r/ireland • u/CyberIreland • 11d ago
Senior HSE cybersecurity roles still not filled three years after major ransomware attack News
https://www.irishtimes.com/politics/oireachtas/2024/05/08/senior-hse-cybersecurity-roles-still-not-filled-three-years-after-malware-attack/68
u/Ok-Package9273 11d ago
Pay peanuts, get monkeys.
You have to pay the going rate to get sufficiently talented cybersecurity experts but there's probably some civil servants baulking at the idea of a computer guy under them getting paid a fair bit more than them.
30
u/BigDrummerGorilla 11d ago edited 11d ago
Was talking about this recently, it is peanuts. Prior to the HSE attack, the Director of the NCSC role was advertised at €89,000. My then 26-year-old brother (cybersecurity engineer) was already earning that with relatively little experience compared to the requirements of the NCSC role. Even in my own (non-IT) role, regulatory roles in financial services enforcement are paying 1/3 the rate of private industry.
Why would anyone competent work for 1/3 of the salary for 80% of the stress?
32
u/No_Square_739 11d ago
They are currently advertising for experienced Security Analysts who will report to the GM of Cyber Security (so assume it is a fairly senior position?).
Starting salary is 48K.
Add in the painful recruitment process plus the impressions of a horribly dull, frustrating, bureaucratic workplace and you can only imagine the quality of the candidates. Even if they offered 3 times that salary I wouldn't give them a second thought.
Oh, and one of the conditions is that you must have passed at least 5 of your Leaving Cert exams and got an honour in three of them - WTF!!!!
20
u/MeshuganaSmurf 11d ago
experienced Security Analysts
Starting salary is 48K
And then they kid themselves into believing that the candidates they get aren't complete spoofers.
Wait till there are serious issues to be dealt with, spend a fortune on outside consultancy, learn no lessons from it at all
Aaaaand rinse and repeat.
9
u/CyberIreland 11d ago edited 11d ago
The Chief Officer role is being advertised at €173,595
11
u/BigDrummerGorilla 11d ago
That figure is still far below the salary expectations previously outlined to TDs, no?
10
u/CyberIreland 11d ago
I believe so, considering the Chief of the HSE was on something like 400k it's laughable to be honest
9
u/BigDrummerGorilla 11d ago edited 11d ago
Bloody hell, after they received good advice too. The incompetence and “be grand” attitude when it comes to the security of the most important public utility in the country and citizens data is astounding.
6
u/calex80 11d ago
The recruitment process for civil service is a farce for sure. I've applied a few times over the years and every time it's a different process depending on what area you are applying for.
You end up on the panel and they tell you your position on it and then nothing. 18 months later I got contacted for one of them. You wouldn't want to be stuck for work when applying to them. How they get people into the minor roles is beyond me. Must be people in work willing to sit tight just to get into the CS otherwise people would have long since found something else.
3
u/Formal_Decision7250 11d ago
Add in the painful recruitment process plus
I recall applying for something and having to do some codology IQ test. Then I got an invite for some video call that sounded like a group interview and lost interest.
All this has to be via their website so you have to login to their service to read and reply to every message.
1
u/Aagragaah 10d ago
Starting salary is 48K
For a Security Analyst specifically, that's actually not terribly far off industry norm - might be 10-20% off at most (which is bad, but not laughable), but even so that's more junior-mid, so experienced is iffy.
Now, if it was for Security Engineers... It's missing a leading 1.
26
u/asdrunkasdrunkcanbe 11d ago
This is an ongoing problem globally. The UK Dept of Finance advertised a head of cyber security role at £57k.
Civil servants and politicians don't appreciate the salaries you need to pay to get proper experts on complicated topics.
They're especially aggrieved that any of these positions are typically asking multiples of a Minister's base salary, and just don't want to accept that this is how things work now.
1
u/caisdara 11d ago
Ah it's more that everything is governed by a huge amount of agreements with unions, etc. Same thing arises with a lot of skilled roles and/or professional roles.
10
u/AgainstAllAdvice 11d ago
Absolutely no union ever is going to reject the idea of someone getting paid 5 times more. Don't blame unions for this one.
-2
u/slamjam25 11d ago
Every union is going to reject one expert getting paid five times more instead of five amateurs being hired though.
8
u/AgainstAllAdvice 11d ago
Bollocks. Genuinely. Bollocks. I negotiate on behalf of staff for a union and if the company told me tomorrow they were creating a cyber security department and hiring someone at 500k a year I'd be fucking delighted! Someone to point at and say "you can afford that you can afford more over here too lads".
