Tackling the challenge of attracting cyber security talent to the public sector

Danny Palmer examines what the public sector can do to attract top cyber security talent when competing against the higher salaries offered by private firms

Speaking at a recent event in London, Andy Archibald, deputy director of the National Crime Agency National Cyber Crime Unit, addressed the challenge of attracting cyber security professionals into the public sector.

While hackers potentially make large sums of money through nefarious deeds including data theft, deploying ransomware and computer viruses, those in law enforcement tasked with tracking them down are less well off. But while it's unlikely a police cyber security expert will run off to become a criminal, the private sector can offer much higher wages than the public sector.

"That's a challenge in law enforcement, to attract, retain and reward these individuals," said Archibald, addressing the e-Crime and Information Security Congress. "Not only does the public sector and law enforcement need the skills, but so does the private sector. And of course within the private sector the salary packages are more attractive," he added.

So how do public sector organisations - especially the police and other law enforcement agencies - ensure that they can attract the talent they need to take on the cyber criminals?

Dr Siraj Ahmed Shaikh, reader in cyber security and leader of the Digital Security and Forensics research group at Coventry University, believes an answer lies in authorities engaging with universities to identify top talent early and tailor their skills for a career in the public sector.

"Any talent has to be nurtured. The public sector needs to work with universities to put in place focused training and education to grow that talent," Dr Shaikh told Computing.

"While there are initiatives to address basic skills, more specialised skillsets - such intelligence gathering, network security monitoring, forensics - need to be prioritised as well."

Dr Shaikh suggested government should concentrate on ensuring young cyber security enthusiasts get the specialist education they need, while avoiding "publicity stunts" like the Cyber Security Challenge, which he said had "clearly failed", with fewer than a third of the contest's finalists finding work in cyber security.

When it comes to retaining talent, however, Dr Shaikh echoed Archibald in saying it is a "challenge across various spheres of cyber security". But he told Computing there are ways the public sector can ensure it retains talent by offering "incentives and bonus structures", along with opportunities for "specialist training and development".

"As with some other civil service professions, the public sector needs to create prestige and allure to this profession. How about a cyber 007 to the rescue?" he suggested.

[Please turn to page 2]

Tackling the challenge of attracting cyber security talent to the public sector

Danny Palmer examines what the public sector can do to attract top cyber security talent when competing against the higher salaries offered by private firms

According to Andy Crocker, a former officer for the UK National Hi-Tech Crime Unit and SOCA, the government law enforcement agency, the authorities should be pursuing that "glamour" angle to attract new recruits.

"There is more excitement if you're working for the security services and it's your chance to do something for your country. Although that sounds like an old-fashioned ideology, people still think it's good to do things for the greater good," Crocker, now CEO of cyber security firm Protect 2020, told Computing, adding chasing down cyber criminals is "exciting" work.

"Whilst in the police I spent five years in Russia tracking down bad guys and it's got to be one of the most exciting things anybody can do; dangerous, wonderful, seeing a different country while tracking down organised crime gangs in Russia who were using computers to attack the UK," he said.

Like Dr Shaikh, Crocker believes the authorities should be scouring universities for cyber security talent and offering what seems to be a rare thing for today's university leavers - stable employment and a career offering unique experience and training.

"They have to strike while the iron's hot, looking for good quality people at university and showing them the type of career they could have," he said.

"The money is there to give them a decent wage but that's not the clincher nine times out of 10 - it is more about giving them stability, the skills to go and be experienced and that's what they should be pushing - the experience"

That experience, Crocker argued, can be drawn upon as a unique selling point should the cyber security professional want to sacrifice excitement for a higher private sector salary further down the line. Because in bringing experience from working for the authorities, he told Computing, cyber security personnel make themselves more attractive for employment in top private sector roles.

"If you say we've just employed X from Scotland Yard or MI5, people like that. They have a history of good work, training and experience. Why wouldn't you employ someone like that? It gives you good grounding for when you go out to Civvy Street," Crocker concluded.

Computing's Enterprise Security and Risk Management Summit will be held on 1st July 2014 in London.