Slashdot Mirror


UK Companies Facing Cyber Security Staff Shortage (theguardian.com)

Bruce66423 writes: According to a recent survey of recruitment agencies, 81% expect a rise in demand for digital security staff, but only 16% saw that the demand would be met.

Resorting to 'neuro-diversity' [...] "We were originally plucking people from IT and bolting skills on but we changed our entire recruitment policy including targeting different kinds of people," said Rob Partridge at BT Security. "One area we've looked at is neuro diversity. We know, for example, that some people with Asperger's are highly suited to cyber but don't always have good communication skills so we changed our approach to the way we source and interview candidates."

138 comments

  1. Brexit by Anonymous Coward · · Score: 0, Troll

    Let me guess: the only solution is to throw the doors open to immigration?

    1. Re:Brexit by Anonymous Coward · · Score: 0

      No, the 'solution' is to close yourself off and pretend you're a self-sufficient island in the middle of the fucking ocean, you dipshite. Enjoy being bought by China!

    2. Re:Brexit by AHuxley · · Score: 3, Insightful

      It's in the "different kinds of people" news.

      Why can't the UK and Ireland educate their own students to some "different kinds of people" standards and fill the few advanced Cyber Security jobs and many technical support jobs?
      For the very average Cyber Security work just use vocational education so people can swap out server hardware, use the GUI and enter the command lines they are told.
      Cover both the top end and low end of computer education rather than early computer education. Support the people who want to use computers, don't just fill every classroom with new computers every year.
      The very average students don't learn and a low budget for university education takes away from the good students who can be educated.
      No migrants with issues needed if a nation can educate its own in a good university setting and offer technical training.

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re: Brexit by Anonymous Coward · · Score: 2, Insightful

      Leaving the EU wasn't about stopping all immigration. It was about the UK regaining full control over its immigration policies, rather than letting distant, unaccountable EU bureaucrats control such matters. The citizens of the UK are fine with letting certain people into the nation, if these people can contribute positively. What isn't wanted are third-worlders who want to leech off of the UK's social programs without contributing anything of value, for example. I know your kind on the political left want to make this matter all about 'racism' and your other buzzwords, but the reality is that there are far more practical reasons for the UK to control its own immigration policies without interference from distant, foreign bureaucrats.

    4. Re: Brexit by Anonymous Coward · · Score: 0

      I'm ready to do the needful I will work for grains of rice

    5. Re: Brexit by AHuxley · · Score: 4, Insightful

      A good guest worker system that only brings in people from nations with functioning governments would be a good start.
      Some type of points system before the guest worker is allowed into the UK to work on cyber security?
      Speak English? Get some points.
      Educated? Get some more points.
      Healthy and can pass a medical examination? Get more points for not being a burden to the UK medical system on the first day. No transmitting infections.
      Can do the job they get offered? Get more points for having an education that is accepted in the UK.
      Understand they go back to their own country after that job ends.
      No criminals.
      Once a person can show they are educated, have needed skills and are not sick, then consider them for short term work to cover cyber jobs that can't be filled.
      When the work is over, they return to their own nations again.
      Will fit into UK culture and is of good character. No past issue with a faith that demands the UK submit to their faith.
      A win for the UK. A win for a good person who is not sick, not a criminal, has an education that is ready for work in the UK.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re: Brexit by Opportunist · · Score: 1

      No later than

      Understand they go back to their own country after that job ends.

      you'd get a "LOL, no". From pretty much anyone capable of doing an IT security job.

      Unlike most other jobs, we're talking about something where you have about a tenth of the people capable, willing and able to do the job that would be required. And I mean worldwide.

      In other words: You don't get to set the conditions.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    7. Re: Brexit by Anonymous Coward · · Score: 0

      It wasn't about any of that. It was about people that felt and/or were convinced that being part of the EU had ruined their way of life. Same deal in the US with Trump getting elected, a lot of people think immigration and jobs going to China ruined their simple white picket fence lifestyles, and yes the working class has been screwed up the butt over the last 50 years, as the jobs left, they also got left behind, the government did nothing for them in exchange for sending their jobs away. This was their chance to "stick it to the man", the irony is they'll end up worse off than before.

    8. Re: Brexit by Anonymous Coward · · Score: 0

      If they don't leave voluntarily then they should be immediately deported, permanently blacklisted, and prevented from ever entering the UK again. Of course, they could avoid that by leaving voluntarily and applying for some other UK-based job they might be useful for.

    9. Re: Brexit by Anonymous Coward · · Score: 0

      " unaccountable EU bureaucrats " As opposed to mental midgets like Nigel Farage or Boris? You would do WELL to have the EU in control. Parliament is covering up ACTUAL PEDOS.

      You're the Republicans across the pond.

    10. Re: Brexit by Anonymous Coward · · Score: 0

      Do you really expect highly skilled people to come to the UK with zero incentives?

      With all due respect, you are damn stupid, sir!

      PS: Do you really expect any cyber security guy to have never experimented? Good ones are criminals (in the sense of the law, but most of the time, for the good guys, it is just intrusion not exploitation). BUT they never got caught. Reminds me of a job interview after I just described in detail how to get control of an existing computer system. Examiner: have you tried? Me: no, never.

    11. Re: Brexit by Anonymous Coward · · Score: 1

      There is a market called EU where you find this kind of profile:

      - democracies
      - high average education
      - same cultural background
      - don't waste medical test, they are as sane as in the UK
      - they don't even want nationality
      - ...

    12. Re: Brexit by AHuxley · · Score: 2

      AC, is not being a criminal, speaking English, not being sick, proving they have a suitable education really a challenge for a well educated person?
      For that they get to enjoy everything the UK has to offer for a few years as a guest worker.
      London, the Lake District, castles, Exeter, shopping, Victoria and Albert museum.
      A wage and savings they can put towards something of real value back in their own country when they return.

      --
      Domestic spying is now "Benign Information Gathering"
    13. Re:Brexit by Anonymous Coward · · Score: 0

      Some jobs are at risk of being offshored and outsourced - like IT and Windows administrators. Nobody will go near them.
      Other jobs just don't pay well - they max out at 25K because the technology is changing so fast companies only want whizz-kids. So that doesn't offer a future.
      Defence and security industry related jobs may require that someone is a British national, has no foreign connections and doesn't go abroad.

    14. Re: Brexit by Anonymous Coward · · Score: 0

      exponentially increasing grains of rice?
      1
      2
      4
      8
      16
      32
      64 ...

    15. Re:Brexit by mnemotronic · · Score: 1

      Obviously not an unlimited immigration policy. That would be too generous and compassionate. Not at all proper. Only let in the people you can use for their skills and abuse for being born to their parents. That's how to make lifelong friends.

      --
      The Russians have won. They have made the world a cesspool of distrust, greed, fear and hate.
    16. Re: Brexit by Anonymous Coward · · Score: 0

      Have fun with a declining population, like Japan.

    17. Re: Brexit by Anonymous Coward · · Score: 0

      ... the government did nothing for them in exchange for sending their jobs away.

      These are the same people that don't want the government doing things for them.

      These are the same people that think everyone else should be responsible for the consequences of their actions.