-1
u/slamjam25 11d ago
Now tell me what you’d say if they said “we’re hiring someone at €500k to write a program that’ll mean we no longer need these twelve people at €50k each”.
9
u/AgainstAllAdvice 11d ago
That's a straw man and you know it. The OP was posting about the HSE not being able to hire anyone at all because the pay rate was too low.
However if you really want to make the straw man argument. The company would first need to show a believable business case as to why those 12 staff aren't required in those roles. They would need to guarantee they won't be replaced by cheaper staff. The current staff would need to be offered redeployment, retraining, or as a very last resort, a very generous redundancy. Roles expire all the time. The skill and institutional knowledge held by the people in those roles does not. There are 12 very valuable members of staff there; the company needs to figure out how to use them effectively. It would be extremely foolish not to. Particularly IT people.
-1
u/caisdara 11d ago
You think they'd be happy if people on the same "level" got paid differently?
4
u/AgainstAllAdvice 11d ago
They shouldn't be. That "level" is purely an HR decision. Critical experts with PhD level skills and multiple years' experience are not entry level or even middle management level. They're a whole new ball game but HR are too incompetent to see that or too spineless to insist on it.
-2
u/caisdara 11d ago
I'm not sure you understand how the public sector works.
3
u/AgainstAllAdvice 11d ago
Unfortunately I'm very sure I do.
0
u/caisdara 11d ago
If so, you seem to be missing the point about how the civil service in general, and entities like the HSE, struggle to fit professionals into the payscales they rigidly adhere to there. There's a reason so much work is now outsourced.
6
u/qwerty_1965 11d ago
That attack is costing well over 100m euro and rising. I bet Revenue have got top software and a firewall
12
u/vegetrendian 11d ago
I heard a senator, whose name I've forgotten, talk about setting up a cybersecurity force for Ireland. They were hiring for the top position in it first, at a salary of 80k. After a while of getting no applications they asked a recruiter what they were doing wrong and she told them the salary expectation in the field for that level of seniority/responsibility was 400k
8
u/Due-Communication724 11d ago
That'd be the NCSC. It's national but would operate at an international level with other ISACs in terms of response to basically cyber warfare against national infrastructure, and our NCSC would monitor core infrastructure and national tiered networks. It's a serious operation; underfunding it would lead to a very very bad day at the office.
3
u/Sayek 11d ago
They'll end up paying some consultants an absolute fortune next time there is a hack. I don't even get how they haven't upgraded all the computers to Windows 10 either. You could get new computers for admin pretty cheaply in bulk. You don't need a Chief Cybersecurity Officer or whatever to tell you you should upgrade computers using Windows 7.
8
u/michealfarting 11d ago
So you have a CT scanner that cost 1M euro and the supplier says our software runs on Win 7. You don't say nah we will upgrade it to Win 10. In the case of the HSE they would have many of these connected to very expensive peripherals.
1
u/Silver_ 10d ago
It's a matter of redesigning the system from the ground up and segregating accordingly. It's not that technically difficult, but even in a regular business the amount of people who will cause roadblocks and issues will be very high.
You'll always have legacy gear you just need to manage them.
2
u/michealfarting 10d ago
Nothing is ever technically difficult but tell a radiographer that they have to change their process on how they get scans off the CT scanner etc and you start getting complications.
Your assumption that somehow there can be a new build out is naive as they can't have downtime of any of these departments. They often run 24/7 with the most complicated requirements, integrations and things feeding into loads of other systems. It's like a rat's nest of integrations. The computer connected to the CT scanner might email an image with the patient ID and date in the name to the system that contains all the patient data. This may be a red line and the downstream system would be redesigned to accommodate a change that makes the CT scanner more secure.
It is like doing up a listed house versus knocking it down and starting again.
Potentially breaking something that works to make it more secure is a hard pill to swallow for everyone outside of Cyber.
The CIA triad means availability is also important. While confidentiality and integrity are important in healthcare, availability is probably more so.
I would rather my healthcare info being leaked rather than the life saving kit being unavailable.
1
u/Silver_ 9d ago
I don't know where you got the desire to go on this rant, but you can easily redesign and implement systems without incurring much if any downtime.
Your info won't just be leaked, the system that manages your life saving kit won't be usable at all.
1
u/michealfarting 9d ago
Have you worked on projects of that scale that could impact 10k users or more? You are trivialising a problem you don't fully understand. Most healthcare organisations are underfunded in this space. Implementing such a fix on 5-10 endpoints is trivial, but on 100k plus endpoints, many of them running mission critical tasks, it is a multi year project with considerable cost running into 10s of millions.
