Cyber Security Centre director salary should be up to €185,000 higher, TDs told

Director role vacant at national centre leading response to HSE cyber attack

The role had been offered with a salary of between €106,000 and €127,000. Photograph: iStock

The role had been offered with a salary of between €106,000 and €127,000. Photograph: iStock

 

The salary on offer for vacant role of director of the National Cyber Security Centre (NCSC) should be between €220,000 and €290,000 in order to compete with the private sector, TDs and Senators have been told.

That is considerably more than the €106,000 to €127,000 pay that had been on offer for the role.

The Oireachtas Committee on Communications heard from cybersecurity experts in the wake of the ransomware attack on the HSE.

The NCSC is spearheading the State’s response to the attack but it does not have a director.

The committee also heard that the budget for the NCSC should be “at least 10 times” its current funding of €5.1 million.

This morning, Bláthnaid Carolan, an expert in cybersecurity recruitment said this is an “extremely important new position” and a “critical new hire” for the NCSC.

She said if it is to hire for success they need expertise and the remuneration “must be competitive” and should be benchmarked with the private sector.

Ms Carolan said the jobs market is very competitive and similar private sector roles attract salaries of between €220,000 and €290,000 per annum with additional benefits and bonuses.

She said that the success of the NCSC hinges on “getting this hire right”.

Ms Carolan suggested the benefits package should amount to between €150,000 and €200,000.

Minister of State for Communications Ossian Smyth last week said an individual had been selected for the job following an open competition but the person decided not to go ahead with the appointment.

The salary scale that had been offered in a public appointments service competition had ranged from €106,000 to €127,000.

Mr Smyth said he would be recommending a higher salary for the role but the sum has not yet been determined and would have to be approved by Government.

He said the Government is trying to recruit someone who would normally have a cybersecurity role in a multinational company “so we have to take into account what they would be paid if they had a job in one of those companies”.

Speaking at today’s meeting Senator Gerard Craughwell said Ms Carolan’s suggestion of a salary of up to €290,000 for the job had “sent shockwaves through the entire committee”.

He said the HSE boss is on a package of €420,000 so the €290,000 suggested for the NCSC director is “not extraordinary” but he also said the State doesn’t pay bonuses so he asked if the basic salary would have to be higher.

Ms Carolan said it is an “exceptional role” and “There’s an exception to every rule and we really need to make it attractive to attract and retain the right person to this role.”

She added: “Maybe we might look to the NTMA [National Treasury Management Agency] who applied private sector packaging towards hiring particular key talent for the NTMA albeit within the public sector and possibly apply a model akin to that.”

The NTMA chief executive is on a salary of €480,000.

The committee also heard from Pat Larkin, a former Defence Forces member who is the chief executive of cybersecurity company Ward Solutions.

He suggested that the budget for the NCSC should be “at least ten times” the €5.1 million allocated to it this year.

Mr Larkin compared per capita spending here with the UK and said that to bring it to that level the NCSC should have a budget of around €50 million.

He added that the solution to improving cyber security in Ireland doesn’t rest with the NCSC alone.

Mr Larkin also told the committee that the financial scale of cyber crime has now overtaken the global illicit narcotics trade.

He said that in Ireland “We need to raise our game nationally from an immature to optimised approach to cyber security to protect our citizens, our Government and our economy.”

He said there needs to be “a global consensus to say this activity is a higher order of crime particularly when it attacks critical national infrastructure, our health systems.”

Mr Larkin added: “Without being dramatic about it there are adverse patient outcomes from what’s happened in the health system leading to increased mortality.”

He said Ireland must try and mobilise organisations like the United Nations to say cybercrime is unacceptable and the assets of the perpetrators must be targeted as if they are “narco-terrorists”.

He also said: “We’ve got to go after have the states that are ambivalent or facilitating or perpetrating this as international pariahs.”

Committee chairman Fine Gael TD Kieran O’Donnell asked why the Irish health service is attacked and how Ireland is perceived in terms of cybersecurity.

Padraic O’Reilly co-founder of US-based company Cybersaint said “simplest answer is that data is valuable” and he added: “hospitals are getting hit over here as well.”

He said: “I can understand reputational concerns with respect to that but everyone’s getting hit. It’s a global problem.

“These actors are inside states that often don’t police their activities so they’re criminal organisations.

“They punch a clock. They show up in the morning and they work and they are professional and they’re criminals.

“And they’re very disciplined at what they do...and what they’re after is data.

“Health data is very, very valuable…because if you steal it the organisations are inclined to negotiate with you”.

Mr O’Reilly said the Government’s position that it will not pay a ransom is “very impressive” adding: “Many of the companies here that are compromised get into quick negotiations and often say publicly that they’re not going to pay the ransom but they’ve already paid it.”