The virus spread across the world like wildfire. The software codenamed WannaCry is a member of what is known as the ‘ransomware’ family. Once installed on a computer, it encrypts the contents so that the owner/user is no longer able to access them and demands the payment of a ‘ransom’ to have the contents unfrozen. The spread of this virus has had a devastating effect on some companies. The UK’s National Health Service system was virtually paralyzed by the malware. On the continent of Europe, a number of major corporations suffered interruptions to their business, including Spanish telecoms operator Telefonica and automobile manufacturer Renault, which suffered disruptions to its assembly lines. By pure good luck, a young British cyber-security researcher managed to stop the process 'accidentally'. However, if the attack had been more widespread, it might have had a much more serious impact on national economies. “If the attack had been a bit more severe, we wouldn’t have been able to serve everyone,” reveals Michel Van den Berghe , the Chief Executive of France’s leading supplier Orange Cyberdefense, meaning that the company would not have had sufficient  resources to restore the systems of all its customers...

Just 1,200 hirings for the 6,000 vacant cybersecurity jobs in France in 2016

FRENCH COMPANIES REMAIN VULNERABLE

cybersécurité

Every time this kind of episode arises, it highlights a recurring weakness in France: the pool of experts in IT security is quite small, which leaves French companies highly vulnerable in the event of a massive attack.  Cyber-security firms are struggling to recruit staff, so that when such conflagrations break out at major corporations, there is always a shortage of firefighters. And according to Isaca, a non-profit association representing IT governance professionals, this shortage is a worldwide phenomenon. The results of an Isaca survey conducted earlier this year reveal that 27% of the 633 IT professionals polled acknowledge that they are not able to  recruit all the experts they are looking for. This figure rises to 30% among respondents based in Europe. Two out of three survey respondents say that in spite of receiving plenty of candidate CVs, they find that less than half of the job applicants actually possess the necessary skills. This gives some idea of the supply-and-demand gap.

6,000

JOB VACAN-CIES

ONLY 1,200 FILLED 


However, the problem seems to be more acute in France, where the realisation that these skillsets are currently falling short of requirements has come rather late in the day. According to Anssi, the French national agency for IT system security, only 1,200 of the 6,000 job vacancies in the cybersecurity field in France in 2016 were filled. Moreover, says Michel Van den Berghe, “the phenomenon is getting more serious.”  His company is planning to recruit 1,000 people over the next three years. Driven by the consumerisation of IT tools and the transformation of people’s daily habits, a wave of digitisation is sweeping across the corporate world. Company staff have lots of different ways of accessing the information system, any of which may open the door to perpetrators of malicious acts. Moreover, firms are nowadays having to recruit lots more computer security experts to help them comply with the vast array of regulations in force. “Regulation is accentuating the issue as companies are having to call on specialist suppliers who are themselves having trouble finding the necessary resources,” underlines the Orange Cyberdefense CEO. A crucial instance here is the new EU General Data Protection Regulation, which will be in force from 2018 and will apply to any company that collects, processes and stores personal data which might, either directly or indirectly enable a person to be identified. Another example is the law on military programming passed in France in 2013, which requires firms classed as Operators of Vital Importance to beef up their digital defence arsenal. The law affects over two hundred businesses in sectors as diverse as transport, energy, agri-foods and finance. In fact the situation could soon become rather worrying as the rapid growth in the number of objects connected to the Internet that have little or no security mechanisms installed is likely to aggravate the phenomenon over the next few years, leading to a new surge in demand for experts to remedy the problems that arise.

Training initiatives currently inadequate 

Meanwhile France’s teaching and training professions have not been sitting on their hands. A number of initiatives have been launched in the field of both academic teaching and professional training, with the aim of both producing the experts which the country needs and at the same time raising people’s awareness of digital risk at a very early stage.

There has been an increase in the number of specialized Master’s degrees, with the aim of training up young computing graduates who have some knowledge of cybersecurity.  At the same time Anssi is looking to build up a high-quality ecosystem by conferring on training courses labels such as ‘SecNumEdu’, which provides employers with a guarantee that job candidates have the requisite level of skills. However, the thirty or so training centres awarded the label are insufficient to meet the industry’s needs. Demand for cybersecurity experts – estimated at over a thousand a year – is such that the education system is struggling to keep pace with the requirements.

CYBERDEFENCE TRAINING AT ENSIBS

Ecole cybersécurité Ensibs

Moreover, very few training courses address all aspects of computer security, an area which requires a wide array of skills ranging from electronics to networks, computing, manufacturing systems and the law. At the moment, Ensibs (the South Brittany college of engineers) and Esiea (a private higher education institute for engineers based in the Greater Paris region) are the only engineering schools that have set up a multi-year training programme in computer security. “We offer a thorough three-year training programme teaching skills at a higher level than Master’s degrees, which only tackle part of the cybersecurity field”, points out Charles Préaux, head of Cyberdefence training for engineers at Ensibs. The programme is also one of the few in France to teach the practical skills of pro-active security, i.e. coping with the intrusion techniques used by hackers and malicious organisations to hack into systems. On the course, students learn, through practical exercises, to counter hacking activity concocted by their teachers. This year, the future engineering graduates were entitled to a week of practical training in near-real-life scenario conditions in which they were tasked to protect a hospital under attack.  The exercise was carried out in conjunction with the South Brittany hospital centre.

