More than half of UK firms would consider hiring a hacker or someone with a criminal record to ensure they can deal with cyber security threats in the face of a cyber-skills crisis, a survey from ‘Big Four’ professional services firm KPMG has found.
KPMG surveyed 300 senior IT and HR professionals in organisations employing 500-plus staff in an attempt to find out how enterprises are acquiring cyber skills. It found that many firms are becoming “increasingly desperate” as they struggle to get the right people on board.
Nearly three-quarters (74 per cent) say they are facing new cyber security challenges that demand skills they don’t already have in-house. For example, 70 per cent admit that their organisation lacks data protection and privacy expertise. Meanwhile, 70 per cent of the firms surveyed said that they were wary about their organisation’s ability to assess incoming threats.
A key concern for 60 per cent of respondents was a shortage of cyber experts who can communicate effectively with the business.
But while there may be a skills shortage at a large number of companies, many firms (60 per cent) state that they have a strategy to deal with any skills gaps. Over half (57 per cent) say that it has become more difficult to retain staff with specialised cyber skills in the past two years. The same percentage of respondents said that the churn rate is higher in cyber security than it is for other IT skills, while 52 per cent said that there is aggressive head-hunting in this field.
To combat many of the challenges companies are facing with cyber security, 53 per cent of respondents say they would consider using a hacker to bring inside information to their security teams. Just over half (52 per cent) would also consider recruiting an expert even if they had a previous criminal record.
Serena Gonsalves-Fersch, head of KPMG’s Cyber Security Academy, said the fact that companies are turning to hackers or people with a criminal record shows how bad the skills crisis must be.
“They wouldn’t hire pickpockets to be security guards, so the fact that companies are considering former hackers as recruits clearly shows how desperate they are to stay ahead of the game. With such an unwise choice on the menu, it’s encouraging to see other options on the table,” she stated.
She urged companies to not only focus on technical expertise when recruiting but also on hiring people who can communicate technical issues to senior business leaders.
“Rather than relying on hackers to share their secrets, or throwing money at off-the-shelf programmes that quickly become out of date, UK companies need to take stock of their cyber defence capabilities and act on the gaps that are specific to their own security needs. It is important to have the technical expertise, but it is just as important to translate that into the business environment in a language the senior management can understand and respond to,” she said.
In January, KPMG’s UK head of cyber security Martin Jordan told Computing that he avoids job candidates who want to be hackers, as he believes the required skillset can be found elsewhere.