Global demand for cyber security experts is forecast to outstrip supply by a third before the end of the decade, with companies struggling against what one senior industry figure has called the “largest human capital shortage in the world”.
(ISC)2, the security certification and industry body, predicts that companies and public sector organizations will need 6m security professionals by 2019 but only 4.5m will have the necessary qualifications.
Data from a range of security companies, recruiters and professional services groups show the extent of the problem company’s face as governments prepare new regulation forcing them to improve their cyber defenses.
The UK announced this week that it would increase spending on cyber security to £1.9bn by 2020. This will include opening a National Cyber Centre and Institute for Coding, as well as improving the level of teaching of cyber skills at schools.
Although budgets have increased, Tom Kellermann at Trend Micro, the cyber security company, says throwing money at security teams can only achieve so much.
“Even if we get authority in the budget to hire, where the hell are we going to find them?” he says, adding that his teams have dozens of openings, but “it’s very difficult to find the appropriate talent”.
Only 103,000 people worldwide, including about 68,000 in the US, hold a CISSP, one of the main cyber security certifications. But there were almost 50,000 job openings for CISSP-certified workers in the US in 2014 alone, according to recruitment analysts Burning Glass.
Competition is so fierce in the sector that security professionals on LinkedIn moved jobs more than twice as often as average workers in the year to April 2015.
According to Burning Glass, job postings in the US took 14 per cent longer to fill than the average for all jobs, making cyber security more difficult to recruit for than data science, advanced manufacturing and petroleum engineering.
The company says one of the challenges is that it is not enough for staff to understand the technology alone, a concern shared by Mark Brown, UK and Ireland executive director of cyber security and resilience at EY, the professional services company. “You need people who know the technology but can also speak the language of the boardroom, and translate tech talk into understanding for the C-suite,” he says.
Mr Brown adds that there is already “virtually 0 per cent unemployment” in the industry, but the shortage is only set to get worse.
(ISC)2 expects demand for security professionals to increase 10.8 per cent a year between 2014 and 2019, while supply will increase 5.6 per cent a year.
The shortage means security is a candidate’s market. Attendees at hacker events such as Black Hat, which held its European conference last week, are increasingly sought after by corporates.
Even sports brand Nike has hosted Black Hat after-parties for the past two years, a sign of the attention all types of companies are paying to security issues.
Businesses are employing a number of methods to attract cyber security staff. Researchers are well-paid and often allowed to work from home and research what they want, but Mr Kellermann says many of the most talented potential employees have no interest in taking a corporate job.
“They don’t want bosses, they don’t want to report to anyone, they don’t need structure. Sixty per cent of the people out there don’t necessarily want to work for a corporation, they just want to use their skills,” he says.
Some programmers have tried to attract former “black hats” — those who illegally hack companies and individuals for personal gain — to “ethical” hacking positions where they can help businesses identify potential problems.
But Mr Kellermann said low prosecution rates mean there is little incentive for hackers outside of Western Europe and the US to move to legitimate employment.
In the UK, salaries have increased up to 10 per cent year on year for security staff, and 16 per cent for consultants, but Chadi Malak, practice manager at specialist recruiters IQ InfoSec, says experts are “consistently undervalued”.
IQ InfoSec is widening the scope of candidates it considers for retraining for security jobs, but Mr Malak believes “we won’t have sufficient talent supply until there is school level introduction to security”.
Haroon Meer, founder of applied research company Thinkst, says companies will have to change the way they approach security. Last week researchers at Black Hat revealed new ways for criminals to manipulate oil stocks, break into offices or access millions of user records held in phone apps.
But Mr Meer says “the simple truth is that most of the high-profile breaches that we have seen in the last while have not been because of great attacker sophistication”.
He says companies should “realize that completely preventing a breach is a fool’s errand”.
He adds: “Telling the board ‘we will be compromised’ is not particularly inspiring, but it’s increasingly clear that the alternative path is a flawed one.”