Time needed to close the skills gap

Making up for the skills deficit will take time. “Although ours is one of the oldest training programmes in existence, our second student intake will be on the jobs market only this summer,” reveals Charles Préaux. Meanwhile the market will simply not wait. Faced with the urgent need to recruit computer security specialists, some employers are now taking the initiative and setting up their own training programmes. This year Orange Cyberdéfense, an entity set up by telecoms company Orange’s Orange Business Services, launched its own ‘university’ – the Orange Cyberdéfense Academy. One of the programmes on offer is a part-time course in the form of evening sessions in conjunction with CNAM, the National Conservatory of Arts and Crafts, at the end of which students are awarded a Higher Technical diploma or an Engineering diploma specializing in computer security, depending on the skills level attained by the students concerned. Employees on permanent contracts regularly spend the daytime working at customer premises.  The company takes a pragmatic approach and has occasionally shown flexibility in its requirements regarding the skillsets needed to take part in the programme. “Of course,some candidates already have experience in the security field, while others only possess computing skills. What they have in common is the desire to progress in this field,” underlines Ludivine de Lavison, Human Resources Director at Orange Cyberdéfense. The company has thus decided to base entry on the aptitude, personality and motivation of applicants. Another 6-week programme run by the Orange Cyberdéfense Academy is intended to train people in-house in one or more market technologies, the first one run addressing identity management and system access. This choice is certainly clear-headed. While there is a shortage of skills across all IT security areas, commentators agree that identity management is one of the most sought-after skills.

All commentators agree that identity management is one of the most sought-after skill areas

Orange Cyberdéfense points especially to a shortage of Active Directory services experts. Other skilled personnel that recruiters are keen to get hold of include ‘pentesters’ (penetration testers), whose job is to probe for ‘holes’ in IT systems; forensic analysts, who specialise in post-attack investigations; and Python/PHP developers, who are trained to check the level of security of a piece of software. These experts are “difficult to recruit because they are hard to spot on the web, unlike candidates looking for more functional jobs,” explains Ludivine de Lavison. It therefore requires an innovative approach if you wish to recruit people in this field. The old insistence on hiring a ‘five-legged horse’ – a graduate engineer with five years’ work experience who ticks all the boxes – is probably a thing of the past and employers are now becoming open to hiring people with other backgrounds. In recent years more and more firms have been looking carefully at people involved in hackers’ conventions – forums that attract computer nerds and geeks who do not always possess armfuls of degrees but are very adept at spotting holes and faults in systems. “Employers are now persuading these ‘good guy’ hackers to turn their skills to something that will earn them financial reward. This phenomenon has existed for quite some time in the United States and it is now spreading in France as well, indicating a distinct change in mentality. These people are not to be found through the media. You have to recruit them via word-of-mouth,” points out  Laurent Halimi, founder and CEO of Elitegroup Recruitment, a global leader in cybersecurity staffing.

Such people are difficult to recruit because they are hard to spot on the web, unlike candidates looking for more functional jobs.

For instance, companies such as OVH, Orange Cyberdefense, Qwant, Outscale and Hervé Schauer Consultants (part of the Deloitte group), plus also Anssi, came to the Nuit du Hack (’Hack Night) in July, in the hope of discovering that rare gem, an IT system audit expert.

Wage inflation driven by employer’s battle to hire talent 

TALENT SHORTAGE DRIVING UP SALARIES

inflation salaires

Pushed by the shortage of available talent, salaries in this field have been rising sharply. Young high school graduates can already expect to earn €35K per year as a starting salary, which is then likely to double within the space of a few years. “It’s not unusual to see a person’s salary rise from 70K to 130 or 140K within six years,” reveals Laurent Halimi. A cybersecurity specialist now earns around 30% more than a standard informatics person with the same overall level of experience. A battle is now raging between major companies, with some of them poaching staff from other firms. This staff turnover is in turn helping to pump up the atmosphere of wage inflation. Says Michel Van den Berghe:

“Wage inflation is now up at 20 - 40% depending on the skillsets. Alert centre staff, Computer Emergency Response Team (CERT) experts and Security Operation Center (SOC) people are rare commodities that are really sought after.”  The levels of remuneration now on offer are helping to attract the younger generation to this field, but nevertheless, this type of work is still relatively little-known. A global survey by Kaspersky Lab reveals that close to three quarters (71%) of all young people interviewed are not well informed about opportunities to pursue higher education studies in Information Security.  It would therefore seem to be a key priority for national education authorities to provide adequate information about available training in cybersecurity.

By Olivier Discazeaux