An anonymous blogger from the Ministry of Justice (MoJ) has admitted the government is struggling to find and keep the country’s top talent because ethical hackers don’t want to work for it.
The blog post describes the frustration of recruiting for security engineer roles at MoJ Digital and Technology. All too often it seems those who apply are only capable of delivering a “templated report that looks like a list of results from an automated scan”.
“We want people who have ethically hacked systems to hack our systems,” said the blogger, “but instead we end up with ethical folk (who) want to hack.”
Change of approach
As a result the department changed its approach to advertising, instead advertising in venues used by more technically-minded or academic researchers, such as forums, Internet Relay Chat (IRC) channels and conferences.
That resulted in interest either from top talent abroad who couldn’t relocate, or from promising mid-level individuals who were quickly snapped up by industry.
“Security-minded folk who can think originally still don’t think working for government (which is not all about intelligence agencies) is cool,” added the blogger. “And for good reason; some see government IT to be a massive legacy monolithic monster (partially true) where they will forever be in a dank corner, trying to troubleshoot memory issues in some mid-90s middleware, and be valued by how many colour-coordinated reports they can churn out (not true).”
Looking forward, the blogger concluded: “It is up to us to give them the freedom to use their creativity, and put to use what they’ve traditionally done purely for the kicks. We need to incentivise these talented people with (nearly) free reign, explain the stakes to them, let them shape security practices in a department along the lines they feel comfortable.
Let them work flexible hours, let them work from (nearly) wherever they want. They already have the expertise to know what goes in a good policy and what broken guidance looks like. Let us show them how their efforts can make a difference.”
Machine situational awareness software to continuously monitor and evaluate potential threats
CyberUK 2017 will take place in Liverpool next March
GDPR is an opportunity for government says Elizabeth Denham