      But the government isn't the one that sent the jobs away. The jobs went away because these same people talk the talk, but they don't walk the walk. They talk about "Made in the USA" and then they go to Walmart and buy Made in China because it's less expensive than the similar product that's made in the USA.

      Remember that Carrier air conditioner plant in Indiana that was going to move to Mexico? The one that Twitler promised wouldn't move if he were elected. Well, it moved. Fat lot of good Twitler's promise was. Like all his other promises. Tax cut for the middle class? Ha ha. Now pull the other one. Stupid fucks. You voted for him Now you get to live with what you voted for.

    18. Re: Brexit by sound+vision · · Score: 2

      If they are so productive, well-adjusted, already raised and educated (on someone else's dime), why send them back to their home country afterwards? Surely the UK economy benefits more from retaining these best-of-the-best workers that are attracted from abroad.

    19. Re: Brexit by Type44Q · · Score: 1

      Plastic rice okay with you?

    20. Re: Brexit by AmiMoJo · · Score: 0

      Most of those requirements already exist for guest workers from outside the EU. From inside we get reciprocal benefits from freedom of movement.

      Thing is, most immigration is not skilled workers. About 100k a year is family reunions. That's even with the Home Office doing its best to rip families apart and create more misery. Then you have students, the financial life line keeping our education system just barely affordable for British students.

      And this idea that people have to go home as soon as their job ends is a non-starter. If you want skilled workers you have to accept that they will bring their families and settle down. Kids will be born here and have no other citizenship, maybe only speak English.

      Immigrating is a net benefit to the UK. It keeps our NHS going. Stop blaming it for all our self inflicted problems and do a few simple things to make it easier for people to accept.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re: Brexit by Opportunist · · Score: 0

      You don't get it, do you? Blacklisting an itsec worker actually willing to work for you hurts you, not them.

      There is a BIG shortage of experienced IT security personnel. The very last thing you need is that word gets around that your country treats them like shit, as some countries in the middle east had to learn the hard way recently.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    22. Re: Brexit by Hognoxious · · Score: 2

      Leaving the EU wasn't about stopping all immigration. It was about the UK regaining full control over its immigration policies

      And having regained control, increase it?

      Don't think that's what the dipshits in Barnsley were intending, judging by what I saw on Question Time a few weeks back.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    23. Re: Brexit by Anonymous Coward · · Score: 0

      Looks like angel'o'sphere or Joe_Dragon has forgot his password.

    24. Re: Brexit by Anonymous Coward · · Score: 0

      "There is a BIG shortage of experienced IT security personnel."

      No there's not, it's just that they can get paid better working someplace that doesn't test them for smoking pot.

    25. Re:Brexit by Anonymous Coward · · Score: 0

      Nice how you only focus on generosity and compassion for the immigrant, and don't seem to give any thought or care to the existing population of the host country. How is it generous and compassionate to flood the country with dependents on the social systems? Have you not been paying attention? Automation has been reducing the need for low-skilled workers. Flooding a country with more low-skilled workers will inherently strain the social systems as most won't find a job. Taxes go up, unemployment goes up, services suffer. This fucks everyone over. Oh, but you get to boast about how "compassionate" you are, while ignoring that you're ruining an entire country.

      A good system will be a target for abuse. It must be protected.

    26. Re: Brexit by Anonymous Coward · · Score: 0

      Immigration policies are largely set by the Council of Ministers and the European Parliament, not bureaucrats.

    27. Re: Brexit by Anonymous Coward · · Score: 0

      The effect of such a policy would be people not applying in the first place, and a shortage of staff, followed by outsourcing and the diminution of the UK economy.

    28. Re: Brexit by Barsteward · · Score: 1

      "unaccountable EU bureaucrats control such matters. " "third-worlders who want to leech off of the UK's social programs without contributing anything of value" - those 2 statements alone prove you don't know what you are talking about. It is all about racism for leavers who play the immigration card.

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    29. Re: Brexit by Barsteward · · Score: 2

      You never hear the blinkered brexiters complain about immigrants from outside the EU which is a larger number than any EU immigration and the non-EU migrants are even less likely to speak English

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    30. Re:Brexit by Barsteward · · Score: 1

      LOL - ignorance is bliss in your case.

      --
      "The hands that help are better far than lips that pray." - Robert Ingersoll (1833-1899)
    31. Re: Brexit by AmiMoJo · · Score: 1

      Speaking English is generally a requirement for non-EU migrants, although most EU ones do speak it. It's a big problem for families.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    32. Re: Brexit by Anonymous Coward · · Score: 0

      Understand they go back to their own country after that job ends. ...
      A win for the UK. A win for a good person who is not sick, not a criminal, has an education that is ready for work in the UK.

      No, and the hell no!
      So I work in UK, pay taxes there, pay for medical and retirement fund ...mandatory deductions ...
      and when I get older and would like to benefit from those deductions
      You generously say you are free to go back to your country ... your money will stay here ...

      I will give you counter offer - hey, move your company (at least data center) to the place,
      where are people capable of keeping it secure and willing to work.

      In my city (EU but eastern part) we can see new western companies moving every year.
      Perhaps you will end coming here for short time to transfer your duties to new staff.

      Two reasons why I am not willing to work to UK located companies:
      - too much of social networking related to correct school tie (aka Not one of us)
      - barbarian gun laws. I will not sell my gun collection.

    33. Re: Brexit by Opportunist · · Score: 1

      Where would this magical land be? I don't know a single country or company for that matter that isn't looking for IT-security and can't find any experienced security people.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    34. Re: Brexit by Anonymous Coward · · Score: 0

      I'd take you more seriously if the question: "Can do the job they get offered?" was first with the highest weight.
      Putting it down the list makes it seem you rank any immigrants as more important than skilled immigrants fulfilling a need.

    35. Re: Brexit by Anonymous Coward · · Score: 0

      In the times they dream of, it didn't cost a six figure sum to go to university and become a doctor. But somehow the whole medical system has become corporate with HMO's, insurance companies and private hospitals. Then there were the various international trade agreements that were signed; the Lima Declaration of 1975, NAFTA.

    36. Re: Brexit by K.Bu · · Score: 1

      On another note, please compete with other countries that offer much the same, plus quality of life (not in the sprawl of London with overpriced property, for starters. And the weather....). Added points : Nicely educated and efficient workers tend to come with wife and kids too. One does not relocate his family based on a "work contract" at risk of termination at the slightest whim of an employer. Slavery is long gone. You will have to provide a far better deal for highly educated specialists. Also, please remember that your language (well globish really) is the only language needed to work as a security specialist in most of the world. (But of course a second and a third language is even better). I can understand that you want to guard against the unwashed masses (poor uneducated). We can even agree that ethnicity is definitely a factor that should be taken under consideration. But with your conditions... Well, good luck to attract highly skilled workers in the global competition. It would be easier to emigrate to the U.S. !

      --

      ---
      By the way I apologise my dear US friend, I'm French...
    37. Re: Brexit by Anonymous Coward · · Score: 0

      A good guest worker system that only brings in people from nations with functioning governments would be a good start.

      Some type of points system before the guest worker is allowed into the UK to work on cyber security?

      Speak English? Get some points.

