Brit tech forges alliance to improve cyber security as MPs moan over 'acute scarcity' of experts

A cross-sector alliance incorporating leading UK organisations has been created in response to government plans to develop a national professional body for cybersecurity. The imaginatively titled Collaborative Alliance aims to shape national cybersecurity standards, drive advances in education and advise the government on …

  1. Anonymous Coward

    If... (oh why bother)

    HMRC hadn't put the kybosh on contractors working for the Gubbermint with their IR35 rules then who knows eh, some experts might appear out of the ether and solve their problems.

    But no. For the sake of a piddling small amount of dosh when looked at in the scale of Gubbermint spending they are screwing other departments and who knows eh, even putting the country at risk.

    I'd better post AC just in case HMRC decide to give my tax records an anal exam. Not that I have anything to hide but I could do without the PITA it will give me.

    1. Sir Runcible Spoon

      Re: If... (oh why bother)

      Some CNI is managed by private companies. One in particular pays a pittance for salaried staff, so it has a hard time recruiting specialists/competent people.

      Assuming HMRC continues on its path to ram IR35 changes down the throats of contractors in the private sector, I expect this will have a huge impact on the ability to recruit even contractors. Plenty will work abroad once the pay differential becomes meaningful.

      1. Tom Paine

        Re: If... (oh why bother)

        Some?

        In the UK, there are 13 national infrastructure sectors: Chemicals, Civil Nuclear, Communications, Defence, Emergency Services, Energy, Finance, Food, Government, Health, Space, Transport and Water.

        I count four largely or entirely public sector, er, sectors on that list - and even in defence and health there are multiple private suppliers or outsourced operators in critical positions.

    2. Tom Paine

      Re: If... (oh why bother)

      HMRC hadn't put the kybosh on contractors working for the Gubbermint with their IR35 rules then who knows eh, some experts might appear out of the ether and solve their problems

      Why would they, when they didn't appear out of the air and solve them before the IR35 changes?

  2. Teiwaz

    Maybe it's not a comfortable area to be in.

    Considering the number of people inclined to that area of IT are often hounded to the grave by U.S. authorities, is it really an area ...

    a) to look for stable, reliable people

    b) the reliable kind of person who tends toward loyalty, doing what they are told and not making waves (which is what I gather governments like).

    It's not very nice to have the security forces crash your home at 6 a.m. just because you found a hole and told the responsible company something they didn't want to hear enough to decide to play ostrich and deny everything.

    1. This post has been deleted by its author

    2. Tom Paine

      Re: Maybe it's not a comfortable area to be in.

      Considering the number of people inclined to that area of IT are often hounded to the grave by U.S. authorities,..

      What on earth are you talking about?

  3. Avatar of They
    Coat

    Phew!!!

    Well it's a really good job we are not putting up walls and barriers to allow all those people that want a job in a suitable industry to come here. Or building in steps to really slow down their applications.

    That would be a really stupid idea for any government to do right now.

    Mine's the one with the "currently" red passport in it.

    1. Anonymous Coward

      Re: Phew!!!

      Well it's a really good job we are not putting up walls and barriers to allow all those people that want a job in a suitable industry to come here.

      Well, since they aren't coming here now, but we've never had an excess of infosec people, I'm not sure that much will change. The fundamental problem isn't Brexit, or visas-for-Indians, it is that this country doesn't train enough infosec staff, companies and government won't pay enough to make the career attractive, and the practitioners are treated with the same disrespect as financial services risk managers in the years leading to the great financial crash.

      I should point out that I'm not moaning on my own behalf, I don't work in infosec. In fact, I'm part of my company's senior management, and I've got an MBA, so by the regular moaning of commentards I know precisely jack shit. Maybe those moaning genii could explain the problem to me, and how my assessment above is all wrong?

      1. DavCrav

        Re: Phew!!!

        "companies and government won't pay enough to make the career attractive"

        It's always and only ever this. We don't need more STEM graduates; we need to make sure the ones that we have end up in STEM by not paying a graduate chemist £18k but a graduate management consultant £40k.

        Companies say there aren't the skills, but what they mean is "There aren't the skilled people at the shit wages we are offering". Supply and demand seems to be the favoured viewpoint except in employment.

      2. LucreLout
        Pint

        Re: Phew!!!

        In fact, I'm part of my company's senior management, and I've got an MBA, so by the regular moaning of commentards I know precisely jack shit.

        Well done Sir! You've taken the first step to not being part of the problem.

