(ISC)² Global shortfall of cybersecurity workers to reach 1.8 million in five years, new research reveals
--Largest ever survey of over 19,000 cybersecurity workers highlights major UK skills deficit caused by continuing failure to recruit millennials
--20% increase in forecasted skills gap from two years ago; warns of looming ‘skills cliff edge’ as older generation goes into retirement
--2015 Global Information Security Workforce Study forecasted a 1.5 million shortfall of cybersecurity workers by 2020
--66% of UK companies have too few cybersecurity personnel; yet only 12% of UK cybersecurity workforce is under 35
--SMEs are hit particularly hard as just 23% of UK cyber professionals work for companies with fewer than 500 employees
London, 14th February 2017 – The largest ever survey of over 19,000 cybersecurity professionals, by the Center for Cyber Safety and Education™ (the Center), part of its eighth Global Information Security Workforce Study (GISWS) sponsored by nonprofit professionals’ association (ISC)²®, has revealed that the world will face a shortfall of 1.8 million cybersecurity workers by 2022. This is an increase of 20% on the five-year projection made in 2015 by its bi-annual Global Information Security Workforce Study. In the wake of the UK Government Cybersecurity Strategy describing Britain’s cybersecurity skills gap as a “national vulnerability that must be resolved”, the findings show that 66% of UK companies do not have enough information security personnel to meet their security needs, and it is impacting economic security.
The Center’s Global Information Security Workforce Study has surveyed the cybersecurity workforce since 2004, providing the most comprehensive report on the industry for over a decade. Its 2017 edition included responses from over 1,000 top UK cybersecurity professionals across banks, multinationals and Government bodies. The first release of the data has revealed that the primary reason for the skills gap is that organisations are struggling to find qualified personnel, with 47% of respondents citing this as an issue.
The findings indicate the skills deficit is already impacting British businesses, with 46% of UK companies reporting that the shortfall of cybersecurity personnel is having significant impact on their customers and a similar proportion warning that it is causing cybersecurity breaches. Forty-six percent of UK organisations expect to expand their cybersecurity workforce by more than 16% in the next 12 months, yet the shortage is holding them back.
The data also suggests that the skills shortfall means that many UK businesses are ill-prepared for the EU General Data Protection Regulation (GDPR), which will impose a mandatory 48-hour window for disclosing data breaches in May 2018. Twenty-two percent of UK respondents currently predict their companies would take over eight days to repair the damage if their systems or data were compromised by hackers, far longer than the legally required window for publicly reporting breaches.
Closing the door on millennials
As the fastest growing demographic, millennials will be critical for filling the employment gap.
In the UK, companies are failing to hire millennials, with only 6% of UK respondents stating that they will recruit from university graduates. The data also indicates that currently only 12% of the cyber security workforce is under age 35, demonstrating the dwindling pipeline of talent entering the industry at a younger age. Furthermore, 53% of the workforce are over age 45, suggesting that the UK is approaching a skill ‘cliff edge’ as the majority gets closer to retirement.
The data also indicates that employers are closing the door to many of the millennial generation, refusing to hire and train inexperienced recruits. Only 10% of UK respondents say that the most demand for new hires is at entry level, and 93% say previous cybersecurity experience is an important factor in their hiring decisions.
The failure to diversify could become a vicious circle deterring younger generations from pursuing cybersecurity professions, with research demonstrating that millennials are far more diverse than previous generations and more likely to be attracted to workplaces that represent the demographic.
The findings exposed evidence that SMEs could be suffering from being priced out of the cybersecurity talent market. Just 23% of respondents work for UK SMEs and a staggering 61% of the UK cybersecurity workforce is concentrated in major organisations with over 2,500 employees.
The data shows almost three quarters of UK security professionals earn over £47,000 a year and 39% command annual salaries of over £87,000. This demonstrates that the skills shortage is inflating salaries as more businesses compete for scarce talented resource.
A snapshot of key findings:
--There will be a global shortfall of cybersecurity workers of 1.8 million by 2022; an increase of 20% from 2015’s GISWS report (1.5 million by 2020)
--47% of UK respondents said that the main reason for the skills shortage is that it is difficult to find the qualified personnel they require
--Only 12% of the UK workforce is under 35 years old
--Only 6% of UK respondents said their organisations recruit from among university graduates
--71% of respondents say that the biggest demand is non-managerial staff. Only 10% of UK respondents say that the most demand for new hires is at entry-level
--46% of UK respondents said that their organisation’s shortage of security workers is having an impact on customers (respondents who answered 4 and 5 on a scale of 1-5)
--45% of UK respondents said that their organisation’s shortage of security workers is having an impact on security breaches (respondents who answered 4 and 5 on a scale of 1-5)
--Over a fifth of UK respondents (22%) said their organisations would take eight or more days to remediate the damage if their systems or data were compromised by hackers, with 5% predicting that they would take six weeks or more.
