UK Exposed: Cybersecurity skills shortage putting businesses in the firing line

While businesses across the country grapple with post-Brexit contingency planning, a lack of experienced and qualified professionals with the right cyber skills is presenting an additional major challenge.

Back in 2014, Jon Oltsik, principal analyst at Enterprise Strategy Group (ESG), predicted a growing cybersecurity skills shortage panic over the coming years, saying:

"We won’t have an appropriately-sized army of cybersecurity professionals and some organisations will be left high-and-dry. As this happens, the cybersecurity skills shortage will become more visible and more problematic than industry, national governments, and large organisations seem to anticipate."

Some of the most acute infosec skills shortages Oltsik identified, based on ESG research at the time, were:

  • 43%: Cloud computing and server virtualization security
  • 31%: Endpoint security
  • 31%: Network security
  • 30%: Data security
  • 30%: Security analytics/forensics

Fast-forward four years
In technology, four years is a long time. But when it comes to training up the next generation of cybersecurity professionals, it would appear that four years has not been long enough. What’s more, the UK appears to be at the top of the world rankings of countries that need — but lack — the best people to step into the breach.

In early 2017, Indeed, a major online recruiter for IT security roles, published its report on the Global Cybersecurity Skills Gap. As the title of the report suggests, the skills gap is certainly not unique to the UK, but their research does illustrate particular strains on businesses here.

Measuring the number of clicks on job postings, Indeed reported that job seeker interest in cybersecurity positions in the UK met only 32% of employer demand in 2016, down from 37% the year before. This was one of the lowest levels of the ten countries involved in the survey, second only to Israel, and less than half of the interest levels indicated in the US and Canada.

A boost for employees
Of course, this is great news for professionals who are already experienced or breaking into the cybersecurity jobs market. With supply and demand firmly on their side, the evidence indicates they are in a strong position to negotiate the best salaries and find new job opportunities if necessary to drive their careers forward.

To illustrate the situation, Veronica Mollica, founder and executive information security recruiter at Indigo Partners, explains the growing cost of maintaining in-house security staff in a recent cybersecurity business report published by CIO online:

"The cybersecurity job market is on fire. Our candidates are facing competing offers from multiple companies with salary increases averaging over 30%. Current employers are scrambling to retain talent with counter offers including 10% and higher salary increases for information security team members to remain on board."

In his article, Jon Oltsik puts it like this: "Cybersecurity employees with years of faithful employment at small regional banks, Universities, and State governments will get offers they simply can’t refuse. This will cause a panic at many organisations when they lose security professionals who more or less “owned” their informal incident detection and response processes."

The impact on businesses
High salary demands and employee attrition rates are important considerations for IT and HR to manage. But the lack of available talent is now a key issue for the board, which has to mitigate the potential impact of a data breach on stock price, customer loyalty, customer acquisition, and the brand.

Commenting on the shortage of security professionals in Network World, Rashesh Jethi, a director at Cisco, said: "It’s probably 10- to 12-times harder to find cybersecurity professionals than it is to find general IT professionals."

In the same article, Charlie Benway, executive director of the Advanced Cyber Security Center (ACSC), added: "Executive management and boards of directors are now recognising that cybersecurity is not just a tech problem, it’s a business problem. We're starting to see more executive-level emphasis on cybersecurity, more resources coming into cybersecurity, across all industry sectors. That has definitely increased the demand..."

So, how are senior management teams — especially in small to medium-sized organisations — expected to increase their IT security when the skills to do this are in such short supply?

In Cisco’s Mitigating the Cybersecurity Skills Shortage report, it is evident that companies are starting to bolster in-house cybersecurity expertise with professional security services. Using security partners and managed security service providers (MSSPs) — who continually invest in security expertise, intelligence, and innovative new technologies — has risen in popularity as a way to keep pace with a dynamic threat environment.

With the demand for the cybersecurity workforce expected to rise to 6 million (globally) by 2019, with a projected shortfall of 1.5 million, finding the right support looks likely to be a growing challenge. For businesses in the UK facing some of the highest skills shortages in the world, working with external partners is possibly the best way to reduce their exposure to an increasingly complex and dangerous future.

Key takeaways:

  • Jon Oltsik was right - the panic has begun
  • It's Hot! The cybersecurity job market is on fire
  • The skills gap in the UK is more significant than in other countries
  • The lack of available cybersecurity talent is a major concern for UK businesses