      Educated? Get some more points.

      Healthy and can pass a medical examination? Get more points for not being a burden to the UK medical system on the first day. No transmitting infections.

      Can do the job they get offered? Get more points for having an education that is accepted in the UK.

      Understand they go back to their own country after that job ends.

      No criminals.

      Once a person can show they are educated, have needed skills and are not sick, then consider them for short term work to cover cyber jobs that can't be filled.

      When the work is over, they return to their own nations again.

      Will fit into UK culture and is of good character. No past issue with a faith that demands the UK submit to their faith.

      A win for the UK. A win for a good person who is not sick, not a criminal, has an education that is ready for work in the UK.

      As an EU citizen with 30+ successful years in the industry, let me just say that my reaction to the above is "Go f**k yourselves"***. No way I'm going to jump thru hoops to work in your country just because of Brexit. Since I'm posting as an AC I don't believe it's bragging when I say I've stronger skills than 90% (or more) of the others I've encountered in my career (including many from the UK) ... so it's the UK's loss, not mine.

      *** BTW, that's just in response to this post. Overall, I wish the British people well.

    38. Re: Brexit by cyber-vandal · · Score: 1

      Which third worlders will be prevented from coming by leaving the EU?

    39. Re: Brexit by AHuxley · · Score: 1

      Guest workers would be for a short term lack of professionals in a nation.
      Once the education system has caught up with that lack of graduates, the number of guest workers can be reduced.
      Count every guest worker in, count every guest worker out after the set time for their job has ended.
      If a person wants to stay in the UK, let them apply for that in a more formal way.
      Staying on after being granted entry as guest worker and just expecting special consideration to stay?
      Other people who applied to stay in the UK legally and not used the guest worker system to sneak in would have first consideration.

      A guest worker system is for people who expect to return to their own nation after they got one job over a short term.
      Not to then change jobs while in another nation and demand the right to stay on.
      Not to then demand decades of work and an old age pension after staying on.

      --
      Domestic spying is now "Benign Information Gathering"
    40. Re: Brexit by sound+vision · · Score: 1

      I've asked you "Why?" and your answer isn't much more than a circular re-statement of what you want to happen. The most reasoning I can pull out of it is that you're worried about their pensions creating a drag on the economy, as if the pensions of health-inspected foreign workers will cost any more than the pensions of uninspected domestic workers.

      You do raise the idea of a separate, "more formal" path to permanent residence, but again I must ask why. What difference will there be in the vetting and other requirements? Is the UK going to have this separate path out of the kindness of their heart, or is it strictly to benefit the economy, like the guest worker program?

    41. Re: Brexit by Hognoxious · · Score: 1

      Oh, it won't reduce it - it'll increase it. St. Theresa's city chums are desperate to get into India, but there's a ton of protectionist regulation in place at the moment. The Rupee pro quo will be something like H1-Bs, just you wait and see.

      Business needs its cheap and compliant labour. It'll get it from Pakistan if it can't get it from Poland.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    42. Re: Brexit by cyber-vandal · · Score: 1

      I wouldn't describe any of the Eastern Europeans I know as "compliant".

    43. Re: Brexit by Hognoxious · · Score: 1

      They put up with working hours and conditions that nobody else would. When you hear on the news about ten fruit pickers living in a caravan they aren't usually from Newcastle or Leeds.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    44. Re: Brexit by AHuxley · · Score: 1

      So their own people get good jobs first?
      The people from the UK who stayed in university and graduated well? Why should they have their jobs taken by a person just wandering into the UK and demanding the right to work?
      A more restricted guest worker placement system stops people entering the UK, taking a job and then demanding the "right" to stay in the UK and keep the job. Then demand an old age pension and to bring other people into the UK?
      Government funded health care into old age?
      Just for getting one job many years ago?
      While a more restrictive guest worker system is in place UK education can produce the same needed graduates. A vocational training system can produce the more skilled workers too. Everything can be done to fill most jobs can be supported within the UK.
      The UK can catch up with what is lacking in its own education system while using guest workers in the short term and then return the guest workers to their own nation when the work is done.
      Count every guest worker in. Count every guest worker out. If they really want to stay they can apply when back in their own nation again. Just like anyone wishing to live in the UK they can formally with with others wanting that privilege. A guest worker system is not a free pathway to the right to just overstay in a nation.
      The vetting keeps out criminals, people with no English skills, people with no actual education that can be used in the UK, people who are sick and need a lot of health care.
      Vetting also shows if the person with the needed skills is actually the person who is taking the job. Not a person who stole or created a set of documents to get into the UK with the cover of a set of documents.
      Vetting can allow a disruptive person's character to be sorted from people who want to change UK laws to that of their own.
      People who have caused problems in their own nation or while being in other nations.

      --
      Domestic spying is now "Benign Information Gathering"
    45. Re: Brexit by cyber-vandal · · Score: 1

      You may be amazed to learn that people from the former Communist countries can also do things like accountancy and software development. They don't put up with any more shit than the locals in jobs like that from what I've seen.

    46. Re: Brexit by Hognoxious · · Score: 1

      I wonder if any of them are good at statistics? If you know any, ask what percentage are in those kind of jobs.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    47. Re: Brexit by cyber-vandal · · Score: 1

      Most of the Eastern Europeans I know are in those kind of jobs. I'm wondering what point you're trying to make about them being inferior or something.

  2. Easy solution: by Gravis+Zero · · Score: 3, Insightful

    Pay people what they are worth! If you only offer people peanuts then you aren't going to get a warm reception.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Easy solution: by Cederic · · Score: 1

      Most cyber security 'specialists' wouldn't work for what they're actually worth.

      It's an industry filled with bureaucratic idiots and pretty much everybody competent that I've met in it has a broader skillset that could get them a number of roles.

      In that regard this company is doing the right thing. Find people with aptitude and get them up and running on it.

      On the flipside, 90% of cyber security is people skills. Oops.

  3. So the solution is autists? by Anonymous Coward · · Score: 0

    AI = autistic introverts? Blimey

    1. Re:So the solution is autists? by Anonymous Coward · · Score: 0

      Great idea! Let's send them our Santa Clara California USA miracle worker, creimer. He told me that he was willing to go for as little as 60K US a year. UK will be well covered with him since he covers a lot of space.

      He is such a genius, his new video is already ranked first despite having only 5 views!

      See proof here:
      https://www.youtube.com/result...

  4. Security has no ROI... by Anonymous Coward · · Score: 1

    Posting AC. I worked with a developer who told me the following:

    "There is a reason why you don't find people interested in cyber security. Companies don't want them, because security has zero ROI."

    "After years in DevOps, I will happily have my code run as root or require admin rights on Windows, if it gets the job done. Security isn't something I will give a care about, ever. Mainly because if a company gets sued for my insecure code, their lawyers handle it. If I don't make my deliverables, I get fired, and a Deloitte guy gets my job. So, with the current market, hell with security. If it allows me to make my stuff, I'll happily leave an S3 bucket as public."

    Needless to say, I left that company, but that is the norm, not the exception.

    Want real security? Pass regulations that actually put some serious pain on a company, like the GDPR. Assuming the GDPR will be enforced and companies start being fined percentages of their revenue, not made into a toothless law like SOX, HIPAA, or other items which at best, might be used against a fall-guy worker.

