back to article Hand in your notice – by 2022 there'll be 350,000 cybersecurity vacancies

The General Data Protection Regulation (GDPR) will force European organisations to expand their cyber workforce, causing demand to outstrip the supply of expertise. Two in five governments and companies will expand their cybersecurity divisions by more than 15 per cent in the next 12 months, according to a survey by the …

  1. WibbleMe

    So thats 350K white hats and by night... how many black hats humm?

  2. Anonymous Coward
    Anonymous Coward

    They'll just outsource it to India and what could possibly go wrong, Dido ?

    1. Anonymous Coward
      Anonymous Coward

      Outsourced to India

      Exactly my thoughts.

      These days, no boss will think of emplying people here. According to the IT Business world, it can all be done in India at half the price, to a higher standard and in half the time.

      In reality, only one of the above is even remotely true.

      But by the time the PHB's realise this, all the people with the skills will have retired, on the dole or are thoughly sick of training up their 'nodding donkey' Indian replacement.

      Been there, done that and now I'm more interested in my Allotment than firewalls, penetration testing and the like.

      1. Tom Paine Silver badge
        FAIL

        Re: Outsourced to India

        These days, no boss will think of emplying people here.

        Why, then, is unemployment is lower than it's been since the early 1970s and employment at an all time record high?

        Just for S&G I typed "IT security" into Jobserve just now:

        9,909 jobs for IT security

        http://www.jobserve.com/gb/en/JobSearch.aspx?shid=9CC35AE07E68E9A9F5

        1. Long John Brass Silver badge
          Pint

          Re: Outsourced to India

          9,909 jobs for IT security

          And out of that

          990 that don't ask for 10 years experience in a 5 year old technology

          99 that actually want to pay anything near market rate

          9 that are within 100km of where I live

          -9 that EXACTLY match my skill set (Oh you don't have experience with foo v9.0 sorry foo v1.0 thru v8.9 doesn't count

          Pint Icon: As we all need some(lots) libations to clear the palete after dealing with HR/Recruiting muppets

      2. Trigonoceps occipitalis

        Re: Outsourced to India

        Its like the engineering trinity: on time - on budget - on spec - pick two out of three.

        In this case: resilient, secure, cheap.

        1. Anonymous Coward
          Anonymous Coward

          Re: Outsourced to India

          "resilient, secure, cheap."

          Except, I don't think you're allowed to pick two. I'm not even sure you're allowed to pick one most of the time.

    2. Anonymous Coward
      Anonymous Coward

      re: Outsourced to India

      the problem is (not will be) that all that outsourcing has now driven wages and expectations *up*. To the extent that a lot of Indian outfits are slowly sliding their prices up. Which against the fall (and yet to fall) Sterling rate is starting to make those deals look a tad expensive.

      It's ironic, really, as it's the trickle-down economics so beloved of the free-marketeers in action.

      There is also an additional fly in the ointment that some skills simply can't be offshored, as no one in their right minds in Kolkatta is going to study 1970s COBOL.

  3. Anonymous Coward
    Unhappy

    Reality check

    Cloud Cuckoo Land

    "In order to manage the skills gap, (ISC)2 is calling on employers to do more to embrace newcomers and a changing workforce ahead of the adoption of GDPR, which comes into force next May. Training and a willingness to hire promising people from outside the existing cybersecurity workforce will be crucial."

    Real world

    "In order to manage the skills gap,companies will need "restructure" the current workforce, outsource to cheaper locations and not bother to invest in current staff."

  4. Anonymous Coward
    Anonymous Coward

    350K more jobs in India most of them filled by dead souls (as per Gogol).

    Why should I care?

    Disclaimer - I quite happily abandoned infosec as a field in 1999. I never regretted it.

    By the way, before honing your CV double-check if you have a Russian grandma, know a Russian grandma or have inadvertently breathed in some Russian grandma fart at some point. If you have - you are not getting the job in this climate (*). You are hereby disqualified on grounds of national security as you obviously have a red under your bed.

