It’s fair to say that 2018 will be remembered by many as the year that the public sector grappled with a smorgasbord of cyber security and data-related challenges. From the introduction of the GDPR to warnings that the UK is ‘wholly’ unprepared to stop a devastating cyber-attack, the need for our public services to close the cyber security skills gap is more vital than ever.
In many respects, the public sector has an even greater mandate to improve its cyber security than private organisations do. The government is partway through its five-year National Cyber Security Strategy and must also account for the steadily increasing threats presented by nation-state actors. Indeed, GCHQ recently announced plans to assemble a 2,000-strong force of cyber professionals to bolster its cyber warfare capabilities against Russia and other threats.
Despite this, the public sector is considered to be lagging behind private organisations in this area. Most notably, public sector organisations must work under much tighter budgets and can rarely match the market rate for most cyber roles – a divide which will only deepen as salaries continue to increase. It should be noted that in many cases the problem is not a lack of funding, but rather that capital has been allocated to a different area, and not to headcount.
While there are certainly challenges facing the public sector’s hiring strategy in 2019, there are areas in which they can compete for the best, making use of the development opportunities that exist for candidates, and championing diversity and flexibility.
Ensure national priorities are reflected at every level
To recruit talented cyber security staff in a candidate-driven market, the public sector must demonstrate that it considers cyber security a priority, not just at a policy level but throughout the sector. Talented cyber professionals want to know they have the attention and support of seniors in these fast-paced and often mentally taxing roles. The National Cyber Security Strategy at the highest level sets out the government’s strong commitment to this issue. However, for department and service leaders this must translate to communication of this commitment ‘on the ground’ if candidates are to be assured of the importance and standing of their role.
While demonstrating commitment to cyber is essential in attracting talent, it’s worth bearing in mind that the average security salary has increased by 6.3 percent compared to 2017, double the average UK growth of 2.9 percent. Financial reward is undoubtedly important in a competitive market, but for the public sector, competing to offer top salaries is nearly impossible. However, where the public sector may not be able to offer the highest salaries, it does have an opportunity to provide extremely competitive opportunities to train and develop.
Offer a portfolio experience to build skills
Cyber security candidates are increasingly attracted by access to industry mentoring programmes and by the opportunity to upskill, to diversify their roles and to move between roles as new technologies develop. Portions of the public sector have been quicker than the private sector to provide such opportunities for employees to upskill, retrain and transfer roles to answer cyber security needs. For candidates, the opportunity to work across diverse departments that face differing issues can be attractive in helping them build a portfolio of skills.
This is a constantly evolving sector and a developing specialism, and public sector leaders must also keep pace with the technological change that will give rise to a demand for new skills. For example, through 2019 we will see new roles emerge as technologies such as autonomous cars, connected medical devices and artificial intelligence boom. These will demand very specific skillsets to ensure implementation is secure and safe.
However, with the public sector already struggling to fill operational roles, future-proofing for new technologies may seem a challenge too far. The first challenge is to fill these essential, operational roles. As such, it may be time for the UK to take on board formalised upskilling programmes such as the US’s Federal Cyber Reskilling Academy, which seeks to retrain existing non-IT employees to fill essential cyber roles. Clearly, the need to fill these existing gaps will be the first step towards a future-proofed public sector cyber workforce, and looking within could be a smart way to start.
Diversity and flexibility are key to smart strategy
As the National Cyber Security Centre says, diversity is the key to effective cybersecurity and the public sector has the opportunity to lead in the creation and championing of roles that support candidates who may have differing needs, or may face bias or discrimination (whether overtly or covertly) elsewhere. Whether supporting part-time single parents, those with neurodiverse skills or building a culture welcoming of different races, genders and sexualities, the public sector must lead the way in providing roles that offer more than just pay.
Therefore, cyber security leaders must work with hiring teams to ensure that assets such as adverts, job descriptions and candidate communication encourage those with diverse backgrounds or needs. There must also be proactivity in making any workplace adjustments necessary to enable accessibility and safeguard employees. In many ways the public sector is already ahead of the game in this respect, with options such as job-shares and flexible working seemingly more acceptable in the public than in the private sector. Such flexibility should be encouraged and communicated to ensure that candidates whose needs cannot be met in the private sector are not put off cyber altogether but see opportunity to flourish in the public sphere.
Similarly, with this sector in such constant flux, it is essential that flexibility is encouraged when it comes to CV and job role definitions. For example, when it comes to cyber security job titles there are few firmly agreed descriptors in use, and this will be compounded as the tech develops. Without the standard industry terms enjoyed by more established disciplines, cyber-related CVs may not clearly specify skills that align with the job description, but that doesn’t mean the candidate doesn’t possess what’s required. In a climate of cyber skills shortages, it will be increasingly important that cyber security heads encourage and demonstrate flexibility in hiring for cyber and look beyond the checklist.
Are we nearing the end of cyber talent shortages?
Unfortunately, not. The cyber security skills gap will likely take many more years to close and demand will continue to far outstrip supply. We are likely to see further difficulties during 2019 due to Brexit as it becomes harder to hire international talent. The industry relies heavily on practitioners from around Europe and beyond, particularly in frontline work such as security analysis.
Stemming from this, outsourcing will become an even more prominent factor in security as public sector organisations turn to external contractors to fill vacancies, a trend which is already the norm for many public organisations.
Nevertheless, it is possible to stop security costs spiraling by putting into place the strategies discussed here – focusing more on internal development and upskilling for graduates and junior practitioners, offering flexibility and communicating the development potential in public cyber roles. Rather than offering increasingly high wages for senior professionals, the public sector should look at innovative ways to help grow their own in-house capabilities without expending their budget on inflated salaries and contract rates.
The task in 2019 is to make sure the will, support and strategy are in place to build this culture of upskilling, and to create and champion diversity.