        My company has no problems finding and retaining staff - you just have to pay market rate and treat them in the same manner you yourself would prefer people treat you. Companies that are struggling for staff are getting one of those things wrong, and flooding the market with cheap low skilled offshore staff isn't going to help them correct their behaviour.

        The thing most businesses get wrong is that they expect to pay someone with a lot of sought after skills, education, and experience less than their MBA type manager, because, well, (s)he's the boss. Unfortunately, that doesn't mean they have skills the market values just because they're further up some notional hierarchy.

  4. Anonymous Coward

    Just wouldn't do it

    Have you seen how dysfunctional government is lately? Why subject yourself to the risk of it deciding to go dysfunctional on you?

    1. This post has been deleted by its author

  5. GnuTzu
    Trollface

    Job Security and Increasing Market Rates -- For All That Weak Technology

    Yummy, yummy -- but, the work load might do us in.

    Now how do we feel about companies that sold us weak operating systems and such?

    There it is; they bought cheap technology and can't even find the people to secure it--let alone be able to afford them.

    1. Destroy All Monsters Silver badge

      Re: Job Security and Increasing Market Rates -- For All That Weak Technology

      I think you are a LITTLE bit too rational, root-cause-focusey and sensible here.

      Let's just keep the eyes on the ball, eh? Find some incentivization scheme, create a new govnmt consulting group to solve the problem, have long speeches - that kind of thing.

  6. el kabong
    Trollface

    Experts... we've had enough of those.

    Experts and their facts, they are out to fool you. I don't trust them and you shouldn't trust them either.

    I'm entitled to my own facts, no expert will ever know my facts better than myself.

  7. Anonymous Coward

    They don't even know what does exist

    A report from a recent body only mentioned non-UK companies when they were discussing static analysis tools that could help with security. They completely missed that two of the world market leaders in this field are UK based - one has been running since the 1970s.

    There is also no government funding made available to support the activities of MISRA (and others), who produce world-leading, globally-used coding standards for C and C++ that aim to eliminate security vulnerabilities from code (along with making it 'safe'). A tiny, tiny share of what is proposed would allow MISRA to produce something of value within reasonable time-frames.

    But then, part of the issue is the expectation that tools will find all the issues without software authors accepting that they do need to formalise requirements, development, testing, ...

  8. monty75

    Money?

    Who’s going to pay for this? I’ve looked at moving into cyber security but all the jobs expect me to have qualifications that cost five grand a pop (usually multiple qualifications). Plus the usual IT recruiting crap of having ten years experience for an entry level job.

    1. 0laf

      Re: Money?

      Mate, I've got the certs and the experience but now they expect you as one guy to run security for a massive organisation on your own, right down to reading event logs and reporting to the board.

      Security is interested and on the agenda but not funded.

      1. Anonymous Coward

        Re: Money?

        And who's going to want to do a gummit security job where you are banned from mentioning or using any experience you gain in any future employment? A gap on your CV listed as "not allowed to tell you" may as well say "in prison".

        1. LucreLout
          Joke

          Re: Money?

          A gap on your CV listed as "not allowed to tell you" may as well say "in prison".

          I thought "Travelling" was the correct euphemism?

  9. smudge
    WTF?

    Why?

    The imaginatively titled Collaborative Alliance aims to shape national cybersecurity standards, drive advances in education and advise the government on policy.

    Aren't CESG/NCSC supposed to be doing that? Are they involved? Do we need another super-talking-shop?

    1. RobinCM

      Re: Why?

      Exactly. And the certs are there too.

      Tigerscheme's Qualified Security Team Member/Leader, Check Team Member/Leader, etc. Plus there are plenty of industry vendor certs from generic ones like CompTIA Security+ to more vendor specific stuff from e.g. Microsoft.

      As has also already been mentioned, the problem is companies not actually coughing up to train people, then not employing enough of them, and not listening to them when they have employed them.

      Schemes like Cyber Essentials Plus are helping make some companies comply with a basic security baseline, but it's not enforced across all companies yet, and it's scary how many applicants fail various bits of the testing. And those are the ones who are at least trying to be secure!

      1. tfewster

        Re: Why?

        As mentioned, the certifications are there - (ISC)2, GIAC - and the guidance is too - NIST, CIS, PCI-DSS. I'd not heard of Cyber Essentials Plus, but it has regular patching as one of their top-5 which puts it ahead of the rest in one respect.

