Cyber? We can't get the staff, say UK IT leaders

'Just having some more bodies in the team would be useful'


Notable by its absence in the incoming government's manifesto was any meaningful mention of cybersecurity. In fact, cyber was conspicuously absent from the published plans of any major party.

Perhaps the topic was considered too niche for general consumption, but its side-lining, along with an almost complete lack of political comment following the attack that devastated and continues to affect hospital services in London last month, seemed almost wilful.

Needless to say, security remains top-of-mind for IT professionals, who understand better than anyone the scale of the threat, the potential damage, and the difficulty of defending against well-resourced attackers.

In a Computing survey of 100 senior UK IT professionals in April, respondents said they were most concerned about big-picture issues, such as the potential for a devastating attack on the UK's critical infrastructure (see above). They were also worried about reports, including by the government, that UK businesses are falling short on cybersecurity.

"[This] is most concerning because it highlights the gulf between what the criminals are able to do and what companies are able to do to protect themselves," said the director of a technology company.

The third most widely held anxiety was about security failings at big tech companies, such as Microsoft, on which many businesses and public services heavily depend.

"Microsoft tools are used at all levels and across the private and public sectors," noted a strategist in a government department.

While several respondents were uneasy about the security implications of over-reliance on quasi-monopolistic tech companies, a more pressing concern was recruiting and retaining the cybersecurity professionals on which their defence depends, or being able to afford managed services on stretched budgets.

"It's difficult retaining good staff, skilling staff to ensure updates and patches are done in a timely manner to ensure the changing threat landscape is covered," summed up a head of technology at a software firm.

The public sector faces even greater challenges in this regard.

"We cannot get good staff, and who can blame them when industry pay twice our salary and work people only half as many hours per week?" said an IT head in higher education.

The most sought-after security personnel are generalists, people who understand networking, applications and cloud. These will likely be seasoned professionals with commensurate salary demands that may put them out of reach. "We don't have budget for dedicated security staff," commented an IT manager in a school.

After that came security analysts, those able to interpret threat intelligence and incident data, closely followed by those with skills in incident response, compliance and risk management.

"Just having some more bodies in the team would be useful," said an IT head in transport, adding that the existing team are pressured and burned out.

Unlike the US, which has issued several edicts and presidential executive orders around cybersecurity in recognition of the rising threat, the UK has seemed content, by and large, to leave companies to their own devices in their defence, which is hard when you can't get the staff. There are no easy answers, but let's hope a little more proactive attention is paid to cyber with the change of hands.