Implementing a cyber-security strategy isn’t easy. If it was, the world would be a lot more secure!
Unfortunately, the reality is that many organisations struggle to put their plans into practice.
But there is hope. Your business has a plan, a blueprint to make itself more secure.
This is the second piece in a series of articles looking at the challenges of effective strategic implementation. It is accompanied by a free downloadable guide full of actionable steps, the link for which you can find at the end of this article.
Both the series and the guide draw on the experience of Chameleon Cyber Consultants’ Mo Ahddoud, who has honed his expertise in cyber-security for 25 years.
In the first piece, we looked at common implementation mistakes that organisations make with their cyber-security strategy. Now we’ll look in more detail at an industry-specific challenge that plays a large part in one of those mistakes: namely that organisations lack the right in-house resources because of a global shortage of cyber-security professionals.
Is there a cyber-security skills shortage?
In short, yes. There are at least tens of thousands of jobs available in the UK cyber skills sector, with the gap between job availability and jobs being filled continuing to grow.
Despite a general trend showing workforce shortages, recruiting cyber-security employees into your organisation is uniquely challenging. Younger generations lack knowledge about and interest in the sector, leading to lower recruitment of graduates than in other industries.
On top of recruitment challenges, only 29% of employees in cyber-security consider themselves to be very satisfied with their job. This is considerably lower than the average across all sectors, leading to a high number of resignations and going some way to explaining the shortage.
The scarcest skills in the cyber-security industry
With fewer workers trained in cyber-security, it can be challenging to find employees with the necessary skillset to protect your company from intrusion.
A 2022 Ipsos report into the UK cyber-security sector found that companies are struggling to fill a variety of roles, including analysts and testers.
Analysts are among the most common in-demand roles, while penetration testers were the most common specialist role facing shortages. Crucially, these roles serve a wide range of organisations—many smaller businesses won’t have any need to hire software developers, but every company will want to make sure they are as secure as possible.
Even then, I’d say 9 times out of 10 for the businesses we work with, it isn’t worth them hiring someone full-time. What would most benefit them is having access to the right level of expertise when they need it.
This isn’t just in skilled technical roles either. Leadership positions are among the generalist roles that over half of businesses have found it difficult to fill. The skills these businesses lack are often around developing and implementing strategies, integrating technology, and establishing effective business-as-usual activities.
How the cyber-security skills shortage affects your business
Security breaches are becoming more common, with smaller businesses increasingly finding themselves as the target of cyber-attackers.
The skills shortage in the industry means that organisations who lack the right cyber resources find it difficult to secure their perimeter and are underprepared for recovering from a breach.
If you can find the right people, those employees with the necessary training and skills expect higher salaries, putting them in a stronger position to negotiate their pay. Workers in the cyber-security sector earn twice as much as the average wage across other sectors.
When combined with the costs of enlisting a recruitment agency, hiring cyber-security staff on a full-time basis puts a significant dent in your budget. This is why many businesses are turning to outsourcing models that allow them access to the right expertise as needed.
What’s being done to tackle the cyber-security skills shortage?
77% of businesses identify cyber-security as being a high priority issue—and for good reason. Despite a challenging outlook, there are initiatives aiming to combat the scarcity of skilled cyber-security professionals.
Microsoft is addressing the cyber-security skills shortage by helping more women join the industry. Identifying that only 17% of cyber-security workers are female, Microsoft has created a partnership to recruit and train more women.
Meanwhile, EY is meeting their cyber-security needs by partnering with colleges and universities to attract younger generations with the desired qualifications and skills. Educational partners could provide a stream of recruitable graduates, helping to tackle the skills shortage in your business as well.
The UK Government has partnered with cyber-security firm the SANS Institute to develop an upskilling programme, identifying that it is cheaper for companies to promote from within than hire externally. Through such programmes, IT staff are being equipped with cyber-security skills—avoiding loss of talent and securing higher retention rates.
Despite the shortages, there are solutions
The initiatives above are a sign that organisations are working to address the lack of expertise in the industry. While your business may not be able to cherry-pick the very best security personnel for every vacant role, by understanding what skills are most in demand, and where your needs lie, you can prioritise filling the most important positions.
Typically, if you’re looking to spearhead a significant implementation, these roles will be towards the top of your organisation. Outsourcing is growing in popularity as a solution, particularly for senior roles.
We expect this trend to continue. Allowing businesses to invest only in the expertise they need, rather than hiring someone without a clear idea of the workload that role would have, helps keep costs down.
Recruiting for leadership positions can be especially difficult, but finding the right security partner can give your organisation a fresh external perspective as well as a flexible pricing model.
This is why we felt our CISO-on-demand offering could help businesses by providing experienced leadership without the costs of recruiting and retaining such a senior position on a full-time basis.
We’ll cover prioritising the right roles in our next article, and until then, you can check out our free actionable guide of further practical steps to enhance your business’s security today.