"significant shortage of people in the UK to fill all the roles"
Well, we'll just have to bring them in from Ukraine and Russia...
Former state monopoly BT is on the hunt for 900 security bods to help it meet the "surge" in customer demand for those skills, following a number of high-profile security and data breaches. The biz currently employs more than 2,500 security folk and reckons its security operations' annual revenues are growing at a double-digit …
Particularly since BT seem to be responsible for their own share of blunders. Take this for example:
https://www.theguardian.com/technology/2011/feb/01/ico-bt-acslaw
(link found here)
Funny how the ICO dare to attack BT so rarely...
Train them in-house! Just like big companies used to do.
In fact, if the concept of forward planning still exists, they should have begun training them years ago to be ready for today's demand. Plenty of people were predicting growing demand for such skills a few years ago.
Train them in-house! Just like big companies used to do.
Umm, TFA says:
"To meet the growing global demand for cybersecurity services and address the skills shortage in the sector, BT expects to take on and train 170 graduates and apprentices, as part of its 900 recruitment intake in the next 12 months," said the company.
But they won't. BT used to have quite a good in-house M.Sc. in telecommunications, provided and checked by UCL. It ran for at least 15 years to my knowledge. They binned it about six years ago because it wasn't 'cost effective'. I doubt that they would suddenly find the merits of in-house training. A few training 'courses' on security to look good on paper, no more I guess.
I personally also get the impression sometimes that there is a fear of saying anything unpopular within BT.
Just look at Bruce Schneier: widely respected by his peers, but oddly silent on the subject of Phorm and the ethical situation during the time he spent with BT.
That would have been a great idea except for that's not the way corporates work.
Back then it would have been a cost-center which means cutting manglement bonuses and not returning shareholder value. (I have no idea if BT is publicly traded and I'm too arsed to find out but this is general corporate talk.)
Now that customers are screaming and willing to pay, it will be a profit-center so they go trolling for the lowest cost employees to fill that desk.
It's probably the cynic in me talking again, but my experience with "infosec experts" has been pretty mixed. I assume they're looking for actual talent. My experiences have been that some security people are simply there for security theatre -- PowerPoint jockeys from consulting firms, PCI auditor box-tickers, and so on. I don't blame them, security is a very lucrative IT subspecialty that's very easy to ride along on without doing too much.
If they (and GCHQ and the CIA/NSA) are looking for real experts, that's going to be the tricky part. The real experts aren't cheap, and most of them don't want to work for a telecom company or government agency. Especially the CIA/NSA -- someone would really have to love their country to accept the low pay and invasive background checks required. Then again, government positions may be the only stable jobs left 10 years from now, who knows?
Why would literally anybody want to work for these idiots?
BT couldn't build a telco network if the government paid them (oh, wait) - couldn't internet their way out of a paper bag, one might say (no, really, why doesn't every house in the country have FTTH for the money the taxpayer has thrown at them?).
GCHQ - the clowns more interested in looking at your cat pictures than finding terrorists.
Yeah, no kidding they are having an issue recruiting. Everybody who knows about this stuff: GCHQ makes their skin crawl. We had this gem like 2 weeks ago which demonstrates exactly what is happening here:
The people who lobbied me hardest for independent authorisation, something that really passes muster internationally, is the intelligence agencies. It’s partly a question of recruitment for them
Problem is they don't do as they say and go do comint properly and that's the real issue here.
The trouble with infosec jobs is that, on the whole, they're deadly dull most of the time - procedures, policy and procurement; audit, archive and architecture. They need people who would be as happy in accountancy as IT. However you dress it up, however much you pay, the number of candidates is always going to be limited.
And while you obviously need staff to deal with the human aspects of information security, it's not clear to me why users should be paying security people to put sticking plasters on the broken IT equipment they're buying. If the manufacturers put more emphasis on the more exciting work of demonstrating how hackable their systems are - and then fixing them - then perhaps there would be enough people around to deal with security admin.
Having dealt with lots of Infosec peeps, the deadly dull ones are preferable. The other sort treat everyone as idiots, bang on about the unlikeliest of attacks and generally p*ss everyone off. You might as well pull all your comms out, burn the cables and not turn on the computers according to their genius.
One InfoSec 'professional' wanted all IT deliveries (this was for a £90 million project for a defence prime) sent to his 2 room office so he could check the seals weren't broken on delivery, otherwise he'd refuse to sign off the infrastructure as someone could've re-written the flash on the switches etc., etc. Oh, and we were banned from printers because, well, I can't remember, the exploit was like something from Dungeons and Dragons...
"You might as well pull all your comms out, burn the cables and not turn on the computers according to their genius."
Well - a reasonable security starting point is to consider that the only secure computer is one with no network connection, placed in a room that you have the only key to.
That's clearly impractical but it's useful to keep in mind. It's not unreasonable to consider how well your proposed security measures measure up against the ideal.
>>That's clearly impractical but it's useful to keep in mind. It's not unreasonable to consider how well your proposed security measures measure up against the ideal.
Nope a reasonable security starting point is one which keeps the lights on and the business running. An Infosec bod will tell you how any security can be got around, usually with a highly trained (eastern European / China) gerbil.
So it's not just unreasonable but unrealistic. That's why ALARP was invented for H&S to bring common sense to risk.
Given the nature of some of the systems currently connected through the Internet, 'cybersecurity' is unfixable and it's going to get much much worse in the future. Especially considering the role of such organizations as GCHQ is to dilute security not to enhance it.
Really? And how many of the high profile leaks from the likes of TalkTalk, Panamanian law firms, Snowden and so on have been down to security problems in Windows? Most of these are down to lax application designs, security procedures or the perennial problem of exposure to staff with privileged access to data.
To limit this to high profile leaks is disingenuous and you know it.
MS security issues are responsible for the daily intrusions of privacy / identity theft / DoS botnets that allow hackers, as well as the security services, to make careers out of them.