The global IT security industry will face a shortfall of 1.8 million workers by 2022, according to a new study, while the UK faces the prospect of its workforce actually shrinking.
The Center for Cyber Safety and Education surveyed 19,000 cyber-security professionals for its eighth bi-annual Global Information Security Workforce Study (GISWS), sponsored by non-profit professionals' association (ISC)².
It found that the perceived shortfall in cyber-security experts had risen 20 percent, up from 1.5 million, the figure it published in its previous survey in 2015.
The UK government's recent Cyber Security Strategy called Britain's cyber-security skills gap a “national vulnerability that must be resolved”.
The survey found that two-thirds of firms in the UK don't have enough infosecurity personnel to meet their needs, and it is impacting economic security. Around 47 percent claimed the reason behind this was an absence of qualified candidates.
The skills shortage issue has already impacted UK firms, with 46 percent of UK companies reporting that the shortfall of cyber-security personnel is having significant impact on their customers and 45 percent warning that it is leading to security breaches.
The shortage means that companies may fail to comply with the GDPR, which will mandate a 72-hour breach notification window. Around 22 percent of survey respondents said it would take them eight days to recover from a data breach and report it.
The survey also revealed that the UK is failing to hire Millennials that could help fill the skills gap. Just six percent of respondents said they would recruit university graduates.
Only 12 percent of the cyber-security workforce is under age 35, which indicated a decreasing pipeline of talent coming into the industry.
Over half (53 per cent) of the workforce is over age 45, suggesting that the UK is approaching a skills ‘cliff edge' as these people approach retirement.
Dr Adrian Davis, managing director of EMEA at (ISC)², said, “A continuing industry refusal to hire people without previous experience, and a failure to hire university graduates means Britain is approaching a security skills ‘cliff edge' due to the perfect storm of an ageing cyber workforce going into retirement and long-term failure to recruit from the younger generation.
“We need to see more emphasis on recruiting millennials and on training talent in-house rather than companies expecting to buy it off-the-shelf. There is a need to nurture the talent that is already in this country and recruit from the fresh pool of talent that is graduating from university.”
Neil Owen, director at Robert Half Technology, told SC Media UK that his firm's own research on the matter showed that only one in three CIOs are confident that their teams have the skills to manage these threats.
“This chronic shortage of skilled IT talent to fend off potential attacks comes down to two things: the evolution of cyber-threats and the current skills shortage in cyber-security. In an increasingly competitive labour market, candidates with the required skill set might not always be available. In these cases, businesses need to nurture talent internally and seek out development opportunity within their current workforce to mitigate the risk of falling victim to a cyber-attack,” he said.
Matt Piercy, vice president and general manager EMEA at Zscaler, told SC that the lack of technical skills in-house restricts the freedom in which organisations can customise and manage their own security infrastructures. Instead, they have no choice but to look externally for assistance from consultants and managed service providers.
“Businesses need to be careful when selecting a technology supplier. A wrong choice could lead to a false sense of security, more chaos and disastrous consequences,” he warned.