The world’s largest survey of info security professionals spanned banks, governments and multinationals.
It was coordinated by the non-profit cyber security professionals association (ISC)² and has revealed that Britain is facing a cyber security skills ‘cliff edge’: 66% of British companies are chronically understaffed, much of the workforce is going into retirement, only 12% of the UK workforce is under 35 and 53% is over 45 years old.
The result has been a widening skills gap: the report projects a global shortfall of cyber security workers reaching 1.8 million in the next five years, a 20% increase on the five-year projection made in 2015 (1.5 million by 2020).
Cyber security skills shortage
The findings indicate the skills deficit is already impacting British businesses, with 46% of UK companies reporting that the shortfall of cyber security personnel is having a significant impact on their customers and a similar proportion warning that it is causing cyber security breaches. 46% of UK organisations expect to expand their cyber security workforce by more than 16% in the next 12 months, yet the shortage is holding them back.
The data also suggests that the skills shortfall leaves many UK businesses ill-prepared for the EU General Data Protection Regulation (GDPR), which from May 2018 will impose a mandatory 48-hour window for disclosing data breaches.
Over a fifth of UK respondents currently predict their companies would take over eight days to repair the damage if their systems or data were compromised by hackers, far longer than the legally required window for publicly reporting breaches.
Neil Owen, director at Robert Half Technology, said that “this chronic shortage of skilled IT talent to fend off potential attacks comes down to two things – the evolution of cyber threats and the current skills shortage in cyber security. In an increasingly competitive labour market, candidates with the required skill set might not always be available. In these cases, businesses need to nurture talent internally and seek out development opportunity within their current workforce to mitigate the risk of falling victim to a cyberattack.”
Closing the door on millennials
As the fastest growing demographic, millennials will be critical for filling the employment gap.
In the UK, companies are failing to hire millennials, with only 6% of UK respondents stating that they will recruit from university graduates.
The data also indicates that currently only 12% of the cyber security workforce is under age 35, demonstrating the dwindling pipeline of talent entering the industry at a younger age.
Furthermore, 53% of the workforce are over age 45, suggesting that the UK is approaching a skill ‘cliff edge’ as the majority gets closer to retirement.
The data also indicates that employers are closing the door to many of the millennial generation, refusing to hire and train inexperienced recruits.
Only 10% of UK respondents say that the most demand for new hires is at entry level, and 93% say previous cybersecurity experience is an important factor in their hiring decisions.
The failure to diversify could become a vicious circle, deterring younger generations from pursuing cyber security professions, with research demonstrating that millennials are far more diverse than previous generations and more likely to be attracted to workplaces that represent the demographic.
Dr. Adrian Davis, Managing Director, EMEA at (ISC)², said: “A continuing industry refusal to hire people without previous experience, and a failure to hire university graduates means Britain is approaching a security skills ‘cliff edge’ due to the perfect storm of an ageing cyber workforce going into retirement and long-term failure to recruit from the younger generation.”
“We need to see more emphasis on recruiting millennials and on training talent in-house rather than companies expecting to buy it off-the-shelf. There is a need to nurture the talent that is already in this country and recruit from the fresh pool of talent that is graduating from university.”
The findings also exposed evidence that SMEs could be suffering from being priced out of the cybersecurity talent market.
Just 23% of respondents work for UK SMEs, and a staggering 61% of the UK cybersecurity workforce is concentrated in major organisations with over 2,500 employees.
The data shows almost three quarters of UK security professionals earn over £47,000 a year and 39% command annual salaries of over £87,000.
This demonstrates that the skills shortage is inflating salaries as more businesses compete for scarce talent.