Cyber security skills gap: 'Pay more and the problem will go away,' says Reuters IT security chief
Get a bigger chequebook to show you're taking it seriously, suggests Boura
The IT security "skills gap" could quickly be narrowed by simply paying security staff more, according to Thomson Reuters' senior information security architect, Andy Boura, speaking on a panel at Computing's Enterprise Security and Risk Management 2015 summit yesterday.
Furthermore, he argued, organisations could - indeed, should - help ordinary IT staff to upskill so that they can shift into IT security, removing the need for organisations to get the security skills they need by recruiting so-called black hats.
When asked whether he would be prepared to hire black hats from the security industry, Boura was firm.
"How can you ever really be sure they've reformed? My reaction would be 'no'," he replied.
"The real issue," he said, "is there's a shortage of budget to pay people what you need to pay them to attract them, and to attract people in other industries.
"People want information-security architects, but they're offering salaries you get as software architects. To get top information-security architects you need to tempt software architects to transition into an unknown field and gain additional skills, and yet you're not necessarily prepared to pay them. So it's no surprise we don't have enough people in that field.
"I think people need to get a bigger chequebook, and the problem will go away."
Boura said he accepted this argument may be "difficult to swallow" when many hiring bosses are already "shocked" at the price of security professionals.
As regards hiring black hats, Boura said he could imagine taking a "case by case" approach depending on the candidate's suitability for certain tasks, with an emphasis on keeping them hands-off from the business.
"There are times when people with the right skills could work out. For example, in threat intelligence, a black hat could offer knowledge and advice," he said.
"You don't have to trust them. If they give insight into how things work and can share it, that doesn't expose you to risk, and we'd be foolish not to accept their words."
But as for hiring black hats for more hands-on tasks, such as penetration tests:
"This is someone who will be sat on your network, probing your systems and at the end of it they can see lots of vulnerabilities in those systems - that's a very different proposition," said Boura. "So I think we need to use judgement."
Tarun Samtani, IS architect at Ebuyer, also speaking on the panel, added: "I think I'd be surprised if a black hat wanted to join us - there are so many things they can do on the wrong side of the fence that we can't - I can't see them being interested in joining 'the good side'."
He concluded that he personally doesn't "see many positives" in taking on black hats.