of disciplines.
Not only that, but women sometimes, but not always, offer a different outlook and set of skills. A generalisation I know, but I tend to find that women possess communication skills in abundance, for example – one of the key skills that organisations say they so badly require.
So why aren’t more women entering the security field?
The answer to that is somewhat outside the scope of this post and very much a matter of opinion too, but I think we need to look toward an educational system that, in my experience as a father, still seems to not encourage girls to think of a career in IT, and employers who still remain in a male-centric bubble in which jobs for the boys are the norm, even if some of those boys have been very, very naughty in the past.