What is the GISWS?
Since its first release in 2004, the biennial (ISC)²® Global Information Security Workforce Study (GISWS) has been gauging the opinions of information security professionals and, in turn, providing detailed insights into the important trends and opportunities within this increasingly crucial profession.
This year, the study conducted its largest-ever global survey of cybersecurity professionals, with over 19,000 individuals taking part (3,694 of whom were from Europe). This allowed it to build an even clearer and more complete profile of the information security workforce, with a stronger understanding of areas and issues such as pay scales, skills gaps, training requirements, corporate hiring practices, security budgets and career progression. Additionally, the study explored corporate attitudes towards information security, presenting a useful and reflective reference for governments, corporations, hiring managers, as well as information security professionals themselves.
The latest release from GISWS and what this means in Europe
This month sees the third release of data from the Global Information Security Workforce Study 2017: Benchmarking Workforce Capacity and Response to Cyber Risk, which was conducted by Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)², Booz Allen Hamilton and Alta Associates, and offers a deeper exploration of the growing cybersecurity skills gap.
The report revealed a number of interesting findings, including a predicted cybersecurity skills gap for Europe of 350,000 (globally 1.8 million) by 2022, resulting in European organisations planning their fastest rate of cybersecurity hiring in the world – with 38% of surveyed hiring managers in the region admitting they intend to grow their workforce by at least 15% in the coming year. This is despite the fact that two-thirds of organisations have also stated that they currently have too few cybersecurity workers.
While there are strong recruitment targets, a shortage of talent and disincentives to invest in training are contributing to this skills shortage, with 70% of employers around the globe already looking to increase the size of their cybersecurity staff this year.
This demand is set against a broad range of security concerns which continue to develop at pace, with the threat of data exposure clearly identified as today’s top security concern amongst professionals around the world. Concern over data exposure reflects the advent of new regulations aimed at enhancing data protection around the world, including Europe’s General Data Protection Regulation to be in force by May 2018.
This month’s report illustrates a revolving door of scarce, highly paid workers amidst a virtually non-existent unemployment rate of just 1% in Europe. While organisations struggle to retain their staff – 21% of the global workforce stated they had left their jobs in the past year – they are also facing high salary costs, with 33% of the workforce in Europe, in particular, making over $100,000 USD / EUR €95,000 / GBP £78,000 per year.
“The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries and high staff turnover that only increases among younger generations creates both a disincentive to invest in training and development and a conundrum for prospective employers: how to hire and retain talent in such an environment?” states the report.
Recruitment and professional development strategies must change
The lack of professionals entering the industry has a two-fold impact on the profile of the workforce. Not only is it not increasing at a rate fast enough to fill the necessary roles, it has also led to a greying workforce, with just 12% of workers under 35, and 53% over 45. The profession faces a looming skills cliff edge, with the majority of workers getting closer to retirement and companies failing to recruit long-term replacements.
The recommendations in this release suggest that organisations need to adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that show that workers with non-computing related backgrounds account for nearly a fifth of the current workforce in Europe, and that they hold positions at every level of practice, with 63% at manager level or above.
As the fastest growing demographic, millennials will be critical to filling this employment gap, but attitudes must change in order to entice valuable candidates. Recruiters are currently not hiring enough recent university graduates, instead opting for those with more prior experience – 93% of respondents indicated that this is an important factor when making their hiring decisions.
Yet, employers could be doing much more to attract and retain younger people. The study found that millennials value organisation training as well as mentorship and leadership programmes. As a demographic that holds personal development in such high regard, businesses need to be catering to these needs to attract vital young talent.
Undoubtedly, there is a real mismatch between the skills recruiters are looking for and workers’ priorities for developing a successful career, suggesting skill sets may not be keeping pace with requirements. Currently, the top two skills workers are prioritising are cloud computing and security (60%) and risk assessment and management (41%), while employers prioritise looking for communication (66%) and analytical skills (59%). Only 25% and 20% of workers are prioritising communication and analytical skills respectively.
Improving gender diversity
In addition to the widening skills gap, diversity within the workforce remains low. The study also revealed that women form just 7% of the workforce in Europe, a level that has remained virtually unchanged since 2004. There are also signs of a rampant gender pay gap, with male professionals in Europe earning £9,100 more on average than their female counterparts. This is despite Europe’s female cybersecurity professionals tending to be better educated, with a higher proportion of them occupying managerial positions. In the UK for example, 50% of female cybersecurity professionals hold postgraduate degrees, compared to just 37% of men, with 64% of women in managerial positions compared to 57% of men.
A workplace where women are both paid less and more likely to be subject to discrimination can make it harder to promote such a profession to women. The lack of women also creates a self-perpetuating cycle with few established female role models to encourage the new generation.
But there are clear steps that can be taken to attract more women into cyber, and at the same time address the growing need for more staff. Much like with millennials, employers need to create inclusive workplaces that support and value women, via sponsorship and mentorship programmes that tie to the success and satisfaction of women at all levels. Equally important, organisations must end pay inequity, and also draw from a wider set of backgrounds and degrees, including humanities and arts degrees, where there tend to be higher proportions of females.
Fundamentally, this is no longer just an issue of increasing workforce diversity, but an issue of economic and national security. The cybersecurity skills gap is growing wider every time the workforce is surveyed, and governments across the world are recognising that cyberattacks are critical national vulnerabilities. Attracting more millennials and women into the industry would not only significantly help reduce this shortfall in skills but, by diversifying the workforce, would also provide the necessary basis for a safer world, especially in today’s increasingly plugged-in society.