    (*)While it is OK for the royal family to have an occasional Russian relative, for the proles it is not

    1. Korev Silver badge
      Big Brother

      I guess that being POTUS Trumps those concerns

    2. phuzz Silver badge
      Trollface

      "I quite happily abandoned infosec as a field in 1999"

      Always good to have an up to date point of view, thanks.

      Fortunately IT is such a slow moving field that there's no chance of anything changing in almost twenty years.

      1. Dan 55 Silver badge

        Apart from the training. There's always less training.

  5. Velv Silver badge
    Alert

    So "there's going to be massive number of jobs in the arena we just happen to cell certification in", says report

    1. M7S
      Headmaster

      "cell certification"

      Would that be infosec as provided by one Manning, late of the U.S. Military?

  6. Christian Berger Silver badge

    I'm sorry, but at least in Germany...

    ... where we already have such mandatory rules, the job of the "Datenschutzbeauftragter" typically isn't staffed by someone particularly adept with technology. It's more a compliance type of position. You make sure you have an overview about what kinds of data are stored and when they are supposed to be deleted.

    It's not an infosec position.

    1. Doctor Syntax Silver badge

      Re: I'm sorry, but at least in Germany...

      "You make sure you have an overview about what kinds of data are stored and when they are supposed to be deleted."

      In the UK you'd need to supplement that with making sure data are actually deleted according to schedule (will this finally bring the DNA and ANPR data to heel?) and making sure marketing don't spaff customer lists to their chums in spamming businesses.

  7. Anonymous Coward
    Anonymous Coward

    17 months to retirement

    BUT

    WHO'S

    COUNTING

    16.9999999

    16.9999998

    16.9999997

    1. Dan 55 Silver badge

      Re: 17 months to retirement

      Change to long double and the digits will fly by.

      16.999999645342391029940312.

  8. Whitter
    WTF?

    £87,000+ ???

    "Demand is driving record salaries with 39 per cent of UK cyber workers commanding annual salaries of more than £87,000"

    Really? I only know a handful of "cyber" people earning anything remotely close. Job ads (or agency phone calls) almost never have anything breaking £50k.

    1. Dr Who

      Re: £87,000+ ???

      Ah but do you have the right skill set? Communicating risk to the board is an essential part of the job.

      If the phrases "gotta have the right hashtags" and "security depends on removing the scourge of end-to-end encryption" do not sound right to you, and if "pen testing" for you does not involve vigorously scribbling with your BIC biro then you're never going to earn £87K I'm afraid.

    2. Anonymous Coward
      Anonymous Coward

      Re: £87,000+ ???

      Depends on demand in your local area.. but it is possible, but you have to be willing to move or travel.

      15 months ago, I earned a conformable £55k pa managing an IT team in Hampshire, then got made redudant. 5 months ago I earned £65k managing an IT team in London. Now I earn £85k as a Security Administrator in the City, no management responsibility and I get a decent work life balance (purely because they know if they treat me like a bitch, I can walk next door straight into a new job) .. so it is possible, you just have to look.

      A/C to protect innocence.

      1. Dave 15

        Re: £87,000+ ???

        85k in London vs 55k next door... with the excessive commuter fare and the extra 3 hours a day travelling.. not enough by a long stretch

        And still not the 87k the report claims

        I agree with the posters that say ...

        a) if you don't have exactly the right experience you won't be considered (even though government ministers can go from managing hospitals to managing defence etc. and CEOs can go from crashing banks to running chemist shops).

        b) Companies just dont pay, which is why people aren't interested in doing engineering jobs of any description, 50k pa? yup, sounds good but then look at what it costs you (home near work in the expensive areas of the country... Cambridge, Reading, London, degree, suit, car, travel) and compare that with sitting at home all day watching tv and playing on your xbox in Cumbria on the dole with housing paid for ... suddenly doesn't look so good

        c) Training... just a joke, companies never have and never will in this country, they just dont have the foresight

        d) Outsourcing... yup, the answer to all 3 of the above, despite the continual failures of the idea (BA latest example whatever they claim... a pound to a pinch of the proverbial it was a bodged software upgrade)

        1. This post has been deleted by its author

  9. FuzzyWuzzys Silver badge
    FAIL

    "It is particularly concerning that employers appear reluctant to invest in their workforce and are unwilling to hire less experienced candidates. If we cannot be prepared to develop new talent, we will lose our ability to protect the economy and society."

