Give put-upon infosec bods professional recognition to keep them working for you, says chartered institute

Nice ideas, if anyone adopts them

Interview As the UK infosec industry prepares for government initiatives intended to expand the sector, how should existing companies keep skilled professionals from jumping ship? Amanda Finch, CEO of the Chartered Institute of Information Security, tells us a thing or two about what she thinks works.

The institute (CIISec) bills itself as "raising the standard of professionalism in information and cyber security". Previously known as the Institute of Information Security Professionals, the organisation is one of those slightly nebulous bodies whose purpose is to improve certification and training across the industry.

"People tend to stay in roles if they are being developed," Finch tells The Register just after the institute's annual conference. "The main thing is about getting the right qualifications for the right role."

Qualifications are a minefield, and as information security digs ever more rabbit holes for professionals to fall into, there's an age-old problem: how do skilled people communicate those skills to others, especially potential new employers?

The usual answer is certifications, though there's a bewildering array of those on the market today: some are more instantly recognised than others. While Finch says CIISec doesn't endorse any one specific certification or competency framework, she speaks passionately about companies recognising their employees' talents as a tool for staff retention.

"The main thing is, is really to get a job with an organisation that actually cares about career development," she says. "If you're with an organisation that is concerned about developing staff, they'll get you on right courses for you at that particular stage in your [career] development."

As the industry expands, it's natural enough that skilled practitioners are going to be looking for new jobs and potentially starting their own businesses, or growing existing ventures. This is likely to give management teams a headache as their brightest and best start looking elsewhere – so CIISec's position is that investing in people might help companies retain experienced talent.

On top of that, the institute's work on certifications and recognising skills spans the public-private sector divide. Digital investigation is one area where the institute thinks there'll be a need for standardisation and mutual recognition of skills through qualifications, and it's hoping to roll that out more broadly over the coming months.

"One of the good things about extending the cyber digital investigator qualifications to the private sector is that it will help law enforcement," says Finch, highlighting how evidence collection "by people that have been accredited" brings benefits to those carrying out initial investigations into breaches which could lead to criminal prosecution.

For example, National Lottery operator Camelot's initial response to the deployment of black hat tool Sentry MBA against Lottery players' accounts rapidly morphed into a multi-pronged prosecution – and guilty pleas.

"Very often," continues Finch, "law enforcement have to go back to basics and do the investigation from the start themselves, because they can't trust that the evidence has been put together in a way that will stand up in court. So [the accreditation] is really important in terms of bringing [infosec and the law enforcement] communities together".

Status is important to CIISec too; people who feel the work they're doing is not only valuable but is recognised across society are people who'll stick it out for the long haul. Chartered status may help with that goal. Many reading El Reg will be familiar with the frustration of trying to convey what working in any aspect of IT means to mere end-users and consumers.

"That's really where we need to go as a profession," enthuses Finch, "is that there are routes that take you to this chartered level, so that you are measuring competency as well as education."

It all sounds like a good set of initiatives, anyway. With the infosec sector expanding and new bodies such as the UK Cyber Security Council lurching to their feet in the wake of government announcements about skills and training, there's bound to be more of this sort of thing on the horizon.

Whether all employers will care for staff upskilling and recognition is another question, however. ®