    1. Re:Security has no ROI... by AHuxley · · Score: 1

      The only ROI is for the GCHQ, MI6/5. They take generations of skills and now offer good pay, advancement and housing. People like that have the backgrounds and paperwork to prove they are loyal to the UK.
      The private sector can use a lawyer like person to cover for many random workers globally with no loyalty to the UK.
      Why hire 50 people from the UK to work on a project who can pass UK security when 1 UK person can sign for the work of 49 low cost foreign workers?
      The paperwork is done to some needed level of mil/gov/private sector standard by one trusted person.
      The work is done by random contractors all over the world for low pay.
      The need for cyber security exists because the work is global and just in time. Other nations are using their workers as spies to enter UK networks after being given access by UK brands.
      Should have hired loyal local staff and the need for ever more cyber security experts is reduced. The foreign nations with their cheap workers come with hidden costs. The UK's commercial secrets are just walking out with foreign staff every generation. Their spies are winning, the UK just can't say no to more people who want to spy on the UK.

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Security has no ROI... by Opportunist · · Score: 1

      You want to know why people don't want to work in cyber security and why you can only get autists with zero interpersonal skills? Because anyone with interpersonal skills wouldn't stomach working in that field for long.

      If you come into a packed cafeteria and on a table there are two people sitting by themselves and they, too, don't even look at each other, you found internal audit and itsec. You're about as well liked as athlete's foot. And if your coworkers could shoot their boss who drives them from crunch to crunch or you, they'd shoot you. Twice. Just to be sure.

      You're the person who comes in when everyone thinks they're done and tells them that they have to redo this, redo that, or rework it altogether. You are the one who makes their milestones fall, you're the one that delays releases, you're the one that keeps them from going to the release party because you're telling them that they have to pull an all nighter to get their shit secured.

      Anyone but people who are absolutely used to being a social outcast won't willingly stay for long.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Security has no ROI... by AHuxley · · Score: 1

      Re "wouldn't stomach working in that field for long."
      The GCHQ had to study staff problems from the 1950-70's. It took the GCHQ two decades of intensive study to finally work out how to get and keep the best experts.

      A really good wage, nice location for living in UK and the best working conditions.

      The rate of sale of UK secrets to the Soviet Union and Russia also decreased with better wages and conditions. Troublesome activist union membership was reduced for the better too.
      Security and cyber security improves with only hiring loyal people, having good working conditions and paying workers well.
      Foreigners are loyal to their own nation and their own spy agencies.
      Foreigners in the UK stay loyal to their own nation. When asked they will support their country and faith over the UK.
      People of faith over generations in the UK stay loyal to their faith and will be happy to spy on a company/the security services for their faith and any other nation that shares their faith.

      Security is about finding loyal people who can have their backgrounds looked into and can prove they won't give away or sell company secrets.

      The "social outcast" is a risk. They are led astray by lifestyles, faiths, games, hobbies, new friends. Open to offers of cash, blackmail or friendship. Anything that offers them a feeling of being part of a group. Other nations are always ready to offer that friendship and personalised long term support in return for company secrets.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:Security has no ROI... by Opportunist · · Score: 1

      Another reason you want to hire autists. They don't subscribe to strange, deranged ideas like national pride, religious ideas or other bull like this. I work for whoever pays me. I'm not loyal to my home country, there is no logic in such behaviour. I'm loyal to my employer. My employer exchanges money for the work I provide. It is sensible to be loyal to someone like this, as long as this arrangement continues.

      It's also pretty hard to bribe me. It's been tried before, usually with money. I have enough money. More than I need, actually. I get it as wage. Legally. No need to break a law (and very likely end my career) for something as trivial as this. Blackmail? How? There is nothing you could threaten me with. Friendship? What's that again? Being part of a group? I am part of a group. I have 6 coworkers. That's about 5 more people than I want to be in a group with. Sometimes 6 more than I do.

      Some people cannot be bought, bullied, reasoned or negotiated with. Some people just want to get their work done.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Security has no ROI... by AHuxley · · Score: 1

      +1 for "Some people just want to get their work done." With some work and a lot of resumes and CV detail really good people can be found.

      --
      Domestic spying is now "Benign Information Gathering"
    6. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      Again, posting AC, just because. Bribing won't work, because I am in a stable situation right now. My country may suck, but I'm not going to sell it out, because I have too much invested in it, and where would I go (No country wants a traitor on their soil.) Similar with blackmail. Any skeletons in my closet are likely known to others anyway. Nefarious activity? I troll Slashdot, because some of the stuff written as replies is brutal, but very factual, and is worth passing on. Threatening my family? Everyone is already dead, and I can't reproduce.

      In today's society, where money is king, people that can't be bribed will throw a wrench in the system. Autists just don't abide by the "everyone has a price" norm. This, by itself can scare the living shit out of some people, those who thrive by bribery and treachery.

      Autists have one other thing: The sensitivity to something being out of place. This is how security breaches are found. From the tiny accounting error in "The Cuckoo's Nest", to a flipped chattr bit allowing editing of /var/log/messages, a simple detail can mean the difference between a breach being mitigated versus a Sony/Home Depot/Equifax-like disaster.

    7. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      Really good people are everywhere. The jobs have been lowball offers for the most part since 2008.

      Why should someone work in high-expectation IT security when they can get paid more driving a truck or having a tiny farm? You see people right here on slashdot who made the switch.

    8. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      It doesn't have to be that way. If the programmers who wrote those lines of code were directly/legally responsible for the security bugs caused by their own code, maybe they wouldn't wait until the last minute to get a security audit.

      Ignorance is not an excuse. And it is up to the company to set policies that reward proactivity in security.

      In a similar vein, nobody should want to be a product manager because who likes people breathing down their neck, and how much time have you wasted talking about deliverables and deadlines when you could have been programming some beautiful algorithm code.

    9. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      In Australia. Also true. Security is reduced to check boxes and overarching exceptions so execs can play with their gizmos and get corporate email on their Apples. There is a lot of busywork as reports for portscans and slightly more advanced stuff packed off to police reports. Oh, and piles of XP applications because the vendors want more money for a fresh compile of the same buggy product - or the outsourcers will charge a pile of new money for refreshment.

      Hardcore assembler/protocol heads with 10 years of expert script experience - get paid the same as 'Jens' from IT Crowd fame. Thus you have admin types trained to follow procedures, I have seen overpaid security people knowing nothing - except being able to drive ONE security application, and not allowed to see, say Israeli packages that cost a mint.

      Meanwhile security takes 'admin' and scripting privileges off everyone to assist productivity to new gutter levels. There would not be a shortage if each security person has to successfully train 2+ others else lose their job. Amazing how top talent never transfers ANY of what they do.

    10. Re:Security has no ROI... by Salgak1 · · Score: 1

      Want real security? Pass regulations that actually put some serious pain on a company, like the GDPR. Assuming the GDPR will be enforced and companies start being fined percentages of their revenue, not made into a toothless law like SOX, HIPAA, or other items which at best, might be used against a fall-guy worker.