--74% of UK security professionals earn over £47,000 a year and 39% command annual salaries of over £87,000.
Dr. Adrian Davis, Managing Director, EMEA at (ISC)², said: “A continuing industry refusal to hire people without previous experience, and a failure to hire university graduates means Britain is approaching a security skills ‘cliff edge’ due to the perfect storm of an ageing cyber workforce going into retirement and long-term failure to recruit from the younger generation. We need to see more emphasis on recruiting millennials and on training talent in-house rather than companies expecting to buy it off-the-shelf. There is a need to nurture the talent that is already in this country and recruit from the fresh pool of talent that is graduating from university.”
Angela Messer, a Booz Allen executive vice president, and the firm’s Cyber innovation business leader and Cyber talent development champion: “Millennials will and in many cases are already critical players who enable the success of our collective cyber defence. To attract, retain and empower these millennials, it’s clear from the Global Information Security Workforce Study that our industry must be innovative not only in its tradecraft, but also in how we support this next generation of information security professionals. At Booz Allen, we provide opportunities for skills development by offering traditional training and covering certification or advanced degree program fees, as well as non-traditional learning opportunities, such as our Kaizen capture the flag platform and hacker space labs.”
Lucy Chaplin, Manager at KPMG's Financial Services Technology Risk Consulting, said: “Industry is experiencing a talent shortfall because employers are too focused on recruiting people with existing cybersecurity experience, which is like complaining that there’s a shortage of pilots but refusing to hire anyone who is not already an experienced pilot. We find that hiring and training inexperienced people pays off in better retention rates and a more diverse workforce. We recruit for attributes, such as analytical skills, rather than experience, and almost 50% of our new graduate hires are women, most of them with no previous industry experience.”
Rob Partridge, Head of BT Security Academy: “The findings confirm that graduates are being overlooked for cybersecurity roles and it is now an economic and security imperative that we change this trend. Industry needs to recruit more young people in general by offering more graduate jobs and in-work training. BT is committed to giving young people the chance and will be recruiting graduates and degree apprentices once again this year, in addition to the 170 we announced last year. Universities also need to place more of an emphasis on teaching cyber in their degree courses to prepare students for work in the connected economy.”
Richard Horne, cyber security partner at PwC said: "Supporting and developing the next generation of cyber security talent is essential to the future of the industry. At PwC, we are on track to recruit more than 1,000 technology specialists over the next four years at both graduate and experienced levels. Cyber security hires will be a significant part of this and this year we're increasing the number of graduates we're recruiting to meet increasing client demand.
"We believe it's important to help our graduates experience the many different paths a career in this field could follow by offering a rotation programme around our teams, ranging from threat intelligence and incident detection and response to security transformation programmes and legal and regulatory compliance. Cyber security roles can often be seen as purely technical but today's well-rounded cyber security expert has a diverse skillset, with not only technical knowledge but also wider business skills like creativity, organisation, relationship-building and communication."
About the Center for Cyber Safety and Education’s Global Information Workforce Study
The first release of data from the Global Information Workforce Study, the Millennials – the Next Generation of Information Security Workers report, was sponsored by Booz Allen Hamilton, and is the first of a series to be released by (ISC)² in 2017 as part of the new format for the bi-annual Global Information Security Workforce Study. Several reports will be released throughout the year with new, previously unpublished information and insights about the global information security workforce. The next report will focus on women in cybersecurity, which will be released in early March.
Center for Cyber Safety and Education
The Center for Cyber Safety and Education (Center), formerly (ISC)² Foundation, is a nonprofit charitable trust committed to making the cyber world a safer place for everyone. The Center works to ensure that people across the globe have a positive and safe experience online through their educational programs, scholarships and research. Visit www.iamcybersafe.org.
(ISC)² is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)² offers a portfolio of credentials that are part of a holistic, programmatic approach to security. Our membership, over 120,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the public through our charitable foundation – The Center for Cyber Safety and Education™. Visit www.isc2.org.
© 2017 (ISC)², Inc., (ISC)², CAP, CCFP, CCSP, CISSP, CSSLP, HCISPP, SSCP and CBK are registered marks of (ISC)², Inc.
About Booz Allen Hamilton
Booz Allen Hamilton (NYSE: BAH) has been at the forefront of strategy and technology for more than 100 years. Today, the firm provides management and technology consulting and engineering services to leading Fortune 500 corporations, governments, and not-for-profits across the globe. Booz Allen partners with public and private sector clients to solve their most difficult challenges through a combination of consulting, analytics, mission operations, technology, systems delivery, cybersecurity, engineering, and innovation expertise.
With international headquarters in McLean, Virginia, the firm employs more than 23,000 people globally, and had revenue of $5.41 billion for the 12 months ended March 31, 2016. To learn more, visit BoozAllen.com.