    Welcome to an IT career in the 21st Century! I well remember when my career started back in the late 1980's they couldn't throw enough training at you, pushed from course to course all the time. Roll forward 30 years and I haven't seen the inside of training room in 10 years, when I want to learn something these days I'm expected to do it off my own bat in my own time.

    1. Anonymous Coward
      Anonymous Coward

      Those were the days when UK IT companies often had their own dedicated training centres. New courses were added as products were introduced. In many cases a good techie wrote and delivered the first course. Then a professional lecturer took it over for future delivery.

      Courses were also good for company integration. You had several days socialising with people you hadn't met before. Eating, drinking, sharing rooms, playing squash or croquet, and even early morning swims.

    2. Aqua Marina

      "...are unwilling to hire less experienced candidates"

      I remember in 2002 being told I was unsuitable for a job, because I didn't have 5 years experience in Windows 2000.

      1. Anonymous Coward
        Anonymous Coward

        Years of experience in a new product

        That old thing.

        Yep, A Job advert wanted 5 years of Windows 8.1 two months after it was released. For a laught, I said that I had the experience. I got the interview but the PHB was a complete tosspot.

        The same with SQLserver 2012. Hadn't even been released and adverts were wanting 2 years experience with SQLServer 2012. The Recuitment agencies are idiots.

        Win some, lose some.

  10. Korev Silver badge

    What do they actually do?

    £87k is a huge salary for the UK, what do these jobs actually entail? Our Cybersecurity people mostly seem to run around with Excel sheets of vulnerabilities found in scans and nag the system owner to fix it - an important job but not one that commands a £90k salary. Penetration testing etc is a lot harder, but I can't believe that the UK needs 350k of them.

    Happy to be corrected on my assumptions above...

    1. Tom Paine Silver badge
      Pint

      Re: What do they actually do?

      £87k is a huge salary for the UK

      Not in London and immediate environs, it isn't. Have you seen what rents are like down here? And it's a fiver a pint...

      (Admittedly if you're a dual income household it goes a lot further. But I'm not bitter... much.)

    2. tfewster Silver badge

      Re: What do they actually do?

      You're talking about vulnerability management and auditing there, which involves scanning, pen-testing and interminable meetings about how to fix the problems with 0 resources.

      There's also Incident Response (Long periods of boredom followed by a few hours of frantic activity), Policy and Compliance (that no-one listens to), and Identify and Access Management (The nasty people who make it difficult for techies to do their jobs).

      I do the technical bits for free, as I enjoy that. But I get paid handsomely for the meetings and paperwork.

  11. Anonymous Coward
    Anonymous Coward

    There is no skills gap.

    Its just fucking expensive to certify and there are pointless barriers to entry.

    The CEH for example requires you to attend the course or prove two years experience. Given how easy the cert is these are silly requirements.

    The OSCP takes 6 months and a few thousand to pass.

    The CISSP is largely a management cert and worthless to a hands on practioner or pentester.

    I could go on.

    Theres also the issue of credibility. The CEH for example is the security industry equivalent of banging a fat chick. You'll do it because tje recruiters want it, but you'd be ashamed to tell your mates about it.

    1. Outer mongolian custard monster from outer space (honest)
      Stop

      Re: There is no skills gap.

      OSCP doesn't take 6 months. I'm doing mine next week starting & I will take the exam in a month.