        A few years ago I couldn't even spell InferSec Enginneeer - Now I are one! (uncertified, but common sense goes a long way).

        The training courses are expensive, but the books are sufficient, and if a company will give you the time for self-study & pay for the exams, that builds a lot of loyalty. I'd be prepared to accept a nominal "bill" for that, e.g. a week's wages + cost of the exam, to be worked off by staying with the company for 2 years OR the remainder repaid if I left without good cause.

  10. nematoad

    Sigh.

    " ...no real sense of the scale of the problem or how to address it effectively".

    No change there then.

    See also: Brexit.

    1. Sir Runcible Spoon

      Re: Sigh.

      From what I’ve seen they are having enough trouble defining what cyber security actually is, probably because they don’t realise that it’s a vague term that covers a lot of different roles.

      Over the years I’ve attempted to explain what I do in more condensed form so non techies can grasp what I do for a living, but in the in end I have given up and now just say ‘I work in computers’. That seems to satisfy 99% of people as they ‘understand’ that, but obviously is completely meaningless - it’s just a way for them to express their tiny minds :)

    2. DavCrav

      Re: Sigh.

      " " ...no real sense of the scale of the problem or how to address it effectively".

      No change there then.

      See also: Brexit."

      See also: climate change, the antibiotic catastrophe, the AI revolution, the water scarcity crisis, the gig economy crisis, the pension crisis, health expenditure exponential growth (Cont. p.94)

  11. 0laf

    Coz you fixated on the technical so all your school leavers are good for is being pen testers, no one knows about risk or even how to come up with a business-focussed solution to the issues they identify.

    Quite a few public sector guys are about to walk because they are so underpaid relative to the contractors.

    1. Warm Braw

      Coz you fixated on the technical

      My anecdotal experience is that most of the "information security" people I encounter are actually doing PCI compliance work, and a proportion of them were formerly working on ISO 9000, so not exactly deeply technical.

      It is the job of managers to understand risk and come up with business-focussed solutions, not IT security people. There does seem to be an attitude that cyber security is a problem that can be compartmentalised - along with the responsibility. It can't. It's pervasive across the business and managers need to get some education themselves - as they ought to do to understand at least the basics of the legal and financial risks to which they're exposed.

  12. amanfromMars 1 Silver badge

    New Brooms Needed ....

    I think one needs to realise and accept that any excellent cybersecurity body will quite naturally be opposed to, and in competition with, status quo supporting governments.

    The Joint Committee on the National Security Strategy criticised government for having "no real sense of the scale of the problem or how to address it effectively".

    And ain't that the gospel truth!

    One does very well to consider, whenever one is competent and made of the right stuff, the fast track cybersecurity career path, which has one destroying or irreparably degrading systems with the exploitation of systemic vulnerabilities resulting in zeroday opportunities which release secret genies out of magic bottles.

    1. amanfromMars 1 Silver badge

      Wild Wacky West or Exotic Erotic East is Best for Private Pirate Cybersecurity Enterprise

      And whenever home teams are not reliable agents, does especial force talent migrate to foreign jurisdictions/ go phishing in alien territories.

      1. My-Handle

        Re: Wild Wacky West or Exotic Erotic East is Best for Private Pirate Cybersecurity Enterprise

        Hmm... One example of "ai" not being capitalised, fifteen of "it" not being capitalised, a distinct lack of a baffling number of abstract proper-noun phrases and a concise, cogent argument...

        Are you feeling OK? It's like seeing a post from Bob without any random capitalisation. One comes to expect some things around here.

      2. This post has been deleted by its author

      3. Anonymous Coward

        Re: Wild... ...Enterprise

        but seriously, just loved the song/video:

        Depeche Mode / rmx Naweed Wahla, PEACE - https://youtu.be/z2ttkI5lEYM

        sounded good those latest times, didn't IT?

        (-;

  13. steelpillow Silver badge
    Facepalm

    Qualifications

    OMG we are short on cyber specialists who meet the essential minimum qualifications:

    * Have a documented track record of approved buzzwords

    * Are nevertheless prepared to work for peanuts

    * Are happy to do IR 35

    * Are happy to work for Crapita

    * Are sufficiently experienced despite:

    * Not being OLD!!! >horror<

    I am afraid that I retired early on failing to meet five of those qualifications after a mere ten years of roaring success, and I have absolutely no intention of going back. I am confident that I am not alone.

    1. jMcPhee

      Re: Qualifications

      What? Not use code monkeys to do experienced IT professionals' jobs?

