19 Apr 2021

Cyber security – observations of the skills market

Guest Blog: Trends in the cyber security market by Sonja Townsend from Experis as part of our #Cyber2021 Week.

Cyber security has long been an underinvested and misunderstood niche within IT – often an ‘add-on’ to those who have been hired for other remits. Even those who consider themselves cyber experts often struggle to grasp the full range of skills required to really own the discipline, as it’s been a fuzzy area since its inception.

This issue isn’t aided by the fact that those who are recruiting to fill gaps in this area – which are plentiful and critical to organisational continuity and success – often don’t really know exactly how to articulate the skills and competencies that they need.

While this was a challenge even before Covid-19, the pandemic has brought the issue into sharp focus: as remote working became the norm, most weren’t prepared for this immediate shift. The pre-Covid skills gap and shortage was compounded by a sudden move to the Cloud and other technologies, which offered huge opportunities to opportunists who knew that attention was being diverted to business continuity.

As such, the need for cyber professionals has never been greater: understandably, many organisations compromised on security and risk assessments that they would normally have insisted upon, given more time and less pressing priorities. Now, threats are on the rise and they are getting more creative, so customers and employees are increasingly vulnerable.

Observed trends in the market

As leading recruiters in this discipline, we can’t underestimate the growth and maturity we are seeing within cybersecurity: we have the jobs, but we need the people and the right expertise – and that is not necessarily available. In short, it’s a candidate market, but those candidates need the right skills and attitude to succeed. Cyber is taking centre stage and evolving as a more sophisticated and strategic function for organisations.

Recent drivers for the huge demand in cyber – many of which existed pre-Covid – include:

  • Replacing or migrating end-of-life firewall and related technology that is unsupported – for instance, Cisco and Check Point
  • Installing or strengthening data loss prevention and PUAM (for bigger companies and banks)
  • Greater need for alerting technology and instant messaging for security events
  • Governance process and policy expertise gaps to complement technical skills
  • The growing need for social engineering expertise to educate users to recognise phishing and other tactics, which can be very subtle and sophisticated
  • Security vendor consolidation: the majority of IT organisations plan to consolidate vendors over the next 3 years (overall simplification)
  • Rebooting policies and tools to make them suitable for the remote workspace. This also includes the continued transfer to cloud security, as around half of organisations plan to work remotely post-pandemic

There has been a corporate migration to gain ISO 27001 certification over the past 18 months too, as it is quickly becoming the minimum standard. Bigger companies and regulated sectors in particular are recognising the value of this security standard – including integration with GDPR – in giving their customers confidence.

We have seen a growing focus on supply chain cyber security risks with our current clients and expect this to continue to grow. Suppliers supporting many enterprises are a common source of distinctive vulnerabilities that may incur damages associated with disruption and their potential impact on the workforce of both the suppliers and the enterprise. In response, Experis has incorporated a Supply Chain Cyber Solution, enabling clients to measure and secure their supply environment.

Finally, we’ve seen organisations moving to consolidated technology security, making the vital step of analysing and understanding their environment, people and governance structure before layering the technology components on top.

Forecasts and predictions in the cyber market

With SMEs playing catch up to boost their in-house teams which have been largely understaffed, there are challenges because there is a substantial skills shortage: most contractors are in work, and permanent employees tend to already be in good, well-paid roles. Pre-Covid, there was already a need for 150% more cybersecurity experts, and the need has grown substantially over the last year.

To overcome the high remuneration that cyber professionals are demanding – along with the challenges of finding talent – many companies are now establishing or growing their in-house cyber teams. They are increasingly looking at training up their existing staff: it’s not only cheaper, but also develops more ‘business-centric’ expertise.

Newer, richer roles are emerging in cyber, with a shift toward people who are not only technical but who can also be put in front of clients and report directly to management. The consultative and forward-thinking approach is becoming more important as cyber becomes more ‘centre-stage’ – companies are moving away from experts who are hidden away, as they have a lot of value to offer, which is being recognised at last.

Security is not a state that can be achieved; it’s a state of continuous change.

Our clients are increasingly looking for cyber professionals who have a real world, user-focused approach, rather than one based on textbooks. They need people who really understand the potential impact of cybersecurity threats on their business and users – not only now, but in the future, and in many potential scenarios.

Specific skills and competencies that we see anticipated demand for include:

  • Risk identification and management
  • Technical fundamentals
  • Data management and analysis
  • DevSecOps, which introduces security earlier in the life cycle of application development
  • Cloud, automation and threat-hunting

To complement these skills, interpersonal skills, business acumen and agility will grow even more important. The employment landscape will favour those who can explain the value of their work to clients and senior managers directly.

How to stay relevant in the market

Our clients are looking for engaged experts who continually examine and challenge their environment, constantly learning and evolving. To make sure you stand out:

  • Share and shout about your successes: what problems did you encounter and how did you approach them? Get involved in blogs, LinkedIn groups, professional groups, post your code on GitHub…make yourself known to professionals in your discipline.
  • Showcase your ‘soft skills’ – these are increasingly important as cyber professionals are respected for their role in business continuity and commercial success.
  • Self-development is key, so continue training and learning on the job, and make sure to recertify in the major CISM / CISP / Cisco

The landscape has changed, so it’s not enough now to just be good at your core discipline. Make sure you are showing the range of competencies you can offer beyond your technical skills. It’s time to be proud of what you can do, as it’s now more valuable than ever.

Experis is the global leader in professional IT and resourcing solutions, operating in more than 50 countries worldwide. As true market specialists, our recruitment consultants are technically, vertically and geographically aligned, placing skilled digital professionals into permanent and contract assignments. For more information and to search current Cyber jobs, visit www.experis.co.uk.

Dan Patefield

Head of Cyber and National Security, techUK

Jill Broom

Programme Manager, Cyber Security, techUK

Annie Collings

Programme Manager, Cyber Security and Central Government, techUK

Raya Tsolova

Programme Manager, techUK

Tracy Modha

Team Assistant - Markets, techUK