      Actually, hold corporate officers and the management chain PERSONALLY liable for lapses in security. Suddenly, an ROI will erupt from the ether. . .

    11. Re:Security has no ROI... by Opportunist · · Score: 1

      If the programmers become personally responsible, you shift the problem one step over because all you accomplish that way is that nobody would want to be a programmer anymore.

      The programmers are tossed into a project with insane milestones and without any training concerning security whatsoever. What kind of code do you expect to get out of them?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:Security has no ROI... by Cederic · · Score: 1

      Not sure where you live but in the UK good information security people are highly valued and greatly appreciated.

      Maybe it's the industries I work in though - financial services and related sectors don't fuck about with information security because the information is actual money.

      Someone that can articulate in simple terms the security challenges that require resolution and also propose affordable effective approaches can pretty much name their price, and will immediately be treated as an equal by senior management.

      Information security is easy and impossible. That combination requires intelligent people with great soft skills, and trust me, those are not treated as outcasts anywhere.

    13. Re:Security has no ROI... by Cederic · · Score: 1

      "Another reason you want to hire autists. They don't subscribe to strange, deranged ideas like national pride"

      That's an interesting assertion. I can provide a contradictory example, but have no idea whether it's you or me that's going against type here.

      I do though agree that bribery and blackmail just aren't going to work. Not a hope in hell.

    14. Re:Security has no ROI... by Cederic · · Score: 1

      "After years in DevOps, I will happily have my code run as root or require admin rights on Windows, if it gets the job done. Security isn't something I will give a care about, ever."

      I'm a nightmare for developers like this - I have the ability to spot the lack of security and the ability to halt a project until it's there.

      That's not my job, and technically I don't have the authority to put the brakes on a $100m project. In practice I'm often in a position to spot this stuff, people come to me because they know I'll act, and I've yet to meet a CIO that'll say, "Nah, fuck it. Go live and damn the consequences."

    15. Re:Security has no ROI... by ageoffri · · Score: 1
      At least where I'm at, we are working on changing that image. The risk team I'm part of is embedded fairly early into the SDLC and we are a hard gate at several points so that projects hopefully don't move too far forward without our input into security. I have one particular manager of a developer team that I have a really good relationship with. Part of it is that I pretty much drop everything to help his projects meet our security requirements. I know he has talked to others about how security isn't slowing down his projects.

      My boss constantly tells us that while we aren't architects, think like an architect. If we are going to rate some part of a project as an unacceptable level of risk, provide options on how to reduce or mitigate that risk. I personally tell my teammates to "know before you no".

      Now with that said, one of my fellow risk analysts and a couple of our security analysts have the classic attitude of "NO", to the point that the manager of the operational security team is known as "Angry Bob".

      --
      -- Slashdot, making the Left look conservative since 1997.
    16. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      No, troublesome union activity did not fall - they banned trade union membership.

    17. Re:Security has no ROI... by Anonymous Coward · · Score: 0

      As someone who has been in the DevOps field, I will wish you luck holding Naresh in Bangalore responsible for his code that caused issues in the US. At worst, he gets tossed, and another person (there are tons) brought in. Think the contracting agency would be responsible? Good luck at that, because a judge in India would laugh you out of their court system.

      In reality, the people who get hit for security breaches? It will always be the IT people, because it happened on their watch. It will be the customers whose data is compromised.

      Everyone else just laughs their way to the bank. Even the "CISO" who pretends to read a STIG, but has zero ideas on real security, and really doesn't care even if an S3 bucket is public, because he will throw up his hands and say, "OMG, nobody can stop the haxxors!" He definitely will keep his job, no matter how egregious the breach.

    18. Re:Security has no ROI... by AHuxley · · Score: 1

      Re "That's an interesting assertion."
      Some nations have tested that.
      i.e. who has a weak personality, who only gets a low security clearance, who could be unreliable.
      https://www.wired.com/2006/12/...

      --
      Domestic spying is now "Benign Information Gathering"
  5. Same Bullshit by Anonymous Coward · · Score: 0

    Different day, lemme guess more low to no wage immigrants is your solution?

  6. After all the 1980's education by AHuxley · · Score: 1

    How much did the UK waste on computer education for all with its BBC Micro https://en.wikipedia.org/wiki/..., Dragon https://en.wikipedia.org/wiki/... and other attempts at generational computer education?
    With so much money put into the early use of computers, generations should be computer ready by 2018?

    Did the education system discover that very average students stay very average even after using a computer for many years?

    That money could have been put into university math and CS. The very best could have been supported at top universities for generations, ready for challenging Cyber Security jobs in 2018.

    --
    Domestic spying is now "Benign Information Gathering"
    1. Re:After all the 1980's education by Anonymous Coward · · Score: 0

      Fuck you. A government actually does something worthwhile with public funds (briefly), and you make some smartarse comment about how the money should have gone to universities. Who are currently pissing record sums of money up the wall to fund their ever-growing legions of administrators.

      Merry Christmas.

    2. Re:After all the 1980's education by Anonymous Coward · · Score: 0

      Fuck *you*. Government shouldn't have its paws on *my* funds.

    3. Re:After all the 1980's education by AHuxley · · Score: 1

      AC.. If the very average students could have been educated then the UK would not be facing a shortage of cyber security staff a few generations later.
      The results would have had a large pool of work ready computer ready workers.
      The below average and uneducable students stayed at their same level of education even after years of computer related education.

      All that educational budget was wasted on students who could not be educated.

      The same computer spending could have been given to a few top UK universities to accept the best students and help them keep up with advances in US cyber security advances. Teach the best and brightest once they can pass a university entrance exam.

      Try academic merit AC and exams.

      Don't waste years of education spending on lots of new computers for people who can't learn and expect social advancement to get a different result.

      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:After all the 1980's education by Anonymous Coward · · Score: 0

      YOU don't have ANYTHING unless the government makes conditions possible for your IDIOTIC BOOTSTRAP-ECONOMICS ATTITUDE.

    5. Re:After all the 1980's education by mikael · · Score: 1

      You haven't heard of the company called ARM? The money invested by Acorn into the BBC Micro and the associated training programs, helped to develop ARM CPU architecture that went into mobile CPU's, GPU's and the entire ecosystem.

      https://en.wikipedia.org/wiki/...

      "The Tube interface allowed Acorn to use BBC Micros with ARM CPUs as software development machines when creating the Acorn Archimedes. This resulted in the ARM development kit for the BBC Micro in 1986, priced at around £4000."

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    6. Re:After all the 1980's education by Anonymous Coward · · Score: 0

      BBC Micro was the first computer I used in school in the 80s. I probably learned more from that one system the whole class room shared than I did from a year at college doing a computer course staffed by useless tutors from 2nd world countries that could barely speak English, and one from the US that just talked and talked and talked some more about stuff in the text book that didn't seem to relate to anything, so braindead boring a group of us started skipping that session and went to the movies instead.

    7. Re:After all the 1980's education by AHuxley · · Score: 1

      The government took your money and put a lot of very stupid people in front of a lot of new computers.
      The below average people tested to the same level after years of "using" new computers.
      More new computer, robot kits, GUI robots, different OS, laptops and more computers a decade later resulted in no more experts and a staff shortage.
      Think of what that extra money could have done for a few top university campuses.
      All that engineering, physics, math and engineering at a university level that could have been funded instead of computers for below average students who can't or won't learn.

