Largest ever survey of over 19,000 cybersecurity workers highlights major UK skills deficit caused by continuing failure to recruit millennials
- 20% increase in forecasted skills gap from two years ago; warns of looming ‘skills cliff edge’ as older generation goes into retirement
- 2015 Global Information Security Workforce Study forecasted a 1.5 million shortfall of cybersecurity workers by 2020
- 66% of UK companies have too few cybersecurity personnel; yet only 12% of UK cybersecurity workforce is under 35
- SMEs are hit particularly hard as just 23% of UK cyber professionals work for companies with fewer than 500 employees
London. The largest ever survey of over 19,000 cybersecurity professionals, conducted by the Center for Cyber Safety and Education™ (the Center) as part of its eighth Global Information Security Workforce Study (GISWS), sponsored by the nonprofit professionals’ association (ISC)²®, has revealed that the world will face a shortfall of 1.8 million cybersecurity workers by 2022. This is an increase of 20% on the five-year projection made in 2015 by the previous edition of the biennial study. In the wake of the UK Government Cybersecurity Strategy describing Britain’s cybersecurity skills gap as a “national vulnerability that must be resolved”, the findings show that 66% of UK companies do not have enough information security personnel to meet their security needs, and that the shortfall is impacting economic security.
The Center’s Global Information Security Workforce Study has surveyed the cybersecurity workforce since 2004, providing the most comprehensive report on the industry for over a decade. Its 2017 edition included responses from over 1,000 top UK cybersecurity professionals across banks, multinationals and Government bodies. The first release of the data has revealed that the primary reason for the skills gap is that organisations are struggling to find qualified personnel, with 47% of respondents citing this as an issue.
The findings indicate that the skills deficit is already impacting British businesses, with 46% of UK companies reporting that the shortfall of cybersecurity personnel is having a significant impact on their customers and a similar proportion warning that it is causing cybersecurity breaches. Forty-six percent of UK organisations expect to expand their cybersecurity workforce by more than 16% in the next 12 months, yet the shortage is holding them back.
The data also suggests that the skills shortfall leaves many UK businesses ill-prepared for the EU General Data Protection Regulation (GDPR), which from May 2018 will impose a mandatory 48-hour window for disclosing data breaches. Twenty-two percent of UK respondents predict that their companies would take over eight days to repair the damage if their systems or data were compromised by hackers, far longer than the legally required window for publicly reporting breaches.
Closing the door on millennials
As the fastest growing demographic, millennials will be critical for filling the employment gap.
In the UK, companies are failing to hire millennials: only 6% of UK respondents state that their organisations recruit from university graduates. The data also indicates that only 12% of the cybersecurity workforce is currently under 35, demonstrating the dwindling pipeline of talent entering the industry at a younger age. Furthermore, 53% of the workforce are over 45, suggesting that the UK is approaching a skills ‘cliff edge’ as the majority of the workforce gets closer to retirement.
The data also indicates that employers are closing the door to many of the millennial generation, refusing to hire and train inexperienced recruits. Only 10% of UK respondents say that the most demand for new hires is at entry level, and 93% say previous cybersecurity experience is an important factor in their hiring decisions.
The failure to diversify could become a vicious circle that deters younger generations from pursuing cybersecurity professions: research shows that millennials are far more diverse than previous generations and more likely to be attracted to workplaces that reflect their demographic.
The findings also suggest that SMEs are being priced out of the cybersecurity talent market. Just 23% of respondents work for UK SMEs, while a staggering 61% of the UK cybersecurity workforce is concentrated in major organisations with over 2,500 employees.
The data shows that almost three quarters of UK security professionals earn over £47,000 a year and 39% command annual salaries of over £87,000, indicating that the skills shortage is inflating salaries as more businesses compete for scarce talent.
A snapshot of the key findings:
- There will be a global shortfall of cybersecurity workers of 1.8 million by 2022; an increase of 20% from 2015’s GISWS report (1.5 million by 2020)
- 47% of UK respondents said that the main reason for the skills shortage is that it is difficult to find the qualified personnel they require
- Only 12% of the UK workforce is under 35 years old
- Only 6% of UK respondents said their organisations recruit from among university graduates
- 71% of respondents say that the biggest demand is for non-managerial staff; only 10% of UK respondents say that the most demand for new hires is at entry level
- 46% of UK respondents said that their organisation’s shortage of security workers is having an impact on customers (respondents who answered 4 and 5 on a scale of 1-5)
- 45% of UK respondents said that their organisation’s shortage of security workers is having an impact on security breaches (respondents who answered 4 and 5 on a scale of 1-5)
- Over a fifth of UK respondents (22%) said their organisations would take eight or more days to remediate the damage if their systems or data were compromised by hackers, with 5% predicting that they would take six weeks or more
- 74% of UK security professionals earn over £47,000 a year and 39% command annual salaries of over £87,000
Dr. Adrian Davis, Managing Director, EMEA at (ISC)², said: “A continuing industry refusal to hire people without previous experience, and a failure to hire university graduates means Britain is approaching a security skills ‘cliff edge’ due to the perfect storm of an ageing cyber workforce going into retirement and long-term failure to recruit from the younger generation. We need to see more emphasis on recruiting millennials and on training talent in-house rather than companies expecting to buy it off-the-shelf. There is a need to nurture the talent that is already in this country and recruit from the fresh pool of talent that is graduating from university.”
Lucy Chaplin, Manager at KPMG’s Financial Services Technology Risk Consulting, said: “Industry is experiencing a talent shortfall because employers are too focused on recruiting people with existing cybersecurity experience, which is like complaining that there’s a shortage of pilots but refusing to hire anyone who is not already an experienced pilot. We find that hiring and training inexperienced people pays off in better retention rates and a more diverse workforce. We recruit for attributes, such as analytical skills, rather than experience, and almost 50% of our new graduate hires are women, most of them with no previous industry experience.”
Rob Partridge, Head of BT Security Academy, said: “The findings confirm that graduates are being overlooked for cybersecurity roles and it is now an economic and security imperative that we change this trend. Industry needs to recruit more young people in general by offering more graduate jobs and in-work training. BT is committed to giving young people the chance and will be recruiting graduates and degree apprentices once again this year, in addition to the 170 we announced last year. Universities also need to place more of an emphasis on teaching cyber in their degree courses to prepare students for work in the connected economy.”
Angela Messer, a Booz Allen executive vice president and the firm’s Cyber innovation business leader and Cyber talent development champion, said: “Millennials will be, and in many cases already are, critical players who enable the success of our collective cyber defence. To attract, retain and empower these millennials, it’s clear from the Global Information Security Workforce Study that our industry must be innovative not only in its tradecraft, but also in how we support this next generation of information security professionals. At Booz Allen, we provide opportunities for skills development by offering traditional training and covering certification or advanced degree program fees, as well as non-traditional learning opportunities, such as our Kaizen capture the flag platform and hacker space labs.”