Cybersecurity engineers and analysts have been identified as being on the Shortage Occupation List (SOL), in the first full review of officially recognized careers where the shortages “are most severe and where the consequences of those shortages are most serious” since February 2013.
According to the UK Government’s Migration Advisory Committee (MAC), “job shortages in roles such as cybersecurity analysts/engineers and IT network engineers” are now recognized, while the “occupation as a whole ranked highly in our shortage indicators and had an above average vacancy rate.”
In the previous partial update, published in 2015, the job “cybersecurity specialist” was added under the section “information technology and communications professionals not elsewhere classified.” Then, the shortage related to “a person with a minimum of five years’ relevant experience and demonstrable experience of having led a team.”
Since the 2015 partial update, while the need for more skilled cybersecurity professionals remains in this list, it now states “there will be no minimum experience requirement as applying an experience caveat could hinder the development of cybersecurity at all levels.”
This change in requirement follows criticism of hiring practices, where five to 10 years experience is common and cited as a deterrent to new applicants.
In an email to Infosecurity, Ed Williams, director EMEA of SpiderLabs at Trustwave, said: “The security industry is to blame to some degree, there is very much a gatekeeper philosophy, which is starting to be broken down, but not nearly quick enough from my perspective. This industry is so fast paced and exciting, we should be pulling in the brightest and best – these don’t have to come from Computer Science backgrounds.”
The MAC stated the impact of the skills shortage on cybersecurity development, saying that there have been reported delays to “software improvements and features as they do not have the labor or expertise to fulfil demand” and this has led to “an increasing reliance on workers from outside the UK and there is a growing concern surrounding the future skills base for roles within new technical areas.”
The MAC cited “several sources amongst Government and the private sector” who agreed that there is a shortage of digital skills within the UK, evidenced by consistent vacancies in digital occupations, growth in demand for digital skills as well as documented deficiencies across the population in terms of digital skill. However, the MAC acknowledged that “there is not enough domestic supply of sufficiently skilled labor to fill this demand.”
According to Deloitte’s Digital Disruption Index for 2019, only 18% of respondents believe that UK school leavers and graduates have the right digital skills, while only 25% of digital leaders in the UK believe their workforce has sufficient knowledge and expertise to execute their digital strategy.
In the section ‘Digital and IT Occupations,’ careers as IT specialist managers, IT project and programme managers, IT business analysts, architects and systems designers, programmers and software development professionals, web design and development professionals and information technology and telecommunications professionals were listed as being in shortage. Cybersecurity careers appeared under section SOC 2139 – information technology and telecommunications professionals.
The MAC said that “short-term mitigations have helped to fill shortages to some extent, but this has had limited impact as the skills required simply are not available.”
As well as short-term mitigations, the MAC said that long-term strategies also have their limitations; as up-skilling staff “is constrained by the lack of expertise in cybersecurity and secondly, these strategies are yet to mature, and so the scale of their impacts cannot truly be assessed until the future.”
As part of the UK’s Digital Strategy, it stated that “there will be even greater demand for people with specialist digital skills” as the digital economy grows.
“As we leave the European Union, it will be even more important to ensure that we continue to develop our home-grown talent, up-skill our workforce and develop the specialist digital skills needed to maintain our world leading digital sector,” then Secretary of State for Culture, Media and Sport Karen Bradley MP stated.
She acknowledged then that “a strong pipeline of specialist skills – from coding to cyber” was needed, and initiatives like the NCSC’s Cyberfirst have enabled that. However, a more immediate solution is needed until the next generation begin work.
To be placed on the SOL, a job must meet three requirements:
- Skilled (are the jobs skilled to the required level?)
- Shortage (is the job in shortage?)
- Sensible (is it sensible to try to fill those shortages through migration?)
According to the Migration Advisory Committee, being on the SOL conveys certain advantages:
- Not having to conduct a Resident Labour Market Test (RLMT)
- Exemption from the £35,000 minimum income threshold for settlement
- Priority in the event that the cap binds
In the last Cybersecurity Workforce Study from (ISC)2, it claimed that there is a 2.9 million workforce “gap,” with the APAC region suffering the biggest shortfall of 2.14 million, followed by North America (498,000), EMEA (142,000) and Latin America (136,000).