Interview As the UK infosec industry prepares for government initiatives intended to expand the sector, how should existing companies keep skilled professionals from jumping ship? Amanda Finch, CEO of the Chartered Institute of Information Security, tells us a thing or two about what she thinks works.
The institute (CIISec) bills itself as "raising the standard of professionalism in information and cyber security". Previously known as the Institute of Information Security Professionals, the organisation is one of those slightly nebulous bodies whose purpose is to improve certification and training across the industry.
"People tend to stay in roles if they are being developed," Finch tells The Register just after the institute's annual conference. "The main thing is about getting the right qualifications for the right role."
Qualifications are a minefield, and as information security digs ever more rabbit holes for professionals to fall into, there's an age-old problem: how do skilled people communicate those skills to others, especially potential new employers?
The usual answer is certifications, though there's a bewildering array of those on the market today: some are more instantly recognised than others. While Finch says CIISec doesn't endorse any one specific certification or competency framework, she speaks passionately about companies recognising their employees' talents as a tool for staff retention.
"The main thing is, is really to get a job with an organisation that actually cares about career development," she says. "If you're with an organisation that is concerned about developing staff, they'll get you on right courses for you at that particular stage in your [career] development."
As the industry expands, it's natural enough that skilled practitioners are going to be looking for new jobs and potentially starting their own businesses, or growing existing ventures. This is likely to give management teams a headache as their brightest and best start looking elsewhere – so CIISec's position is that investing in people might help companies retain experienced talent.
On top of that, the institute's work on certifications and recognising skills spreads the public-private sector divide. Digital investigation is one area where the institute thinks there'll be a need for standardisation and mutual recognition of skills through qualifications, and it's hoping to roll that out more broadly over the coming months.
"One of the good things about extending the cyber digital investigator qualifications to the private sector is that it will help law enforcement," says Finch, highlighting how evidence collection "by people that have been accredited" brings benefits to those carrying out initial investigations into breaches which could lead to criminal prosecution.
For example, National Lottery operator Camelot's initial response to the deployment of black hat tool Sentry MBA against Lottery players' accounts rapidly morphed into a multi-pronged prosecution – and guilty pleas.
"Very often," continues Finch, "law enforcement have to go back to basics and do the investigation from from the start themselves, because they can't trust that the evidence has been put together in a way that will stand up in court. So [the accreditation] is really important in terms of bringing [infosec and the law enforcement] communities together".
- Burn baby burn, infosec inferno: Just 21% of security pros haven't considered quitting their current job
- Global pandemic was good for business, say UK infosec pros – but we're still burning out
- Emails, chat logs, more leaked online from far-right militia linked to US Capitol riot
- Two Northern Irish cops face Computer Misuse Act charges over Twitter trolling campaign
Status is important to CIISec too; people who feel the work they're doing is not only valuable but is recognised across society are people who'll stick it out for the long haul. Chartered status may help with that goal. Many reading El Reg will be familiar with the frustration of trying to convey what working in any aspect of IT means to mere end-users and consumers.
"That's really where we need to go as a profession," enthuses Finch, "is that there are routes that take you to this chartered level, so that you are measuring competency as well as education."
It all sounds like a good set of initiatives, anyway. With the infosec sector expanding and new bodies such as the UK Cyber Security Council lurching to their feet in the wake of government announcements about skills and training, there's bound to be more of this sort of thing on the horizon.
Whether all employers will care for staff upskilling and recognition is another question, however. ®