Cyber security talent goes to the highest bidder

The UK is widely seen as a world leader in cyber security expertise. But as Sooraj Shah reports, it is mainly those firms with the deepest pockets that are benefiting

When former White House cyber security co-ordinator Howard Schmidt congratulated the UK government for the launch of its Cyber Security Information Partnership scheme in March 2013, he said: "What you've been able to do in two years has taken us about 17 years to do."

But while the UK has caught up with the US in some areas, is it really the world leader in cyber security that Foreign Secretary William Hague likes to claim it is?

According to the head of UK cyber security at business consultancy Deloitte, James Nunn-Price, the UK is indeed leading the way because it has more professionals with the right skills than any other country.

"The UK is seen as a leader. It is now an exporter of cyber security skills, particularly to the Middle East and some parts of Europe," he said.

Nunn-Price said demand for the UK's expertise in this area will only increase.

"World leading cyber specialists will be exported to the Middle East, Australia and Canada.

Sporting events like the Olympics will need [cyber specialists exported from the UK], and Deloitte is talking to Qatar about its World Cup project, as well as Brazil [for 2014]," he said.

However, while Deloitte sees the UK as being awash with cyber security talent, this is not the experience of all organisations, as Ovum analyst Andrew Kellett explained to Computing.

He believes that much depends on the amount a company is willing to pay to recruit the right personnel; the likes of Deloitte and PricewaterhouseCoopers (PwC) are able to pay higher salaries than many organisations, and therefore the talent pool for them - unlike other firms - is vast.

"The reality is, if an organisation is willing to pay the right amount, they will be able to get the right people," agreed McAfee CTO EMEA Raj Samani. "The bigger problem is for those that can't afford to pay that amount, which is why cyber criminals are going after SMEs."

A recent study by defence contractor Raytheon asked 1,000 US citizens aged 18 to 26 what employment incentives they looked for. Competitive pay was the third most important, after interesting work and promotion opportunities, suggesting that bigger firms may well be able to attract sought-after cyber skills by offering more money and better career opportunities.

Simon Hockridge, associate director at recruitment firm InterQuest, head hunts cyber fraud specialists for financial institutions, and he believes that financial firms are poaching talent from online gambling companies and telephony organisations with ease because of the pay packets they can offer.

Hockridge said that at the moment, the UK is just behind the US in terms of the cyber security talent available, but warned that in the long term there would be a shortage of talent in the online gambling and telephony industries as a result of financial firms swooping in to poach the brightest sparks.

Deloitte CIO Matt Peers admitted that the firm had to pay a "premium price" for cyber security specialists, and agreed with his colleague, Nunn-Price, that the UK is the place to find the best talent.

"I think people look to [the UK] to help to define best practice. ‘What does the UK do?' is one of the first questions I'm asked because people view us as wanting to take this seriously. I think [cyber security] is a new area; the skills exist but you pay a premium for them today - I think the talent pool and the UK's ability to train people is as strong as anywhere else I've seen," he said.

Meanwhile Ovum's Kellett believes the revelations by NSA whistleblower Edward Snowden may edge the UK above the US in terms of its ability to export personnel with cyber security skills.

"I suppose we're slightly less toxic than the US in terms of security expertise at the moment," he said.

However, it may not be as simple as a two-horse race between the UK and US, with China, Russia and Israel also developing their own formidable cyber security industries.

But the question remains: will all organisations - both public and private - be able to tap into these growing pools of cyber security talent, or will it only be the financial institutions that can afford to pay the big bucks that benefit?

Computing and QA Training's Securing Talent campaign aims to raise awareness of the growing need for people with cyber security skills in industry and government, and for clearer pathways into the cyber security profession.