Why the private sector is poaching cyber security experts from the public sector

Simon Kouttis, head of cyber security practice at executive search firm Stott & May, explains why businesses are recruiting infosec talent from government

Recent high-profile data breaches, including Sony Pictures, Ashley Madison, and JP Morgan, led to huge financial loss, claimed the heads of senior executives, damaged the public standing of these companies, and have ultimately elevated cyber security to the top of the boardroom agenda.

The result is an increased demand for cyber security expertise, which is in short supply. Part of this can be attributed to a lack of STEM skills nationwide: while these courses are well-funded (and more students are enrolling every year), universities are still not producing enough business-ready graduates to satisfy the rapidly expanding demand for cyber security skills. Longer term, governments and schools should do more to approach this problem from Key Stage through to college and A-Level. To treat STEM - and computer science in particular - as a priority subject from an early stage is imperative.

In the interim, however, companies are looking at industry to find the skills they need, but this takes time. And with so many companies competing for the same candidates, this can be difficult and expensive. In the immediate future, and until it is built into the curriculum, companies must look elsewhere to find the candidates they need.

Public sector poaching

Over the last year, we have seen a large number of candidates making the move from public sector to private. High-profile "defections" include Andy Archibald of the National Cyber Crime Unit, who previously spent 31 years in law enforcement.

What makes these candidates so suitable? Why are cyber analysts from the public sector being hired for private sector cyber security roles?

Unique skillsets

Hackers are becoming more sophisticated, which means companies are having to respond to stay one step ahead. They are now looking to build a more robust, multi-layered security capability, which consists of an incident response function complete with analytics and threat intelligence.

The public sector is a hotbed for developing cyber security skills. It has always invested heavily in training and development; there is a structured career progression so in a very short period of time it produces very highly skilled cyber security professionals. Such skills are nurtured through experience and military personnel are trained on the tools and techniques, which are universally transferable in industry.

So while military personnel may lack corporate experience, they have a very solid foundation and an education that is unparalleled in conventional routes. This makes them very attractive targets for private companies looking for the latest cyber security talent. Not to mention the fact it is much more costly for a bank to poach from their competition.

How to attract public sector personnel

Salaries in the public sector are not comparable to what's on offer in the private sector, which is naturally a big draw for those looking to make the move. An analyst in the public sector, for example, will typically earn £35,000, but in the private sector the same position will command twice that. But it is not just money that motivates public service personnel. The private sector is investing heavily in the most cutting-edge technology and techniques; they offer a diverse, interesting office environment; and a much-improved work-life balance.

The cyber threat is more prominent than ever and a major consideration for most boardrooms across the globe. The fact is the skills gap is widening as there are just not enough people to do the job in hand. While there are, of course, downsides to "public sector poaching" (these hires will typically have a 12-18 month notice period), on the whole, investing in ex-government and former military workers is a very smart - and cost-effective - way to bridge the widening cyber security skills gap. You just need to access them.

Simon Kouttis is head of cyber security practice at executive search firm Stott & May
