New immigration proposals 'would widen' the already yawning cyber-security skills gap

News by Tom Reeve

New proposals to control immigration post-Brexit put forward today could make it even harder to recruit the cyber-security staff needed to secure UK organisations.

Organisations could find it harder to fill vacant cyber-security positions (pic: Westend61/Getty Images)

The cyber-security industry could find it much more difficult to recruit skilled staff from abroad under new immigration rules being put forward by the government in a white paper today.

Among the proposals is a £30,000 minimum salary for long-term work visas. The salary threshold would have been used as a proxy to assess the ‘skill level’ of a job, with the aim of limiting low-skilled immigration, which is seen as a threat to British workers.

While salaries for medium and highly-skilled cyber-security professionals are much higher than this limit, it could cause problems recruiting for entry-level analyst roles, some of which pay less than this. It could also affect the partners of those considering coming to the UK who work in less well-paid professions.

The government wants to reduce net immigration to the UK, a key message it feels came out of the EU referendum in 2016 from a public keen to reduce the number of low-skilled workers undercutting the wages of British citizens post-Brexit.

Home secretary Sajid Javid said that the current level of 273,000 is "very high" and should be cut so that immigration is no longer a burden on communities and infrastructure.

However, precise policy objectives have not been forthcoming from the government today. For instance, Javid refused to reiterate the Conservative Party manifesto pledge to reduce immigration to tens of thousands. Asked repeatedly on the BBC Radio 4 Today Programme this morning if the government was sticking to the manifesto pledge, Javid said only that "the objective is to bring net migration down to more sustainable levels".

And the £30,000 minimum salary, widely trailed in the past few weeks as a key plank of the proposals, will now be put out for consultation. The base salary figure would apply to EU nationals applying for five-year visas, a limit that already applies to most non-EU workers.

Despite the lack of clarity on other matters, it is clear that the government intends to scrap the current annual limit of 20,700 high-skilled workers from the EU and elsewhere applying for Tier 2 visas, a recommendation of the Migration Advisory Committee.

Any restrictions on immigration are only going to exacerbate the cyber-security skills gap. Between 30 and 40 percent of cyber-security professionals in the UK are from the EU, according to Spencer Symmons, director at the CPS Group, a tech recruitment firm, and he estimates that there is currently a shortage of around 50,000 cyber-security professionals in the UK.

The UK is already becoming less attractive to EU immigrants, he said: "While there are all sorts of reasons contributing to that, the overriding factor is the instability in our politics and our economy. Once the dust settles on Brexit and the path forward is clearer, I imagine the UK will continue to attract top talent. Some of the best businesses in the world operate here, and those candidates chasing the best opportunities will continue to make the move."

David Warburton, senior threat research evangelist for the EMEA at F5 Networks, is concerned that throttling immigration levels will deter students from studying in the UK, having a knock-on effect on recruitment.

Warburton said: "Despite the promise of a higher than average graduate starting salary of £30,000, these new immigration measures can act as a deterrent for the high percentage of foreign, undergraduate and post-graduate students studying information security in the UK. These students could soon start to consider studying in countries offering the same education with an easier path to employment."

In his experience, it can take up to nine months to fill a vacancy, but that could get much worse. "With new immigration policies, we could see vacancies left unfilled for 12 to 18 months. It goes without saying that understaffed cybersecurity teams will have a detrimental impact on an organisation's defences, leaving them open to more vulnerabilities," he said.

Jeff Curley, head of online and digital at Radware, said that "many organisations look towards graduates and other entry level staff to fill level one positions in their security operations centres. The impact on these organisations will be that to stand a chance of getting so-called medium-level skilled migrants from the EU they will need to go over the £30,000 threshold, thereby increasing their security analyst annual salary budget."

Curley agrees that political instability overall is making the UK less attractive to skilled foreign workers who can easily find work in other countries. "The potential to save money and transfer the pot at a favourable exchange rate back to the migrant's home country has been significantly damaged by the low value of the pound since the 2016 referendum. Plus the UK is simply no longer at the top of the list for prospective employment countries due to an unstable political atmosphere creating doubt that the UK would be the safest move for a migrant that had the choice to go elsewhere," he said.

Simon Hember, director at Acumin, a specialist cyber security recruitment consultancy, agreed that the UK is already becoming a less attractive place for foreigners to build a career. "The UK already loses out to several other countries on the highly competitive global security market, and if we cut or loosen ties with EU agencies such as Europol, we risk losing further influence. Global collaboration is extremely important in the fight against international cyber-crime, and we may risk our position as a leading force in the battle," he said.