      Test the students for years. See if they show up to class on time. More exams to sort the very best students from the above average.
      The results will show who can study long term to get the new computers at university after an entrance exam.
      No entrance exam, no university. Stop all social advancement.
      The people who can study for hours at home, have a computer at home, have internet at home, got extra academic support beyond what was offered should be found and supported.
      The best students who had the good learning environments get to pass exams and enter the best universities. A good number of real experts with a proven and tested work ethic graduate. People who can study and actually keep up with changing technology over decades in the private sector.
      Let the other students try for languages, sport, art, music, biology, medicine, law. Make vocational education and consumer science a real pathway for people.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:After all the 1980's education by AHuxley · · Score: 1
      --
      Domestic spying is now "Benign Information Gathering"
    9. Re:After all the 1980's education by Anonymous Coward · · Score: 0

      You presuppose that the "very best students" have any interest in pursuing a career in IT/software/technology. Low prestige, long hours, employer instability, offshoring, ...

    10. Re:After all the 1980's education by Bert64 · · Score: 1

      Because they wasted it...
      They bought computers, but didn't train the teachers how to use them properly.
      They used them to run mundane programs designed for teaching other subjects (poorly), no attempts were made to teach anything about the computers themselves. Attempting to program them yourself was forbidden, as was running any of your own software on them or trying to modify anything.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    11. Re:After all the 1980's education by Cederic · · Score: 1

      The generation raised on the BBC Micro are all senior management now.

      It's the generation after that which has been let down and outsourced to India.

    12. Re:After all the 1980's education by mikael · · Score: 1

      That's very true. Before this project, our school computer lab consisted of a couple of Apple 2 computers. Due to some politics, one of those was moved into the library under instructions of the principal to make computing more "accessible" to students. By the time I left, they were just installing their network of BBC model B's into the computer lab room. The course syllabus would still involve teaching flowcharts and the fundamentals of BASIC programming. One week it would be INPUT keyword, another week IF-THEN-ELSE and the week after PRINT.

      Everyone had their home computers, and were playing around with assembly language, interrupts, player-missile graphics or sprites and graph drawing programs.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    13. Re:After all the 1980's education by Bert64 · · Score: 1

      You were lucky that you were even allowed to use BASIC...
      We were shown how to load a few educational programs from floppies, and how to use those programs etc... We had a simple ecosystem simulator, a simple word processor, a simple drawing program, a glorified calculator etc...

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:After all the 1980's education by Anonymous Coward · · Score: 0

      Dipshit. All the government is good for is burning cash and blowing shit up. It does NOTHING and it doesn't make any conditions. You're fucking clueless and lacking in imagination you fucking parasite.

    15. Re:After all the 1980's education by mikael · · Score: 1

      That's what happens when local business gets involved with the specification of course syllabuses - they want office IT training, not Computer Science 101

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    16. Re:After all the 1980's education by mikael · · Score: 1

      I see what you mean - in order to "make education relevant to the 21st century", the Conservatives gave local business the right to dictate what the school computer studies course syllabuses would be about - local companies didn't want programmers or software engineers, they just wanted IT training.

      --
      Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
    17. Re:After all the 1980's education by AHuxley · · Score: 1

      That was the problem. All the education went to just putting random people in front of a new computer. Any new computer.
      The students got to copy type in a slow computer language only used for education.
      All that funding was moved from supporting university math, CS to paying for new school desktop computers all around the UK.
      Government support for production lines jobs to put computer parts together for "education" took university funds. A massive move of financial support from the university setting to just building computers for education from fully imported parts.

      The university system never recovered. The school education produced average students with no more useful skills in math, science than any other generation.
      Decades later the lack of university graduates with actual math, CS skills showed.
      The government knew it needed math, science, computer graduates. Instead of looking after the best students at university it took the funding and spent it on desktop computers and the needed educational computer languages.

      Students who would have never needed, used or understood a computer got to sit in front of a new computer and copy in code.
      Good students never got the support needed to get into university. The university system that could have educated the needed experts for generations got its funding reduced to pay for new computers in schools.

      --
      Domestic spying is now "Benign Information Gathering"
  7. [Picture of autist] by Hal_Porter · · Score: 1

    You must be at least this autistic to work here.

    --
    echo -e 'global _start\n _start:\n mov eax, 2\n int 80h\n jmp _start' > a.asm; nasm a.asm -f elf; ld a.o -o a;
  8. What they are worth by Anonymous Coward · · Score: 0

    Pay people what they are worth! If you only offer people peanuts then you aren't going to get a warm reception.

    Figuring out what they are worth is the hard part. Everybody wants good employees at a price point that works for their business. Some places have other requirements. For example, have you EVER seen anyone in sales at Goldman Sachs who didn't have amazing hair? It's clearly a hiring requirement. Humans aren't always very good about who they hire, even when they have all the choices in the world.

    1. Re:What they are worth by Anonymous Coward · · Score: 0

      People value opinions from good looking people more than they do ugly people. Sales people are more effective if they're attractive. Sorry.

    2. Re:What they are worth by Anonymous Coward · · Score: 0

      You think these people are amazing in the hair department? Meh... http://www.goldmansachs.com/s/2013annualreport/assets/images/ways/risk-management/section-8-1_wide.jpg

    3. Re:What they are worth by Anonymous Coward · · Score: 0

      The U.K. is shit for jobs. Same job in the US is 2 to 3 times higher. Combine this with the cost of living is the same as much of the US's big cities (London -> SF, Edinburgh -> Seattle) and the fact the U.K. taxes people at 40-45% for basically any professional (US is 32?) and you get a huge "why the fuck would I work there?"

  9. when market actually works... by dimko · · Score: 1

    So what we have, cyber security experts missing. Maybe it's a lot more profitable being illegal, work for yourself, not being judged for color of skin or sex to have someone else blame you for mistakes of others. On other side of scale: incompetent people trying to catch you, just one out of hundreds? IMHO risk might be very calculated here...

  10. No shortage except one they created by Anonymous Coward · · Score: 0

    With all due respect, Rob's full of shit.
    BT pays well below market rates and even then, their HR refuse to authorize new hires and drown the existing ones under petty restrictions. With zero training budget or travelling?
    Ever hear the one about the specialist app test team in BT who were dragged in for police interrogation when they needed a specific version of iPhone and could only source a gold version, so instead of costing hundreds of thousands of lost reputation they spent 300 pounds on 5 of them? And someone clueless saw gold iPhone on an expense entry?

    TL;DR: clueless shit company can't hire UK staff for same money as Indians and Romanians. First hand experience here.

  11. If you aren't willing to pay the going rate... by Ichijo · · Score: 2

    ...then you aren't really demanding anything. This is Econ 101.

    If demand isn't being met, it's not because you aren't willing to pay exorbitant rates, it's because you are legally prohibited from paying those rates to get what you want.

    What is legally preventing companies from hiring security professionals? The article doesn't say.

    Move on, folks. This is just propaganda to try to get the government to solve the private sector's problems at taxpayer expense!