      I'm already CREST certified, I'm doing OSCP next because it appears to be a more internationally accepted qualification and when I have that, I'll be working towards another higher certification with CREST, I think your right in that CEH and CISSP are something people get because they're easy and just keywords for a CV. I for one hope CREST and OSCP certs continue to be hard to get and the value placed on holders of them are priced accordingly.

      The poster going on about lack of training & unwilling to invest on talent inhouse is close to the mark. I worked in security for the past 15 years solid, watched all the people around me get cyber stuck in their titles and fed breadcrumbs of courses and free training & just carried on doing the work quietly. I decided I should take some time off and have a extended holiday as I was starting to burn out and now I hold a number of very fresh shiny new certs I've paid for myself and when I'm all rested and certified I reckon I'll be hungry and sharp for a new role and I'll hit the ground running and make a asset of myself instead of grinding my way through the week like so many people do. So this whole article is good news for me.

      1. Doctor Syntax Silver badge

        Re: There is no skills gap.

        "The poster going on about lack of training & unwilling to invest on talent inhouse is close to the mark."

        This is where freelancing scores. You make your own decisions about training. Clearly it means loss of billable hours as well as fees and travel and accommodation if you don't live near enough to the training centre. But a client unwilling to train up their own staff is going to have to take in a freelancer to fill the skills gap.

    2. Ken Hagan Gold badge

      Re: There is no skills gap.

      "The CEH for example is the security industry equivalent of banging a fat chick. You'll do it because the recruiters want it..."

      Are these recruiters the reason why there are so few women in IT?

      1. TheVogon Silver badge
        Trollface

        Re: There is no skills gap.

        "Are these recruiters the reason why there are so few women in IT?"

        No, that's the fault of bean-to-cup coffee machines

    3. Anonymous Coward
      Anonymous Coward

      Re: There is no skills gap.

      "The CISSP is largely a management cert and worthless to a hands on practioner or pentester."

      It's certainly at a higher level than most practitioner or pentester exams, and I would suggest therefore far more valuable. Its by far the widest and in depth knowledge base of any certification I have otherwise come across. For instance a 6 hour! exam.

  12. Anonymous Coward
    Anonymous Coward

    £87K for *contract* CyberSec is a bit low :-/

    And I wonder how much PI insurance will be once GDPR starts to bite fine-wise...

  13. coldcraft

    You think any Euro companies would pay to relocate someone from the US with a Sec+? ...asking for a friend.

  14. Anonymous Coward
    Anonymous Coward

    It's all total...

    Bullshit. There seems to be a quorum here in the comments that the "cyber" positions that need to be filled are all show and little substance. Business (and government) gave up a long time ago on actually doing anything of substance to reduce computer security risk. This is window-dressing to lull the shareholders into a false sense of security. Those positions don't require computer science skills because they won't be *doing* computer science. They'll be taking inventory and transcribing reports by computer scientists. What those responsible for the headline gloss over is that the ranks of real computer scientists (and technologists whose experience gets them close to the mark) is shrinking. A huge percentage of those currently in the field are happily retiring year over year, and warning their sons and daughters to find some other more lucrative pursuit. Interesting how this comes on the heels of reports that there are massive layoffs now happening in the Indian tech sector.

    Personally I can't wait to see the tweet in ALL CAPS from a frustrated CEO who can't browse the Internet because the company PC on his desk is infested with malware, and whose twitter account then gets hijacked by some young pup from Eastern Europe who used a key logger to grab the passwords and account numbers for all the moron's offshore slush funds.

    1. Doctor Syntax Silver badge

      Re: It's all total...

      The children of those retiring now will already be in mid-career. It's our grandchildren we should be warning off. Why did I just give grandson/apprentice my copy of Unix The Book? (I just looked inside the cover. Publication date 1982. 35 years I've been doing this stuff. Where did they all go?)

      1. Long John Brass Silver badge
        Terminator

        Re: It's all total...

        @Doctor Syntax

        Know how you feel mate; 32 years at the coal face myself. No sprogs therefor no grand-sprogs, but mates have; I've been telling the fresh faced little bastards that Bio-Tech would be where I would be investing my interest if I was in their shoes.

