Skills shortage tears holes in government security

Government IT departments are struggling to find enough cyber-security experts to work in Whitehall.

The government has higher security standards than most private companies because of the sensitive data it handles, especially when it comes to defence and health. Government websites are also constantly under attack from malware and other internet threats – which are increasingly waved through because they look so innocuous.

Rashmi Knowles, chief security architect at RSA, a company whose password identification software is used by Britain, says governments should assume they are under attack all the time. “The government is always facing incidents on the network but it doesn’t have the resources to investigate them properly,” he says.

Surprisingly, Knowles’s answer is not to outsource cyber-security to the private sector. Rather, too much analysis is done by hand, and government needs to do more data analysis automatically. Increased automisation would free up employees to look at the top 10 per cent of networks “incidents” – traffic spikes or data pulses out of the norm. Monitoring is key, she says, to recognising things out of the ordinary.

Knowles says: “Security is about three things – people, process and technology. By technology I mean educating citizens about their own security behaviour, while process is about having the right security procedures in place – not taking data out of the building on a lose-able USB stick, for example.”

Knowles suggests not throwing more money at cyber-security, but spending budgets differently. Most government cyber-security budgets are spent on prevention, with just 10 per cent each on monitoring and response such as installing a preventative patch or notifying citizens of data theft. Knowles suggests the money be split equally.

Sarah Lawson, head of IT and information security at the National Perinatal Epidemiology Unit, says cyber-security as a profession may appeal more to women because it plays to their strengths. Only 20 per cent of her time is spent on tech issues, she says – the rest on communicating security issues and training people. “The role plays to a woman’s strength of being able to think and communicate strategically,” says Lawson.

Private companies face a similar shortage. Symantec’s Ilias Chantzos says: “The skills problem runs across the board – it’s not limited to government. These are sought-after skills. Everybody knows we need more cyber-security experts.”

GDS admits it faces skills shortages alongside everybody else. “All companies are facing skills shortages in this area. What government can do is make this an attractive career with different routes down a digital career path,” says GDS boss Mike Bracken.