    --
    Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    1. Re:If you aren't willing to pay the going rate... by AmiMoJo · · Score: 2

      This. Wages in the UK are a joke at the moment. 50k for a "senior" developer in London. I can get a lot more than that in Europe, at least until Brexit hits.

      That's one of the main "benefits" of Brexit. UK companies don't have to compete on wages.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re: If you aren't willing to pay the going rate... by Anonymous Coward · · Score: 0

      Moving to Europe is looking attractive. I'd better get organised.

    3. Re:If you aren't willing to pay the going rate... by Anonymous Coward · · Score: 0

      It's simple: what is preventing companies from hiring security professionals is that the expected cost of a security compromise (or equivalently, the rate of security breach insurance) is less than the going rate of a security engineer.

      It appears that being secure is still simply not cost effective, despite tons of hacks and ransomware in this year alone. The way the public sector could solve this is to pass laws to raise the expected cost of a security compromise--though if profit margins of UK companies are so low it might just turn out to harm the economy even more.

    4. Re:If you aren't willing to pay the going rate... by serviscope_minor · · Score: 1

      The comedy had increased. A number of the large American software companies, Google, Facebook, Twitter, Amazon, Snapchat, and some of the equally large Chinese ones like Huawei have set up shop in London and are paying competitive (by Californian standards) wages.

      British companies have responded by whinging.

      We've always undervalued engineers in the UK and it's a mindset that seems very deeply embedded in the government, too.

      --
      SJW n. One who posts facts.
    5. Re:If you aren't willing to pay the going rate... by Anonymous Coward · · Score: 0

      "... legally prohibited from paying those rates ..."

      Cyber-anything isn't piece-meal work: What law prevents employees from charging higher salaries, and what law prevents employers from paying them?

    6. Re:If you aren't willing to pay the going rate... by Anonymous Coward · · Score: 0

      London is over saturated with developers. Reading area salaries are higher (60k for seniors) and living costs are less than half (ie you can buy a nice house on that salary)

    7. Re:If you aren't willing to pay the going rate... by Anonymous Coward · · Score: 0

      +1

    8. Re:If you aren't willing to pay the going rate... by Anonymous Coward · · Score: 0

      Amen.
      As a former IT worker, part of the reason I didn't go back to it after a long period of illness was the shitty salary, while another part was the absolute lack of respect from all levels of pretty much any establishment you work in (and I've heard that from multiple friends/colleagues who work at all levels of IT provision, from first line support to "designing national networks for telecoms companies").

      I work at a hospital now doing a fairly intellectually non-challenging job and while people who do our job also get little respect, it isn't mentally taxing - something I'm glad for ATM - and I don't get paid much less than I would were I working in IT at the same organisation (25-38k for a DBA with 5+ years experience? Try harder). Funniest part of it all? Our Information Governance lead is a former nurse with 0 in the way of IT/security knowledge. At least the people under him are reasonably competent! Nepotism is also a big issue, certainly at this place; hiring some muppet solely because they're related to/friendly with some other muppet further up the food chain means we get quite a few eejits.

    9. Re:If you aren't willing to pay the going rate... by Paul+Fernhout · · Score: 1

      "It's simple: what is preventing companies from hiring security professionals is that the expected cost of a security compromise (or equivalently, the rate of security breach insurance) is less than the going rate of a security engineer."

      Yet another fine example of a company privatizing gains but socializing risk and costs...

      For another example: Equifax. What was the cost to the company of creating a huge negative externality regarding the privacy and secure identity of over 100 million people? And how much profits did they rake in while creating the risk that led to the externality?

      --
      A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
    10. Re:If you aren't willing to pay the going rate... by squiggleslash · · Score: 1

      Yeah but you have to live in Reading. The best thing you can say about Reading is that at least the train service to London is pretty decent.

      --
      You are not alone. This is not normal. None of this is normal.
  12. I was one BUT by Anonymous Coward · · Score: 0

    I was one BUT I was not able to find a single company which wished making the necessary steps: just faking compliance with some damn stupid standards. Companies are looking for brainless clones with some damn stupid certifications GIAC, CISSP and so. Did like 3 of those none were valuable, crazy stupid, boring, and expensive succeeded without even trying. The ones really useful won't land you a job. No surprise that whatever guy fit the job.

    I went for a radical change. No more IT/ICT, no more security, went for real science. Happy with my choice.

  13. Really so where are the jobs? by Anonymous Coward · · Score: 0

    I don't see a ton of jobs in it other than sysadmins who monitor shit. Maybe that's what they mean: they want to hire homer simpson.

    1. Re:Really so where are the jobs? by Anonymous Coward · · Score: 0

      relevant news: https://www.rt.com/business/414182-china-central-bank-needs-bankruptcy/

  14. That's the problem, not the solution by raymorris · · Score: 3, Insightful

    > vocational education so people can ... use the GUI and enter the command lines they are told.

    The PROBLEM is that admins and programmers follow a set of instructions that might have been okay for one situation, without understanding and carefully considering the ramifications for *their* situation, on *their* network, considering *current* threat trends. Often they get the commands to enter or the GUI buttons to click from sites like Stackoverflow or Serverfault. The answers on Stackoverflow might more or less answer the question and might more or less work, they do turn on the requested function.

    If you don't fully understand what you're doing though, and what "enabling RPC" actually means, that's when you create a giant security hole.

    What makes hacking "hacking" is precisely that it's outside-the-box thinking, coming up with how to leverage things in ways nobody intended. Information security thinking is precisely the opposite of following a standard checklist. It's all about finding the "cheat", not following the rules.

    There certainly IS a role for people with basic IT knowledge. Mostly working under someone with advanced IT knowledge with their work reviewed by a security professional. The security person should be a devious, clever type who comes up with ways to get around the rules.

    1. Re: That's the problem, not the solution by Anonymous Coward · · Score: 0

      Ya, where I work the security jackasses require us to whitelist the IPs of their scanning hosts in our firewalls, ACLs, etc.

      I'm waiting for someone to compromise one of their scan hosts.

  15. Indeed by Anonymous Coward · · Score: 0

    https://www.youtube.com/watch?v=LgHEClMxnpg

  16. They want business people... by Anonymous Coward · · Score: 0

    Sorry nerds, but "hackers" and coders are dime a dozen. No one cares about leet firewall skillz, or being able to code in C++. You buy in geeks to do that.

    What they want are CISOs. People who have a grasp of the business and can hold their own in the C suite.

    In the security world there is no shortage of hacky gimps. Ever wondered why hardly any of them crack $150k/year ??

    They're just like sys admins.

    1. Re: They want business people... by Anonymous Coward · · Score: 0

      Few will get paid $150k in the UK, as it's not the currency used. In any case a CISO is unlikely to get paid so much in the UK.

    2. Re: They want business people... by Cederic · · Score: 1

      Although.. I wouldn't take a CISO job for much less than $150k (or its GBP equivalent).

      All the accountability but never the required resources and a guarantee that you will at some point fail.

      Good CISOs are worth every penny.

