The average salary paid to global and UK security professionals reached nearly $100,000 a year (£63,000) in 2014, driven largely by an acute shortage of candidates with the right qualifications, the latest biennial study by certification body (ISC)2 has found.
The previous Global Information Security Workforce study in 2013 spotted a reluctance to pay for security skills in many organisations, but two years on the problem appears to have shifted to availability, with 45 percent globally (43 percent in the UK) citing this as a significant problem.
In the UK, the end result is that many organisations report being under-staffed, with one in five believing this would stretch their response to cyber-attacks and breaches to as much as eight days, well beyond the 24-48 hour reporting requirement that will be part of the EU’s forthcoming General Data Protection Regulation (GDPR).
In the short term, the likely outcome is that more firms turn to outsourcing or the use of managed security services, with between 20 percent and a third in the UK planning this in some form. Outsourcing is supposed to be about lowering costs, but 41 percent mentioned not having in-house skills as the main motivation for taking this approach.
A deeper question is why the UK – indeed the world – never seems to have enough security people.
Concerns over workforce numbers are nothing new; indeed, the lack of cybersecurity skills has become an obsession for the British Government, which has launched a patchwork of training initiatives to try and boost the industry, mostly from a national security standpoint.
The survey hints at some of the causes, including the astonishing fact that 94 percent of the nearly 14,000 respondents worldwide were male. The lack of women in security is often seen as evidence of exclusion, but whatever the reason, it means that organisations are effectively hiring from only half of the available talent pool.
In the UK, security pros are also predominantly middle-aged, which (ISC)2’s managing director Dr Adrian Davis believes suggests that there simply haven’t been enough people entering the profession in the UK in the last 20 years. The result is a professional demographic full of experienced people but lacking younger and possibly cheaper candidates.
“We have noticed that the average age is rising both globally and in the UK. The average age is in the 40s now,” said Davis to Computerworld UK. Only five percent of the UK security workforce was under 30, something he blames on a lack of entry-level jobs. Security seems to be stuck in a mode in which only highly-skilled workers are getting a foot in the door, something that risks creating a professional barrier at a time when more people are needed.
“You can’t just grab someone off the street and turn them into an infosec professional overnight. There is a set of skills and knowledge they have to gain through education and practice,” said Davis.
“There are very few 16-year-olds that know that there is a career in information security. We are not capturing people’s attention early enough.”
In 2014, one in five security professionals changed jobs, the highest churn rate (ISC)2 has seen in the three surveys it has done since its inaugural report in 2011.
Another theme picked up by (ISC)2 is the effect of technology sprawl on security, with 32 percent of respondents globally saying they thought threats were now evolving faster than vendors could improve their products. Other factors included M&A, decentralised purchasing, and even vendors selling standalone products that added to management overhead.
Sprawl and complexity have been a theme for years, but it is interesting that security professionals still cite it when considering the security of their organisation – 62 percent said they believed the issue reduced security efficiency.
The result is that 39 percent said they’d like to reduce the number of vendors they use, with about the same number wanting to avoid new products until the current ones were retired.
Of course, this aspiration sits uneasily with the bloom of innovation among young security startups trying to make up for deficits created by an older generation of technology. That innovation also tends to increase the number of vendors in use rather than reduce it.
Longer term, the solution to sprawl might end up being security services – outsource the technology, management and upgrading problem to a specialist firm.
“As with any severe drought, we have to admit that it will not rain soon, and we will not be flooded with skilled security staff in the foreseeable future,” said cybercrime manager Martin Lee of security firm Alert Logic, commenting on the results.
One logical response to the shortage would be a growth in managed services.
“The managed services model where skilled staff are aggregated together and shared across many different companies is the best use of a scarce resource,” he claimed.
(ISC)2, the world's largest not-for-profit infosec professional body, covers this and other issues in its regular Computerworld blog, Infosecurity Voice.