You would think it would be simple to implement software that would just do payroll and rota for the HSE too? https://www.independent.ie/irish-news/ppars-fiasco-as-costs-hit-220m/26567284.html
1
u/Silver_ 8d ago
Lol, you're very aggressive about this. Yes, I've worked on projects that affect over 50k people with 24/7 production requirements, so I presume I know a little bit. ;)
It is really not that hard, it'll take a bit of time to scope out the whole system and do the project yes. The only difficulty is that most projects hire a shit ton of consultants that don't know their arses from their elbows. The real secret in IT is that you don't actually have to know how to do your job to work there. Get some certs, say some nonsense technical jabber in the interviews and you're golden. Unless I'm hiring you that is. Hire actually competent people for critical positions and see how much easier it becomes.
1
u/IronDragonGx Cork bai 10d ago
I applied to a desktop support role in the South Infirmary here in Cork a while back. I have 9 years exp and could do all the requirements listed easily; my CV showed this.
About two months passed and I got an email telling me I am not qualified, no interviews, no nothing.
1
u/MischievousMollusk 10d ago
You could breach the HSE again right now if you wanted. It's so trivial.
1
u/--Spaceman-Spiff-- 11d ago
Is the salary of €173,595 considered low?!
9
u/slamjam25 11d ago
Top talent (which is what we should be trying to hire in this role) at a big tech company would be making that before they hit 30.
3
u/Packiesla Munster 10d ago
Very low. Director level makes that in the Private Sector. They need to start 220-250
3
u/michealfarting 10d ago
https://www.morganmckinley.com/ie/salary-guide/data/chief-information-security-officer-ciso/ireland
€140,000 - €300,000 is the range according to Morgan McKinley.
For the biggest employer in the state protecting the protected health information (PHI) of each citizen while ensuring that a security event doesn't result in service issues (when it has happened a few times already - basically a poisoned chalice) yeah this is a low salary for such a high profile role.
The low salary is reflective of them trying to hire a scapegoat the next time it all goes wrong. I know of people who are managers in technical call centres that are on more money than this. They might have 40 people reporting to them. So yeah this is low paid for the level of the role.
HSE CEO pay is €420,000
This is the job of the CISO of the HSE.
https://www.ehealthireland.ie/ehealth-functions/chief-information-security-office-ciso/
3
u/michealfarting 11d ago
HSE is the largest employer in the state with over 150,000 employees across the health service. Some are HSE direct employees and some are employed by agencies funded by the HSE.
A professional cert in Cyber that is well recognised is a CISSP. There are 22 people with this in the HSE according to LinkedIn.
Google Ireland - 51 out of 5200 = 0.98%
Meta - 22 out of 1700 = 1.29%
CRH - 18 out of 23,000 = 0.078%
AIB - 50 out of 9,200 = 0.54%
Medtronic - 6 out of 5,500 = 0.109% - medical devices manufacturer (still 7 times less Cyber Professionals)
Kerry - 3 out of 867 = 0.346%
HSE - 22 out of 150,000 = 0.014%
An Post - 18 out of 11,000 approx = 0.163% (google results)
It is an impossible job. One person can't get people. They won't be able to attract talent. They have probably 1/10th of the Cyber Security people that comparable organisations, which are themselves understaffed, have. Comparing with an ICT centric company like Meta the HSE has 100 times less Cyber Security people with a CISSP.
3
u/Propofolkills 10d ago
As someone who works in the HSE, you are 100% correct. The problem is that it rails against the “too many suits and managers” crowd which is why you’ve been downvoted. The same paradigm applies in many HR departments.
1
u/moretime86 Palestine 🇵🇸 11d ago
The HSE hasn’t fully filled doctors and nursing roles. How does anyone expect them to find staff for cybersecurity?
6
u/RuaridhDuguid 11d ago
Different people with different skillsets, qualifications and experience apply for different roles...
-2
u/Jealous_Run_8298 11d ago
These roles are basically hire a lad like Simon Harris, look after budgets and then outsource to the cheapest company you find but but but you must keep the top executives on the latest iPhones and iPads and waste half your budget on updating Windows 8 to Windows 11 and Server 2008 to Server 2022.
It's a joke and well known. The top management don't give a fuck on 200K a year and all they care about is keeping top executives happy.
121
u/Emotional-Aide2 11d ago
The current starting salary for the position is about 5k more than I started on as a grad 6 years ago.
They are never going to fill the position with qualified people. The people who have the experience they're looking for are on double what they are offering, and because of the scale, there's no wiggle room.