‘Big Four’ professional services firm KPMG’s UK head of cyber security Martin Jordan says that he avoids job candidates who want to be hackers, as he believes the required skillset can be found elsewhere.
“I tend to avoid people who want to be a hacker, the ones that come to me and wear a big black coat and say ‘I’ve seen The Matrix and I want to be a hacker’ – the people we deal with don’t want to hear that, they want to hear about how this technical risk can impact on the Ministry of Defence, and on central government,” Jordan told Computing.
He believes that some of the best people the company has employed in the cyber security division are history graduates, architects and actuary professionals.
“Hacking is like solving a rubix cube blindfolded because you can’t see what the problem is when you’re breaking through a network. You won’t know the full extent of the network so that is just a problem solving technique. We can teach people how to ethically hack, but we can’t teach them everything [else they need] that is outside of the box, but good universities can help us along the way,” Jordan said.
In November, the head of business continuity and information security at The Economist, Vicki Gavin, said that she believed there was no cyber security skills gap, stating that there is a problem with organisations’ recruitment processes.
But partner at the information protection side of KPMG, Stephen Bonner, believes that it may be easier for an organisation of The Economist’s size to hire good professionals, but that this isn’t the case for every business.
“[KPMG] manage to find people, but our standards are high, so there are people out there we don’t take that are good, but just not good enough to do what we’re doing. But also if you’re a brand like The Economist, that’s quite different than if you’re a small industrial business located in Slough – it wouldn’t be as easy to attract the right talent,” he said.
However, he agreed with Gavin that there could be an issue with the people who manage recruitment – particularly for senior jobs like the CISO role.
“I think the real challenge is when you don’t have someone like Vicki, a CISO-type figure, and you’re a head of IT or head of finance who wants one, how do you find someone who is credible at a senior level, who understands the topic and you know safely that they know what they’re talking about?
“How do you evaluate the possible candidates? I think there is a shortage to evaluate the skills – some of the people who get these jobs aren’t very good, so it is maybe difficult for hiring managers to manage them, but my feeling is that there aren’t enough good ones out there in the first place,” he said.
Computing’s Securing Talent campaign aims to raise awareness of the growing need for people with cyber security skills in industry and government, and for clearer pathways into the cyber security profession.