There is a well-documented shortage of skilled, qualified and experienced cyber security personnel in the UK. Just look at the Department for Digital, Culture, Media & Sport’s paper “Cyber security skills in the UK labour market 2022”; it’s packed with statistics and findings from far-reaching qualitative and quantitative research. Here at the coalface of delivering cyber security solutions, we concur that demand is outstripping supply, irrespective of geography or sector.
In this blog, we unpack the problem and explore options that can make a real difference to increasing public sector cyber resilience.
- Why is this problem compounded in the public sector?
- Tackling the problem in-house
- Tackling the problem through outsourcing
Why is this problem compounded in the public sector?
Although we see a cyber security skills problem across the board, there are several factors that conspire to make it a bigger issue for the public sector:
- Permanent public sector salary bands are typically below market average and inflexible. This makes it tricky to attract quality permanent staff and retain them when salary increases come up for negotiation at review time or, worse, on threat of resignation.
- The public sector recruitment process can be glacial. In a fiercely competitive market, available talent is snapped up quickly, sometimes before the public sector application deadline even closes.
- The regular demand for security clearance makes the small pool of candidates even smaller, and tiny if DV clearance is a prerequisite. And the delays involved in getting security clearances in advance of a formal offer being made can result in more candidates dropping out of the recruitment process.
- When turning to the contract market, the day rates on offer are average and are often “Inside IR35”, which limits interest from the cream of the crop of candidates.
Based on our experience, we have a series of tips that are real options for public sector organisations to attract, retain and augment their cyber security capability.
Tackling the problem in-house
There are no silver bullets to address the cyber security skills problem but remember, only a small percentage of people are purely driven by money. By focusing on other factors, public sector organisations can create a strong pull for candidates. During recruitment campaigns, onboarding and retention activity, consider the following:
- Focus on purpose: public sector organisations exist to provide citizen services on the frontline and in the back office, services that need protection from the threat and impact of cyber events to keep people safe, healthy, educated and so on. A public service culture appeals to many people in a way that private sector firms often can’t.
- Focus on personal development: public sector organisations tend to spend more on training in both technical and soft skills than private sector companies. Helping people “be their best” and gain associated badges, accreditations and certifications will boost their confidence and open up new opportunities for promotion.
- Focus on challenge: the size and scale of many public sector organisations offer a cyber security challenge that dwarfs even the largest private sector companies. This will pique many people’s interest.
For public sector organisations who can extend their scope and budgets, there is a longer game to encourage more folk to join the profession. Consider investing in an “academy”. Hire graduates and apprentices to train in cyber security skills. Embed them into high-quality teams to build their experience, develop them through continuous training and mentoring, and promote them fast. Although there will always be a risk you will create experts that are attractive to others, working in a culture of purpose, self-development and challenge will generate loyalty in many and help to future-proof your permanent team.
Tackling the problem through outsourcing
If an in-house capability remains stubbornly elusive, outsourcing is another option. This can take three main profiles:
- The top-tier public sector suppliers are multi-disciplined and can usually offer cyber security skills. This can be attractive because they are a known quantity and easy to contract. However, they are also big companies with high overheads and eye-watering day rates. So, not only can this be an expensive route, but it may also involve a delivery model with one senior supported by junior or graduate level resources rather than the much-needed skilled, qualified and experienced cyber security personnel.
- Assembling a crack team of individual contractors is another viable option that many pursue. It has the advantage of hand-picking a team but comes with a high administration and management burden – agency liaison, interview time, contract negotiation, day-to-day oversight and multiple payments. Worse, there is no recourse for bad work – just more payment to fix any problems.
- Outsourcing to a team of cyber security experts from a small-medium enterprise (SME) is another option. SMEs are specialists in their chosen field - typically well-qualified and experienced, they can bring deep and wide knowledge, innovation and creative ways of working. A bonus is that they are self-managing and prepared to work on an outcome basis with invoices based on completed milestones and deliverables – a formula that is often financially and operationally more efficient and holds less risk. SMEs are also often prepared to upskill civil servants at all levels as part and parcel of their daily work through knowledge transfer and mentoring.
On balance, a well-chosen cyber security SME is a wise choice especially if they are public sector specialists too. They will have security-cleared resources readily available and deep knowledge of public sector project management, finance, procurement and governance – all of which means they will hit the ground running and make an immediate contribution. When embarking on this route, be sure to check the credentials of the company, the people and their clients – look for financial stability, capacity and capability, and case studies that support the scope and complexity of planned work.
Pionen offer specialist services aligned to helping the public sector achieve the goals set out in HM Gov’s Cyber Security Strategy. We offer a range of proven “Cyber Resilience Services” aligned with the 5 key objectives of the NCSC Cyber Assessment Framework:
- Managing security risk: governance, risk management, asset management and supply chain
- Detecting cyber security events: monitoring and event/attack discovery
- Minimising the impact of cyber security incidents: response and recovery planning, lessons learnt
- Protecting against cyber attack – policy and identity: service protection policies, identity and access control
- Protecting against cyber attack – data, system security and resilience: system security, network resilience, awareness and training