When a cyber criminal launches an attack against an organisation, the level of disruption and damage it causes is dependent upon two things: the strength of defences and the quality and speed of the response.
Complacency, ignorance and delay can be incredibly costly, which is why it’s crucial that staff with specialist knowledge are in place at every college, university and research centre in the UK. That’s easier said than done, though – the UK has a significant cyber skills gap and education providers find it hard to compete for experienced staff with usually richer private businesses.
Now, post-pandemic, there’s also a danger that education providers that don’t adopt flexible working policies will be less attractive as employers.
Security landscape
Jisc’s cyber security posture survey over the past four years has indicated an increase in the recruitment of specialist security staff. However, the spate of ransomware attacks hitting the sector highlights that having skilled and experienced IT and security staff in place is more important than ever. While we know the security picture across tertiary education is improving it is not yet uniformly strong. Having experienced IT and security staff in place is crucial to build that strength.
For example, one institution invested heavily in an expensive, top-spec firewall, but staff did not know how to configure it correctly, which meant the firewall was useless in stopping attacks. This story reflects the government’s cyber skills gap report 2021, which notes that the areas where skill gaps are most prevalent are in setting up configured firewalls, storing or transferring personal data and detecting and removing malware.
Conversely, a college with staff alert to the risks and who were properly monitoring their network noticed a potential problem and quickly contacted Jisc CSIRT for advice. The attacker was already in their system but slow to act. Working with CSIRT, the college team was afforded a critical time window to successfully shut down the attack before it could spread.
I’m confident that most senior leaders in the sector understand the threat level and agree that cyber security should be a strategic priority. However, at a minority of organisations there is a mismatch between the expectation of senior managers and the technical ability of IT/security staff. This puts the sector at risk. Lack of skills seems to be more of a problem among smaller providers, where security is less likely to be a specific, specialist role.
The cyber skills deficit is almost certainly more pronounced in the public sector than in commercial businesses, as our own recruiting experience demonstrates. As we’ve developed new services in response to sector demand, we’ve needed to expand our security team, but it’s been difficult to attract and retain staff, when salaries in the private sector are so much higher. Our operational security roles are remote, however, so we have been able to recruit skilled staff from across the UK.
Recruiting for cyber skills in the new normal
Colleges and universities face similar issues. Home Counties and London education institutions are at a particular disadvantage. For example, Stuart Brown, director of digital technology services at the University of Reading, describes recruitment as a “nightmare” because of the high demand for skills coupled with the limited ability to compete with packages offered by the private sector.
Some providers have found a way around the problem. Jim Nottingham, chief Information officer at the University of the Arts, London, reports that the IT department has adopted technology to allow continued remote working, which is helping to retain staff since some of them are saving thousands in season tickets. “The move is also enabling me to recruit more aggressively” Jim adds.
The University of Hertfordshire is taking a hybrid approach. Chief information officer David Ford says it isn’t ideal: “Anyone who doesn’t need to be on campus for specific tasks can work at home, but nobody will have a home-working contract, so we can’t recruit someone from Scotland who has no intention of moving down to us.”
David worries the university is potentially missing out on the chance to recruit good people. “I lost a couple of people this year to London universities that said they could work from home, which was ideal for them because they got the London salary without the cost of commuting, “ he says. “Other sectors that are more agile are going to start taking people and we are all going to miss out.”
A King’s College London move was successful in terms of recruitment pre-pandemic, but is not working so well now it has switched to a hybrid model. Six years ago the university set up an office in Cornwall for a number of roles, including the IT service desk. This meant that the university was able to recruit better, more experienced staff, making the service desk better and offering valuable employment in the region.
Now, post-pandemic, King’s has taken a hybrid route, and everyone is expected to be in the office at least some of the time. This is different to the post-pandemic fully remote expectations of the IT industry, where many more jobs are advertised as home based, with only occasional visits to the office.
“We’ve already lost a few staff from our Cornwall office who’ve gone to remote roles for more money,” director of IT innovation Trevor Baxter reports. The shift to remote contracts in the industry in general means the pool of workers available to flexible employers has widened and universities may be in competition with education providers and private companies everywhere.
“The concern now is that we may struggle to recruit and retain, and if we do find staff we may struggle with the level of experience of those staff, “ says Trevor “How do we convince our universities that some staff working remotely could benefit them and is not adding unfairness on those whose roles must be on site?”
Emma Woodcock, chief information officer at York St John University, may have an answer. The university has identified a range of professional services that are not required to be 100 per cent face-to-face and supported them with technology to continue to work remotely.
“This group of people, including IT staff, are part of a formal pilot to develop new ways of working,” Emma explains. Existing contracts remain unchanged, but new policies and workplace etiquette are being trialed with staff feeding back at regular intervals on how well the pilot is going.
“Since the pilot began, I have employed people from Scotland and Reading and it is proving to be very successful. The pilot will finish in December, when we’ll collate the impact against a range of measurables, such as any difference in the number of tickets we’re able to get through before and after the pilot began. Ultimately, the trial will review how successful the offer of ‘agile’ working is to recruitment.”
As the sector adapts to a changed working environment, information sharing will be key. Emma says, “I’d like to hear from other universities that are doing similar things, so we can add to the business case for agile/remote working in IT, and other areas, across the sector.”