Why the burning desire for security clearance?
08:00 Wednesday, 01 December 2021
UK Cyber Security Council
The UK Government's web site is extremely descriptive when it comes to the various forms of security clearance that are required before a contractor is permitted to see certain types of government data - particularly that classified "secret" or "top secret". The most common level of clearance one comes across in job advertisements is the Security Check, or "SC" clearance. This is required for "frequent and uncontrolled access to SECRET assets and/or occasional, supervised access to TOP SECRET assets" (their capitalisation, not ours) and to become cleared you must go through a variety of checks in areas including your financial/credit history, your criminal record and the records of your recent employment. Higher-level access, via the Developed Vetting ("DV") process, obviously needs more rigorous research into your history, which includes you and your referees being interviewed along with a full inspection of your personal finances.
There's just one question, though: although clearance is obviously required if one is applying for a role that will involve working with the Government (or at least their sensitive data), why do so many job ads ask for it even though they're nothing to do with the Government and don't do Government work?
A job ad for a cyber architect at a recruitment firm says that you should have clearance (it doesn't specify which variant) or "be able to undergo security clearance". What does this even mean? Everyone can take part in the clearance process, so it can't be that; and if they mean you should be able to pass the clearance checks… with the best will in the world, you can't be sure of that unless you have actually done it, because esoteric details can cause clearance to be declined.
And this approach isn't unique: one recruiter is looking for someone who is "eligible for SC clearance" - as we have just noted, the only way you can really know you're eligible is if you've been cleared. Likewise, the line "You will need to be eligible for SC level UK Security Clearance" in the advert for another role. Amazon Web Services has perhaps taken the best approach - after all, one imagines there might be Government data on AWS disks at some point - with the line: "This position may require the applicant selected to obtain and maintain a UK security clearance".
One of the job ads referred to here makes a blatant reference to the fact that you'll be working with Government agencies, so the need for clearance is fair enough, even if the logic is off. The others don't, and time and time again one sees an ad and thinks: why are they asking for this if it looks like I'll have no contact with data that would require clearance?
In some cases, it could be a differentiator. We know that even with the oft-written-about skills gap in cyber security there are many, many applicants for roles (particularly senior ones), and if you have a crop of candidates of roughly equal suitability then SC or DV clearance might be a useful means of picking a winner. It's also a potential screening benefit, with a Government-approved credential building your confidence on top of whatever pre-employment checks you do for new staff.
Often, though, there is no realistic need for clearance, so one has to question why it is being asked for. Sometimes it's self-importance on the part of the employer, and there is no actual reason why they should need anyone with clearance. Sometimes it's because the employer is trying to get onto the Government's approved supplier list, so it's future-proofing via the recruitment process.
Whatever the case, though, if you don't have clearance and you think a role is therefore closed to you: ask them why it's needed. Because in a significant number of cases, the answer will be that it is actually a nice-to-have and the role isn't closed to you after all.