The emergence and importance of Security
The skill shortage within the cyber security industry is well-documented, with reports stating that there is a global shortage of over 2 million vacancies. Does this mean there are a lot more people than jobs? Does this mean there are multiple cyber vacancies at every organisation in the country? Or does this mean that job hunters will be weighed down by multiple vacancies? The answer, of course, is never that simple, and we wanted to give you a breakdown of the trends we see when hiring staff in the cyber industry.
We would like to share three key findings:
1) Technical roles are where you’ll struggle to recruit
There are many markets and sub-markets within the cyber security market. What this means is that certain skillsets are more niche than others, and it is in these that the shortage will be much more noticeable. We have typically found that, whilst it’s very hard to “pigeonhole”, the roles will fall into the following areas:
- Information Security Leadership - CISO/ Heads of Information Security
- Security Operations/ Engineering
- Application Security
- Penetration Testing
- Governance, Risk & Compliance
- Threat Intelligence/ Threat Hunting
- Security Architecture
What we have found is that for heavily technical roles – application security, security engineering and penetration testing – it is far harder to identify suitable candidates than it is for more “hands off”, managerial roles. Although adverts are only one way of attracting candidates, they can be used as a barometer for the marketplace. One of our recent adverts for an Information Security Manager generated nearly 500 applicants, whilst an advert for an Applications Security Engineer generated only 5 responses in the same period. There are a few reasons to explain this. With a technical skillset there are likely to be narrower criteria for candidates than in a more generic role. Furthermore, skillsets such as application security are a recent phenomenon, especially outside larger enterprise companies. Security architecture is another area in demand, with approx. 3000 jobs in the UK. The main challenge in this area is finding good permanent candidates, as it is a skillset that companies have historically used contractors for. Whilst the trend is now towards hiring permanent staff, it remains challenging due to the smaller number of candidates with a solid permanent work history.
2) Business and Technical skillsets must go hand in hand
Security is a different skillset to recruit for your business than most other technical roles. There is often a lot of debate as to whether security should sit within the business or the IT department. IT/technology is typically about delivery into the business, be it from a technical infrastructure or applications point of view, and if delivered right, will save the business money. Security at face value will cost the business money, but the threats of getting it wrong far outweigh the costs of “doing it on the cheap”. As security is a business-facing role, it’s essential that all security staff, from people in “non-technical” governance roles to those in heavily technical engineering roles, understand the landscape they operate in from a business as well as a technical basis. People in governance roles will typically have a technical background, meaning that whilst they are no longer “hands on” they are able to understand the technical environment they operate in from a threat and solutions perspective. Candidates in more technical roles, meanwhile, must understand the unique threats facing their business and have a good grasp of the legislative, industry and business issues of the company they are trying to protect. Third-party supplier management and management of external resources is a typical part of many security roles, meaning good communication skills are paramount.
3) Immaturity gives opportunities and threats
There has clearly been a huge increase in cyber security vacancies (6% in 2018 alone) over the past five years. There are many reasons behind this, from the number of businesses moving to the cloud and looking to protect themselves, and a large number of high-profile data breaches, through to increased security issues from businesses becoming more reliant on on-line trade (e.g. OWASP Top 10). Security, once a niche role within the IT landscape, has now become one of the biggest buzzwords in the industry. This has presented many challenges, and we are often surprised at large enterprise companies recruiting their first IT security person in a “greenfield role”. This can be a superb opportunity for the candidate, but also a threat if their new employer is not willing to invest in the relevant resources to help their new hire protect the business. Whilst we are not seeing huge teams, we are seeing sensible companies recruiting people into specialist roles such as architecture, infrastructure or applications security engineering rather than employing all-rounders with no real specialisation.