Mind The Gap
As the cyber threat continues to grow so does the gap between the number of security experts the world needs and those it has. Some want to hire hackers, but in maritime we aren’t hiring anyone.
If you’ve been to London and taken the underground you might be familiar with the jolly yellow writing at the platform edge and the pulchritudinous, disembodied female voice exhorting passengers to ‘mind the gap’. It does depend which part of the tube you’re using; you won’t find it at more modern tube stations because it’s a hangover from those which were designed and built in the nineteenth or early twentieth century. Before health and safety or disabled access were even a glint in a bureaucrat’s eye.
Responding to changing consumer requirements and regulation is fundamental to any successful business, but many struggle to identify where things like accessibility can be improved. That’s where the insight of the disabled, who have to use these facilities day to day, can be unbeatable. In short, it’s difficult to appreciate how accessible something is if you’ve never been anything but able bodied.
Many believe—particularly in the maritime industry—that there’s no substitute for experience. But how far does that extend? Would you, for example, be prepared to employ a hacker?
That’s precisely the question KPMG asked 300 senior UK IT and HR professionals late last year, and their response may surprise you. At 53 per cent, more than half of respondents said they would consider using a hacker to bring inside information to their security teams. A similar proportion said they would also consider recruiting an expert even if that person had a previous criminal record.
If you’re astonished by that then you aren’t alone, but if you’re in IT or HR you shouldn’t be. There are good reasons why companies are prepared to resort to pretty desperate measures, and the IT industry has been warning about them for some time.
There has been a steadily increasing gap opening up between the need for skilled computer security experts, and the supply. By 2017 that shortfall is going to have reached around two million. The majority of companies interviewed by KPMG claim the shortfall exists because the skills needed to combat the cyber threat are different to those required for conventional IT security. Nearly three-quarters of respondents said they were facing new cyber security challenges which demanded new cyber skills. For example, 70 per cent admitted their organisation “lacks data protection and privacy expertise” and were doubtful about their organisation’s ability to assess incoming threats.
While 60 per cent claim to have a strategy to deal with any skills gaps, KPMG said the research makes it clear that there is a short supply of people with all the relevant skills. And even if you can find these people, according to the survey, 57 per cent of respondents said it has become more difficult to retain staff with specialised cyber skills in the past two years. The churn rate is noticeably higher in cyber security than for IT skills and companies complain that there is aggressive headhunting.
Following close on the KPMG survey came the global view of IT association ISACA (formerly known as the Information Systems Audit and Control Association) whose January 2015 survey of its more than 3400 members in 129 countries found that 86 per cent believed there was a cyber security skills shortage. ISACA’s 2015 Global Cyber security Status Report also found 92 per cent of companies looking at hiring a cyber security professional this year say it will be difficult to find skilled candidates.
“As the world grapples simultaneously with escalating cyber attacks and a growing skills shortage, ISACA believes that it is absolutely essential to develop and train a robust cyber security workforce,” said Robert E Stroud, of ISACA.
Governments around the world agree, with the UK actively seeking solutions as part of its drive to improve industry cyber security, and the US Senate recently passing the cyber security skills shortages bill. Maritime hub Singapore believes that its ability to combat the cyber threat is being hampered by a skills shortage and a lack of awareness amongst companies about the skills they need to be recruiting.
“Organisations increasingly recognize that the approach toward cyber security must be organization-wide,” said Lyon Poh, head of IT Assurance and Security at KPMG LLP in Singapore. “However, they lack people with the experience to set up a comprehensive cyber security defence system to promptly detect and respond to cyber threats.”
According to a Bloomberg report the number of cyber security professionals in Singapore fell to 1,200 last year from 1,500 in 2012, representing just 0.8 percent of the city’s total information technology workforce. Singapore’s response has been a centre of excellence created in collaboration with cyber security firm FireEye, and Singapore’s Infocomm Development Authority, which trains cyber security professionals and develops malware detection and prevention.
“Many times we try to explain to customers in terms of what is happening in the real world,” said Stephanie Boo, FireEye’s regional director for Southeast Asia. Customers sometimes say “this sounds really very much like a Hollywood movie plot.”
If you’re planning on hiring hackers then perhaps the movie in question should be ‘To Catch a Thief’, although most black-hat hackers are no Grace Kelly. But in maritime we aren’t hiring hackers. We don’t appear to be hiring anyone at all.
A search of all the multitude of maritime job sites, recruiters and publications online doesn’t turn up even one vacancy for computer or IT security professionals or consultants in the shipping or maritime industry in the entire world. The only IT related job we could find was for a Master Data specialist on a temporary contract. In fact the vast majority of online searches don’t even include ‘IT’ as a search category, let alone the more specialised cyber security. Similarly our enquiries to maritime recruitment organisations came up empty, as did enquiries to the largest ship owners and operators in the industry who blanket refused to discuss cyber security at all.
There is an interesting blog article on a website called JobSecurity which is geared towards job seekers who have previously worked in the military or physical security. According to the site, maritime cyber security is becoming a ‘new, niche job market’. “Specialised knowledge is key,” it asserts, “and as maritime cyber security is increasingly acknowledged, the career opportunities are sure to follow.”
Clicking on the link to search for maritime cyber security jobs, however, pulls up zero results. Gathering any more information about where these jobs might be from JobSecurity is a dead end, unfortunately. A message on the website informs visitors that ‘JobSecurity is currently in a state of indefinite hibernation.’
Which is pretty much the state shipping and maritime recruitment and HR appears to be in too. The industry is going to need these people sooner rather than later, but at the moment we aren’t only not recruiting them, we aren’t even engaging with them. At the very least recruiters and HR need to be using their social media footprints to reach out to these communities, because the industry is going to have a very tough time competing for their attention as their scarcity and value increase.
As one large maritime insurer recently told a shipping audience, in cyber security terms relying on luck and a lack of motivation could well constitute gross negligence. It’s hard to find any evidence that shipping and maritime isn’t doing just that.
So when it comes to criminal behaviour, the hackers may have nothing on us.
Images credit © Getty Images; Paramount Pictures
This article appeared in the January 2015 issue of Futurenautics.