      That's crazy talk.

  14. sitta_europea Silver badge

    For months I've been trying to tell a couple of PLCs about a couple of fairly obvious security problems.

    I might as well talk to my dog.

    They'll only do something when somebody puts them on the front pages.

    1. Wellyboot Silver badge

      >>They'll only do something when somebody puts them on the front pages.<<

      As these are the PLC types I and many others like to avoid, may I suggest finding some way to put them on the front pages (legally) or better yet here in the Reg.

  15. Nick Kew

    Easy target

    Just a thought ...

    Security professionals trained to a formula for a qualification could help present an easy target. Just look at the rules they have to follow to cover their professional arses, and work your attack around them.

    After all, security nonsense like the CIS benchmark already presents a sitting duck as it becomes a defending sysop's checklist.

  16. Daggerchild Silver badge
    Childcatcher

    Half-life calculated yet?

    Been there, wore the suit, analysed the packets, wrote the reports. Toddlers with knives, as far as the eye can see..

    Everything is cheap, lethal, toxic or 'boring!'. Everything found on the ground goes straight in the mouth. They *have* to have what their friends have, or they tantrum, and mother over-rules you.

    It is as critically important a job as it is soul-crushingly pointless. Good luck!

    1. Sir Runcible Spoon
      Joke

      Re: Half-life calculated yet?

      “It is as critically important a job as it is soul-crushingly pointless. Good luck!”

      Damn you, I was perfectly unhappy with my head in the sand until you reminded me.

  17. Valeyard

    the government doesn't even lead by example

    pick a gov.uk website, if you can find a way of reporting security issues I'll buy you a pint

    NCSC doesn't count, I've tried that, they're too busy pretending to be a legit company while spying on their own citizens to even bother replying, like a mafia-owned Chinese laundry.

  18. Anonymous Coward

    The biggest part of the problem is outsourcing to "under developed economies". I was talking to a guy who works with "unixy", my word, servers and he was saying how the outsourced work is largely done in India. One of that crew has made it here and is now working with him at "developed economies" wages. In India, he was paid 8.10 per hour and that as mid-level support. We cannot compete on cost or knowledge level. So, do it if you enjoy but you cannot expect to be paid any amount for that work any more. Time to go back to school and start an apprenticeship.

  19. Anonymous Coward

    We're even short 'moderately specialist' types ...

    I'm baffled [] the word "even" when describing the team of sub-headline AI crafteurs, you're tall as ships! (said Alice)

  20. 0laf

    The other problem right now which isn't helping is that "Cyber Security" or "Information Security" as we unfashionable older bods still call it in private company has become fashionable for managers to be involved in, and so we get all manner of random departments butting in and trying to take over (project management, civil contingencies, feckin procurement).

    They have the ear of senior management and politicians through previous dealings and also for being a subject that those high up feel they can understand. Guys who have worked up from IT just don't have the ear of those on high.

    Then the usurpers get into projects, make an arse of it, blame IT, then run away while the original IS guys step in to try to fix the mess whilst taking the blame for everything being difficult.

    There are also many 'security guys' that just say 'no' and run away. I've been at meetings where managers have been stunned to find a lowly junior me actually giving some suggested solutions and workarounds to keep their businesses running whilst dealing with the risks. There are a lot of poor guys out there too.

    I just need to turn one of these meetings into a job that doesn't involve me being an entire IT department from Firewall tech to head of service.

  21. Joe Harrison

    What shortage?

    Shortage of cyber-security skills really? Who's filling up my firewall logs then?

    They mean shortage of White Hat cyber-security skills. Or more precisely a shortage of multi-certified box-tickers, report-writers and pen test script runners without tattoos or piercings who wear suits to work.

  22. Boris the Cockroach Silver badge

    How about

    we are short of <buzzword> techie experts, but we don't want to pay them the going rate, nor do we want the costs of training them, and we want them now.

    Cue a call to immigration and get them on the fast track visa system along with all the other techie/skilled trades we are short of for exactly the same reasons as listed above.

    But who wants to go into security when a lucky break for you (and your employer) means that you cracked a malware, disabled it completely, and you get invited to speak at a cyber-security conference in the US and get fingered by the feds for posting some code up on the internet that got put into some other malware...

  23. FlamingDeath Silver badge

    Those that govern / advise

    Quite honestly, the technological singularity hasn’t even started yet, if these people can’t get a grip on the pace of things now, what chances are there when it exponentially starts speeding up.
