The public sector faces a double challenge in finding and retaining a cybersecurity workforce: it is affected by the worldwide skills shortage, and it cannot match the salaries the private sector offers.
To overcome this and to continue finding the necessary skills to protect vital public assets from cyber attack, the public sector will have to be creative and flexible in the ways it sources security talent.
2. Widening the cyber talent pool to address the skills gap
Martin Sivorn @_meem_
3. GDS
My last 5 years spent building cyber teams
Timeline, 2012 to 2019:
Established dedicated cybersecurity team
Security transformation
Phase of near-continuous cybersecurity recruitment commences (UK/Asia)
FT targeted by Syrian Electronic Army
HACKd:LDN conference
HACKd:APAC conference
Cybersecurity becomes a board priority
6. GDS
Expanding attack surface
Creative and sophisticated attacks
Well-established cyber-criminal economy
Motivated & well-funded threat actors
The worsening threat
7. GDS
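| Industry | Incidents: Large | Incidents: Small | Incidents: Unknown | Incidents: Total | Breaches: Large | Breaches: Small | Breaches: Unknown | Breaches: Total |
|---|---|---|---|---|---|---|---|---|
| Accommodation (72) | 40 | 296 | 32 | 368 | 31 | 292 | 15 | 338 |
| Administrative (56) | 7 | 15 | 11 | 33 | 5 | 12 | 1 | 18 |
| Agriculture (11) | 1 | 0 | 4 | 5 | 0 | 0 | 0 | 0 |
| Construction (23) | 2 | 11 | 10 | 23 | 0 | 5 | 5 | 10 |
| Education (61) | 42 | 26 | 224 | 292 | 30 | 15 | 56 | 101 |
| Entertainment (71) | 6 | 19 | 7,163 | 7,188 | 5 | 17 | 11 | 33 |
| Financial (52) | 74 | 74 | 450 | 598 | 39 | 52 | 55 | 146 |
| Healthcare (62) | 165 | 152 | 433 | 750 | 99 | 112 | 325 | 536 |
| Information (51) | 54 | 76 | 910 | 1,040 | 29 | 50 | 30 | 109 |
| Public (92) | 22,429 | 51 | 308 | 22,788 | 111 | 31 | 162 | 304 |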
Public sector firmly in the firing line
Verizon Data Breach Investigations Report (2018)
8. GDS
69% say their cybersecurity teams are understaffed
58% have unfilled (open) cybersecurity positions
32% say it takes 6 months or more to fill cybersecurity jobs at their organisation
29% say fewer than one-quarter of job candidates are qualified for the cybersecurity position they applied for
Wanted: qualified candidates
Nearly 40% say university graduates in cybersecurity are not prepared for the job challenges they’ll face
Skills gap not shrinking
9. GDS
The reasons are many
Representation of women in cybersecurity is a dismal 7% in the UK
Underinvestment in training and education
Technology is evolving faster than training
Cyber threats escalating at an unprecedented rate
10. But it’s not all doom and gloom
11. GDS
Celebrating our progress in the past year
| | Team | Gender | Diversity |
|---|---|---|---|
| GDS | Grown by 25 | Increase from 6% to 35% | Increase from 26% to 35% |
| Industry | 3-6 months per hire | 7% female | 12% |

* 3 open roles had been unfilled for one year just prior to me joining
21. GDS
Outsource... appropriately
Activities that align to your core business; one-time operations versus ongoing commitments
Cost to manage versus business inflexibility of relinquishing control
Use a systematic approach to vendor selection not just based on “cheapest wins”
24. GDS
Increase the candidate pool
attract people from a wider and more diverse background
set realistic expectations - some things are core, others can be learnt on the job
create pathways across government and beyond
engage with the community at conferences, events, and during recruitment
26. GDS
The importance of a good job description
A bad job description discourages large groups of people. Avoid masculine-coded language, long lists of desirable skills, and specific formal education or training (in a field with no clear standard)
27. GDS
Corporate culture and our values
Flexible working
Importance and purpose of work
Sell your benefits to the candidate
£
30. GDS
Training and development
● Have a plan to get people up to speed - 4 in 5 organisations say they can’t recruit suitably qualified staff
● The skills you need tomorrow aren’t necessarily the same as you need today
● Suitable people may already be in your organisation
31. GDS
Things that work for us
● Firebreak projects every quarter to encourage new innovation
● Internal CTFs, pairing and knowledge sharing
● Everybody rotates into our SOC and incident response team to stay sharp
33. GDS
Other government initiatives
● Cyber apprenticeships scheme
● Independent UK Cyber Security Council
● NCSC’s Cyber Schools Hubs programme in England
● CyberFirst Bursary Scheme
● Cyber Security Body of Knowledge (CyBOK)
● Centres for Doctoral Training in Cyber Security
● Cyber Discovery programme
● Cyber Girls First
35. GDS
Summary
● Technology won’t solve all your problems but it can vastly improve the situation
● Outsource appropriately using a systematic approach not solely based on cost
● Reach out to the other half of society in your recruitment campaigns
● Tap into security expertise across government
#xgov-security