UK companies admit they are considering turning to ex-hackers in a bid to stay one step ahead of cyber criminals, according to the latest research from KPMG.
KPMG surveyed 300 senior IT and HR professionals in organisations employing 500-plus staff to assess how the corporate world is ‘skilling-up’ to protect itself against cyber security breaches. The survey revealed that many companies are becoming increasingly desperate as they struggle to get the right people on board.
Nearly three quarters (74 percent) say they are facing new cyber security challenges which demand new cyber skills. For example, 70 percent admit their organisation ‘lacks data protection and privacy expertise’. The same proportions are also wary about their organisation’s ability to assess incoming threats.
The majority are candid enough to admit that the shortfall exists because the skills needed to combat the cyber threat are different to those required for conventional IT security. In particular 60 percent are worried about finding cyber experts who can effectively communicate with the business – vital to ensuring that cyber threat is well understood by corporate leaders outside the IT department.
While 60 percent claim to have a strategy to deal with any skills gaps, it is clear that there is a short supply of people with all the relevant skills. 57 percent agree it has become more difficult to retain staff in specialised cyber skills in the past two years. The same number say the churn rate is higher in cyber than for IT skills and 52 percent agree there is aggressive headhunting in this field.
According to KPMG’s research, the skills gap is forcing many companies to consider turning to ‘poachers turned game-keepers’ to keep up to speed. 53 percent of respondents say they would consider using a hacker to bring inside information to their security teams. Just over half ( 52 percent) would also consider recruiting an expert even if they had a previous criminal record.
Commenting on the findings Serena Gonsalves-Fersch, head of KPMG’s Cyber Security Academy, says: “The increasing awareness of the cyber threat means the majority of UK companies are clear on their strategy for dealing with any skills gaps. However, they wouldn’t hire pickpockets to be security guards, so the fact that companies are considering former hackers as recruits clearly shows how desperate they are to stay ahead of the game. With such an unwise choice on the menu, it’s encouraging to see other options on the table.
“Rather than relying on hackers to share their secrets, or throwing money at off the shelf programmes that quickly become out of date, UK companies need to take stock of their cyber defence capabilities and act on the gaps that are specific to their own security needs. It is important to have the technical expertise, but it is just as important to translate that into the business environment in a language the senior management can understand and respond to.”
The research comes as KPMG launches a new cyber awareness programme, offering cyber Learning content across the organisation, from C-suites to graduates. It also includes a ‘bridging course’ designed to help IT and business departments understand the language and risks presented by cyber threats.
- ENDS -
KPMG Press Office
Mike Petrook, KPMG Press Office
T: +44 (0)20 7311 5271
M: +44 (0)7917 384576
KPMG Press Office: +44 (0) 207 694 8773
Notes to editors:
KPMG LLP, a UK limited liability partnership, is a subsidiary of KPMG Europe LLP and operates from 22 offices across the UK with over 12,000 partners and staff. The UK firm recorded a turnover of £1.8 billion in the year ended September 2012. KPMG is a global network of professional firms providing Audit, Tax, and Advisory services. We operate in 156 countries and have 152,000 professionals working in member firms around the world. The independent member firms of the KPMG network are affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. KPMG International provides no client services.
About the research
The research was conducted in October 2014 amongst 300 IT and HR c-suite executives. Participants were from organisations ranging in size from 500 to 10,000 employees.