The rise of the Cyber Security Specialist

Mary Worthington

When I started working in Information and Cyber Security three years ago, I didn’t know what cyber security was – or the effect it had on me as an individual.

That’s long in the past. Like a convert, my eyes were opened to something that affects all of us, in every aspect of our lives, in a linked-up world where the risks grow greater with every day. The reason is all around us – perhaps on the device you’re using to read this. Even compared to five years ago, we’re more connected. Many of us have a work smartphone, laptop or tablet hooked to a company network and/or cloud service.

And that’s great, if you need to access your firm’s share register on a train at 1.15am. But it can be the ultimate threat for your company’s Cyber Security team.

Why? Because the risk of a data leak has just moved from limited, controllable areas within certain highly regulated departments, to literally anyone who has access to the business’ information. That’s usually a substantial number of your workforce. Half of the worst data breaches are caused by inadvertent human error and the estimated average financial loss from a single cyber security incident is £2m. In effect, most businesses need protecting from themselves.

And the need for protection is becoming greater. In October this year, mobile network TalkTalk were handed a record £400,000 fine for a hack from 2015 which left 157,000 customers exposed. The Information Commissioner’s Office said TalkTalk had failed “when it came to the basic principles of cyber security”. TalkTalk’s reputation will take time to recover but, amazingly, they can count themselves lucky. Under soon-to-be-enforced EU regulation, fines of up to €20m (£17.6m) or 4% of global annual turnover face the worst offenders.

So… risks spread across the business; mistakes costing millions; staff blunders one of the biggest culprit for the worst offences; huge fines. Just being technically good isn’t enough anymore.

Cyber Security Specialists

In the last three years, I’ve seen a fourfold increase in recruitment for tech roles requiring cyber security, and I think we’re at the point where we can identify an entirely new class of IT employee: the ‘Cyber Security Specialist’ (CSS). 

What a CSS can do is put managing cyber risk at the top of the boardroom agenda, and change the way business is done. They can interact with and influence multiple stakeholders. They are communicators and persuaders, and ultimately educate us to all think differently about security. They might, for example, demonstrate risk by sending hoax phishing emails to staff to show how clicking on a link can open your company to huge vulnerabilities. They’ll prove technological solutions only go so far. Without a company-wide awareness of security issues – without human error reduced – the threat will always be much greater. Education and awareness among colleagues, led by a CSS, enables staff using technology to fulfil their roles successfully and safely.

Cyber security affects businesses internationally, and the shortage is not just in the UK, but worldwide. In my view, Brexit will affect this specialism less than others, since we’re dealing with something which affects every industry in a multitude of ways – whether we are in the single market or not. The shortage of candidates will also remain the same. Each country is responsible for its own training and development of new talent coming into the cyber security sector. Many roles in this space demand government security clearance. In practice, that means roles are only open to UK subjects or those who’ve lived here for five years plus.

I’m often asked: “What makes for a good CSS?” One thing clients repeatedly request is someone “passionate” about what they do. It isn’t just a career for them, but a vocation. The CSS who gets the best results will take an active interest in the area outside of work. They’ve pushed themselves to gain extra qualifications and skills; they’re active on forums and attend networking events and expositions. And luckily for them, they’re at the top of a lot of businesses’ ‘must have’ lists.

Industry leaders

Leading the way, are the financial services organisations which place data breaches at the top of their risk list. American firms are, for the moment, at the forefront. They’re frequently looking to emulate best practice developed in the US, whereas UK companies are swiftly growing their own expertise.

One UK high street financial services client is right now aiming to recruit no fewer than 50 CSS staff – putting them and their expertise at the heart of their risk management strategy.

Next are service providers like mobile networks or energy; those who hold and operate customer data as a by-product of their core service.

Then there are retailers, who historically would not have routinely collected customer data but with the advent of online shopping are moving to a hybrid shopping experience.

Each has their own requirements and priorities. The opportunities for the right candidate are obvious. As a recruitment specialist, it’s an exciting time to be in the cyber space.

Mary Worthington is Senior Information and Cyber Security Specialist at Sanderson Recruitment