Cyber workforce findings

by Mark Rowe

The world will face a shortfall of 1.8 million cybersecurity workers by 2022.

That is according to a survey of over 19,000 cybersecurity people, by the Center for Cyber Safety and Education, in its eighth Global Information Security Workforce Study (GISWS) sponsored by nonprofit IT association (ISC)². That 1.8 million is an increase of 20pc on the five-year projection made in 2015 by its bi-annual Global Information Security Workforce Study.

In the wake of the UK Government Cybersecurity Strategy describing Britain’s cybersecurity skills gap as a “national vulnerability that must be resolved”, the survey suggests that 66pc of UK companies do not have enough info-security personnel to meet their security needs, and that this is affecting economic security.

The Center has surveyed the cybersecurity workforce since 2004. Its 2017 edition included responses from over 1000 UK cybersecurity people, across banks, multinationals and Government bodies. A primary reason for the skills gap is that organisations are struggling to find qualified personnel, with 47pc of respondents citing this as an issue. The skills deficit seems to be already affecting British businesses, as 46pc of UK companies report that the shortfall of cybersecurity personnel is having a significant impact on their customers and a similar proportion warn that it is causing cybersecurity breaches. Nearly half (46pc) of UK organisations expect to expand their cybersecurity workforce by more than 16pc in the next 12 months, yet the shortage is holding them back.

The data also suggests that a skills shortfall makes many UK businesses ill-prepared for the EU General Data Protection Regulation (GDPR), which from May 2018 will impose a mandatory 48-hour window for disclosing data breaches. Some 22pc of UK respondents predict their companies would take over eight days to repair the damage if their systems or data were compromised by hackers, far longer than the legally required window for publicly reporting breaches.

As the fastest growing demographic, millennials will be critical for filling the employment gap. In the UK, companies are failing to hire millennials, with only 6pc of UK respondents stating that they will recruit from university graduates. The data also indicates that currently only 12pc of the cyber security workforce is under age 35, demonstrating the dwindling pipeline of talent entering the industry at a younger age. Furthermore, 53pc of the workforce are over age 45, suggesting that the UK is approaching a skill ‘cliff edge’ as the majority gets closer to retirement.

Employers appear to be closing the door to many of the millennial generation, refusing to hire and train inexperienced recruits. Only 10pc of UK respondents say that the most demand for new hires is at entry level, and 93pc say previous cybersecurity experience is an important factor in their hiring decisions.

A failure to diversify could become a vicious circle deterring younger generations from pursuing cybersecurity, the study authors say, with research demonstrating that millennials are far more diverse than previous generations and more likely to be attracted to workplaces that represent the demographic.

SMEs could be suffering from being priced out of the cybersecurity talent market. Just 23pc of respondents work for UK SMEs and 61pc of the UK cybersecurity workforce is concentrated in major organisations with over 2,500 employees. Almost three quarters of UK security professionals earn over £47,000 a year and 39pc command annual salaries of over £87,000. A skills shortage is inflating salaries as more businesses compete for scarce talent, according to the authors.

Findings include:

– There will be a global shortfall of cybersecurity workers of 1.8 million by 2022; an increase of 20pc from 2015’s GISWS report (1.5 million by 2020)

– 47pc of UK respondents said that the main reason for the skills shortage is that it is difficult to find the qualified personnel they require

– Only 12pc of the UK workforce is under 35 years old

– Only 6pc of UK respondents said their organisations recruit from among university graduates

– Most respondents (71pc) say that the biggest demand is for non-managerial staff. Only 10pc of UK respondents say that the most demand for new hires is at entry level

– 46pc of UK respondents said that their organisation’s shortage of security workers is having an impact on customers (respondents who answered four and five on a scale of one to five)

– 45pc of UK respondents said that their organisation’s shortage of security workers is having an impact on security breaches (respondents who answered 4 and 5 on a scale of 1-5)

– Over a fifth of UK respondents (22pc) said their organisations would take eight or more days to remediate the damage if their systems or data were compromised by hackers, with 5pc predicting that they would take six weeks or more.

– 74pc of UK security professionals earn over £47,000 a year and 39pc command annual salaries of over £87,000.

Dr Adrian Davis, Managing Director, EMEA at (ISC)², said: “A continuing industry refusal to hire people without previous experience, and a failure to hire university graduates means Britain is approaching a security skills ‘cliff edge’ due to the perfect storm of an ageing cyber workforce going into retirement and long-term failure to recruit from the younger generation. We need to see more emphasis on recruiting millennials and on training talent in-house rather than companies expecting to buy it off-the-shelf. There is a need to nurture the talent that is already in this country and recruit from the fresh pool of talent that is graduating from university.”

Visit www.iamcybersafe.org.

Comment

At IT security product company IS Decisions, François Amigorena, CEO, said: “The findings from the ISC² report are hardly surprising, but I wouldn’t say the UK’s cybersecurity problem is just down to the fact that businesses are “understaffed”. Yes, hiring the right people with the right expertise is a serious challenge, but I don’t believe that companies should simply invest in cybersecurity professionals to bolster their defence. Everybody within the company, from the two-week intern to the CEO, has a role to play in protecting the business. Why? Because the biggest vulnerability within an organisation is the people — and hackers are now exploiting the naïvety of employees more than ever. You only need to look as far as the cyber attacks that have happened to Dropbox, Sony, eBay, Sage, Three and many other large multinationals to realise that all it takes is for someone to fall for a phishing email and inadvertently hand over their company login credentials.

“Then a hacker has all the time in the world to snoop around your systems without you even noticing. Even the most vigilant of cybersecurity experts within your organisation might miss it because they are, well, human. That’s why I wouldn’t say that the problem with businesses is that they are simply ‘understaffed’ — they are more under-resourced if anything. Having the right technology resources in place is equally, if not more, important than employing the right cybersecurity professional because technology is less likely to miss the suspicious login of a hacker. The kind of technology that restricts logins to IT-approved workstations, geographies, times of day or mobile devices will alert you to danger much faster than any cybersecurity professional will — no matter how well you’re staffed.”


© 2024 Professional Security Magazine. All rights reserved.