  17. imho by Anonymous Coward · · Score: 0

    the world shouldn't have got so online, so soon... it's a horrendous mistake.
    the idea that entire populations are buying into very unsecure and unreliable pieces of software (and hardware)
    I can only foresee that the growing amount of disasters awaiting for us ahead is enormous.
    sure, poorly written software can create many jobs for security guys for tens of years if not hundreds but why even bother?
    if you want wicked guys to work for you then join the criminals side beforehand. but people like to stir everything up as they usually do.
    overall, a spiritual market shift is needed first if we want to create the properly secured infrastructure and products to let millions of people depend on.

  18. Summary by whoever57 · · Score: 1

    People with IT skills don't interview well. Film at 11.

    --
    The real "Libtards" are the Libertarians!
    1. Re:Summary by Anonymous Coward · · Score: 0

      People who interview people with IT skills are inappropriately trained to do their jobs. If the people able to apply a skills set to your problem domain are in front of you and you can't tell, maybe neurotypical isn't the correct interviewer and maybe the much vaunted social skills are fake as they only apply to other neurotypicals.

      NB non-neurotypicals communicate with each other just fine, maybe it's just you.

  19. "We just can't find them" PAY THEM MORE. by Anonymous Coward · · Score: 0

    "We just can't find them" PAY THEM MORE.

    1. Re:"We just can't find them" PAY THEM MORE. by DivineKnight · · Score: 1

      It's hard for them to see them over the 'Outsource to {country} today!' pamphlet they have stuck in front of their faces.

  20. Interesting Meetings by Anonymous Coward · · Score: 0

    Socially very talented non-techies discussing with socially non-talented techies about social engineering, influence, education and policies, all the while the "normal" techies try to moderate and prevent the meeting from straying into a social iceberg.

  21. You need more than high pay by rsilvergun · · Score: 1

    you need a stable, well funded working class to have children and an education system to train them. Those things are really, really pricey. On the other hand in a dog eat dog economy some folks are bound to make it through sheer force of will, good genetics and dumb luck. Hence the relentless push to bring in labor from overseas. Let somebody else pay the costs to train the next generation of employees, both the economic (food, shelter, schools, etc) and social (e.g. that dog eat dog capitalism again).

    --
    Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
  22. Soon to be obsolete profession by ka9dgx · · Score: 1

    As soon as people wake up and realize that capability based security can fix all of this, "computer security professional" will be about as much in demand as "computer operator" or "system administrator". I wish these folks so employed a nice 10ish year ride until it's over.

    So the prophecy is written, again.

    1. Re:Soon to be obsolete profession by Anonymous Coward · · Score: 0

      How exactly does "capability based security" obsolete anything?

      Go read "man setcap" and tell me how that can prevent some guy from making a request to my webapp using someone else's session ID due to some post form in an iframe.

      Sure, you tell me, the web will also be obsolete soon and with it XSS and XSRF attacks. Now go look at your mobile app and tell me if your Android sdk's oauth intent validates the signature of the calling app before returning a token.

      Ok sure someday maybe we will be able to rebuild everything from the bottom up and take the concepts to heart, but it only takes one place where lazy coding caused some missing access check, or one developer accidentally giving away his own capabilities/credentials to an attacker (phishing) before you realize that there is more to security than a simple buzzword.

  23. Econ 101 stuff, again by Anonymous Coward · · Score: 0

    ...rise in demand for digital security staff, but only 16% saw that the demand would be met."

    This seems to come up every year. Poor HR says "we can't hire anyone."

    Translation: "we can't hire at the price we're willing to pay."

    This is Freshman/First year Econ 101 stuff. The market (the Free Market) is telling you you're not paying enough.

    Offer enough and you'll have plenty of people applying for the job. Don't like the price you have to pay? Boo hoo. That's called Capitalism. Honestly, it just isn't that hard.

  24. There is no shortage of computer security pros by Grand+Facade · · Score: 1

    There is however a shortage of security pros who are willing to work with sticks and rocks or not allowed to do their job.
    There is also a shortage of pros who are willing to work for 2 tacos a day.

    No one wants to be the fall guy for upper management that is not willing to go all in on security.
    Upper management will always blame the security guy after they get hacked even though upper management circumvented or was not willing to follow or back recommended security protocol.

    --
    Rick B.
    1. Re:There is no shortage of computer security pros by Anonymous Coward · · Score: 0

      The answer is No. Next day the head of IT security resigns or is replaced/relocated for someone who understands business. Their job is to blunt any audit report and obstruct discovery of negatives.

  25. I blame hiring practices by Anonymous Coward · · Score: 0

    I have significant experience in this arena, but whenever I have looked for a job they have all these exhaustive requirements which I don't have.

    Another way of putting it- Whoever is writing the job descriptions evidently is more concerned about certifications and legal requirements as opposed to being genuinely concerned about security.

  26. Only LUDDITES fail to Cyber! by Anonymous Coward · · Score: 0

    Only elite Cybers can Cyber Cybers! Don't let your Cyber business goals get Cybered without the right Cybering Cybers!

  27. That must be a very shitty job by Casandro · · Score: 1

    I mean there are some simple and easy ways to increase security at any company. It boils down to not doing stupid things.

    However many people have been trained to do stupid things like using Office Software, which is one of the main dangers at any company.

  28. Lets not forget to send retarded APK to them by Anonymous Coward · · Score: 0

    Why not send them that retard APK too.
    Then he can foist his hosts file garbage on even more people while pretending to be a security person.
    He would be exactly the kind of person management would love, lots of low cost shitty ideas

  29. the shortage is in place to hire guest workers tie by Joe_Dragon · · Score: 1

    the shortage is in place to hire guest workers that are tied to the job and if they quit / are fired are forced to go home.

  30. One important change could fix all of this by Geekbot · · Score: 1

    Require businesses and media that reports this issue to follow every "Not Enough Qualified ______" with the obvious qualifier "For the Salary Offered."
    Then all of these stories make a lot more sense.
    America is currently throwing a fortune into "STEM". Because of the false claim of a shortage of workers when the real answer is a shortage of pay.
    All they are going to do is crash the tech economy when they flood the market with all the new tech workers that realize they can't make enough money to pay back debt and have to drop out of science and tech altogether. I've seen it in another field here and it's not pretty. Flood of workers means unemployment, low wages, and no bargaining power. It won't take long for them to all refuse to work in tech and just throw their degree in the garbage.
    2020: More CS majors behind the counter at Starbucks than at the tables.

  31. "a spiritual market shift " by Paul+Fernhout · · Score: 1

    AC wrote: "overall, a spiritual market shift is needed first if we want to create the properly secured infrastructure and products to let millions of people depend on."

    Sad, but true -- and in more areas of life than that. Thus my sig -- and the Albert Einstein quote that helped inspire it: "The release of atom power has changed everything except our way of thinking... the solution to this problem lies in the heart of mankind. If only I had known, I should have become a watchmaker."

    Although, 70 years later, now that every smart watch has more computing power than was needed to design the first nuclear weapons, the choice of career is not so easy...

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
  32. Sue microsoft by Anonymous Coward · · Score: 0

    It is their product not fit for purpose. And Darwin will eventually weed out firms that cannot get a handle on security. And, no, not for any amount of money do I need the endless thankless pain of being a security expert, whatever exactly that is.