Despite a 48 per cent increase in cybercrime since 2013, to 42.8 million incidents[1], the equivalent of 117,339 attacks a day, a recent survey has found that global information security budgets have decreased by four per cent[2] over the same period. Security spending as a percentage of IT budgets has remained stalled at 4 per cent or less for the past five years.
Protection against hackers is therefore becoming a huge issue, partly because security software can be flawed, and partly because a skills shortage is leaving internal cyber security specialists ‘thin on the ground’ and so too expensive for many companies and governments to hire as an internal resource.
Also, those organisations rich with confidential data that can be sold on the thriving black market are not necessarily those able to lure the best security engineers. State and local government, universities and small businesses, for example, struggle to recruit the talent they need to protect the information they hold.
As many of these organisations don’t have the right people in-house to protect themselves from cyber-attacks, they are turning to management consulting firms for high-quality advice on how to mitigate the threat of cyber-attacks. According to the Management Consultancies Association (MCA), a quarter of all management consulting work in the UK now involves digital, and work related to protecting organisations from cyber threats is growing rapidly. In 2013, 8,000 consultants were either recruited or redeployed into digital.
Consultancies don’t always need to recruit people with the right technical skills; some can redeploy consultants who have deep knowledge of physical security. For instance, Richard Krishnan of KPMG advised police forces and other law enforcement agencies on physical security for over a decade, but has now made the shift to become a director in KPMG’s cybersecurity team. He says: “A lot of the skills are extremely transferable. How you think about a threat, how you allocate resources and try and mitigate the threat is very similar to physical security.” He continued: “Admittedly the terms used take a lot of getting used to, but the basic principles are extremely transferable. I have found I actually have an advantage over the IT people as I understand the business angle and bring a fresh perspective.”
Some consultancies also utilise ‘ethical hackers’ or ‘white hats’ (a reference to old Westerns in which the good guys all wear white hats) to help them expose flaws in their clients’ defences and advise on how to minimise these weaknesses. These ethical hackers come from a variety of backgrounds, from the best graduates with IT degrees to reformed hackers. They are often tasked with challenging an organisation’s defences by “penetration testing” them. This requires a lot of trust, as the organisation is essentially asking the ethical hacker to hack into its systems, leaving it potentially vulnerable. They need a strong work ethic, very good problem-solving and communication skills, and the ability to stay motivated and dedicated.