Will a cyber security ambassador help the security industry after Brexit?
The appointment of Henry Pearson to the Department for International Trade provoked a lot of debate among security friends and colleagues, namely do we need a cybersecurity ambassador?
If you take the conversation we had in the office, it wasn’t a quick answer. Far from it. We discussed skills, innovation, competition. But there was an agreement that it doesn’t matter which way you look at it, Britain needs to create new export channels, and hit the well-publicised 40 trade deals ahead of Brexit. We can see why cybersecurity is a prime candidate for the strategy – the Government certainly has high hopes anticipating we will be exporting £2.6bn of UK cyber security by 2021.
Studying the UK’s Cyber Security Export Strategy, the DIT is planning on acting as “trusted advisor to support UK companies bidding for major opportunities, primarily selling to overseas governments and Critical National Infrastructure (CNI) providers.”
It makes sense to help companies get a foot in the door with the appointment of a cybersecurity ambassador. It’s acknowledgement that it won’t be easy and that the appointment is necessary to provide more confidence to UK organisations bidding on large overseas government contacts. Government liaison would be highly advantageous in these scenarios.
That said, the overall strategy is ambitious, and I think it could be quite a challenge when you look at how the market is made up. The vast majority of UK headquartered cybersecurity companies are service providers, rather than vendors and a UK headquartered service company is always going to focus on its domestic market first or even solely.
Priority markets pinpointed by the plan are the Gulf, Singapore and India. It makes perfect sense. As a global firm we too see the opportunities in these burgeoning markets.
But, dare I say it, competing for services in far-away countries is invariably going to result in more expensive sales, lower win rates and incur the challenges of operating competitive service models versus local providers. It could put companies off trying so perhaps an ambassador to open doors is a good thing.
But I also suspect that somewhere in this plan there’s the Government’s intention to keep home grown unicorns in Britain, and ensure we still compete against the Silicon Valley darlings post Brexit.
However, we can’t run away from the fact that while we have some security vendors headquartered and founded in the UK, for the most part these are organisations that have relatively small market capitalisations and when they do become successful they tend to be acquired by major US based vendors.
Israel and Silicon Valley on the other hand are renowned technology innovators and developers. They are traditionally not focused on services, although the shift to cyber security services based in the cloud is changing this notion.
It’s therefore difficult to see how the majority of companies could benefit from the ambassador in the short-term. Certainly, it will be hard to be recognised as world leading in the target territories, especially if you have well-established local competitors to deal with.
Leadership is needed
And of course, defining what we mean by being a leader is also up for debate. In terms of the work GCHQ does, then absolutely it can’t be beaten. But no-one knows whether that position will remain when Brexit happens, in fact I place real doubt on it being maintained. That could put this strategy under strain.
Currently GCHQ and European counterparts have a superlative approach to sharing intel. My European colleagues categorically tell me it’s an essential process and they are extremely concerned about what will happen when the UK leaves the EU. Our ability to keep up with the latest attack vectors will significantly diminish. If this scenario plays out, then it will of course have a knock-on effect to the way UK companies can operate.
It leaves me cold, and so too does the way precious skill will be undermined. Applications from European citizens to the UK industry are down, and they are also down from non-EU as the uncertainty on our immigration stance rages on. Currently 13 per cent of the world’s security expertise resides in UK and that still leaves us with a deficit.
What concerns me the most is that we don’t have enough new blood coming into the industry. In fact, a poll we ran at Radware showed that millennials aren’t interested in security as a career despite recognising data security is a blight on their generation. Perhaps its seen as a daily fight and a dirty job, rather than the innovative and exciting one it really is.
Much has been said about neurodiversity and it’s heartening to see the shift towards a more open-minded approach to recruitment and a broader recruitment model. We know that neurodiverse hackers remove cognitive blind spots from a team and allow atypical thinkers the ability to see and identity what others have overlooked.
Adversaries like cybercriminals often recruit hackers that hyper-focus on specific skills in a bid to improve their overall operation. The same should apply to corporations. The scale and complexity of today’s cyber threat requires a highly specialised and skilled employee, regardless of their personality type. Lots of companies are using personality testing to find cyber security specialists but they aren’t relevant for every position and could screen out excellent candidates.
Not only do we need diverse candidates but we also need skills diversity. In addition to standard software coding we now need skills in machine learning and neural networks, data scientists with skills in AI, data mining and data lakes. Since security is no longer a puzzle with the right answer, we need skills in sorting through millions of clues to see patterns of bad actors otherwise invisible.
We also need leadership – people who have the skill to develop strategy, deliver real innovation in service models not just technology, and those who can spot trends and capitalise on them.
You can now see how far reaching the debate in the office was. And that the way to fix the future for our industry after Brexit isn’t about any one thing or person. It’s also about having the skills to support it, the innovation behind it, the encouragement and right economic conditions to invest, and, if we are to look overseas, the confidence that it’s worth it. Henry Pearson has his work cut out.