        Luckily none of them seem interested in IT; They have watched their fathers grey & burn out. The money has been mostly good, but those days are behind the industry now I think.

        1. Dave 15

          Re: It's all total...

          Other suggestions than biotech...

          for girls, get boob implants and get on a tv show... plenty of follow on work for a big boobed star (no brains needed)

          for boys, go and kick a football around a park

          for either try doing a few hours of acting school then if you can't do film work you can be a politician or CEO (basically they are both just acting roles)

          All of these pointless activities lead to multi-million pound salaries for the lucky few, multiple chance by reward and decide that it pays better to try ... and fall back to the dole in a quiet cheap corner of the UK if you fail, nothing to lose really.

  15. This post has been deleted by its author

  16. Anonymous Coward
    Anonymous Coward

    The reason why these people move on so often is because they are all mostly charlatans (not the band) and they run out of pointless stuff to say and report after 6 months in a company.

    1. Korev Silver badge
      Pint

      "charlatans (not the band)"

      Upvote and a pint for the Möngöl Hörde lyric

      Even if it was accidental.

  17. 0laf Silver badge
    Trollface

    Certs are good mmkay

    Clearly all certs are a meaningless racket, created as a self fulfilling business for cert companies to fool HR robots into insisting that having a cert is the be all and end all of infosec.

    Except for the one I've just done, you have to be a technical genius, business guru and sexual tyrannosaur to get that one. Natch.

    And £87k, many lols. I've seen a few advertised above 60k outside London and they are invariably CISO roles or CHECK team leaders.

  18. John 104

    @AC

    "What those responsible for the headline gloss over is that the ranks of real computer scientists (and technologists whose experience gets them close to the mark) is shrinking. A huge percentage of those currently in the field are happily retiring year over year, and warning their sons and daughters to find some other more lucrative pursuit."

    As one of the latter, technologists with experience, and with kids, I have encouraged them to pursue careers in anything but IT. Not development (shit hours, low pay), not infrastructure (declining need). My son is pursuing aerospace engineering, and my daughters are undecided at this point (young). They are all smart and will do fine after college.

    It isn't helped by the cloudification of everything. Companies see an IT salary that can be cut since infra moves to the cloud. Problem solved! So there are less positions open as the infrastructure is consolidated to the big players. As such, salaries will go down for those roles in the short term.

    Folks that grew up tinkering with PCs to get games to work are aging out (myself included). Its all plug and play these days and doesn't require any troubleshooting skills or thinking to make things work. And the next step was a career in IT because not everyone could do it. You should see how useless our help desk guys are when there is an actual problem with hardware or operating systems...

    So you are either very adept at technology or go to college and get a high paying job, or you don't have the exposure that a lot of folks had to get them started and get low pay and low prospects. Doesn't bode well for the industry in the next 20 years.

    1. Custard Fridge

      Your post makes me feel like Marvin the paranoid android "I think you ought to know I'm feeling rather depressed"

    2. Anonymous Coward
      Anonymous Coward

      "Its all plug and play these days and doesn't require any troubleshooting skills or thinking to make things work."

      But when things go wrong - that is when experience and an aptitude for troubleshooting become essential***.

      When I took early retirement there was no one who could take my technical trouble-shooting role. I was pulling rabbits out of hats after a couple of years in the industry - but it took a lot of hard graft to find my way round both the hardware and software on many different new systems.

      In my sunset years the technical youngsters either wanted a career progression into middle management - or expected external diagnostic tools products to give them instant answers.

      ***The obligatory reference to E.M.Forster's 1909 story "The Machine Stops"

  19. Anonymous Coward
    Anonymous Coward

    I'll pass, thanks

    I know too much to do cybersecurity work. It's shit and you can't win.

    Programming also pays better in good years, even working remotely.

  20. PTW
    Windows

    Old is new again.

    It was NCE, MCSE, CCIE, now there's some new "must have" cert for the 20 (or 30) somethings to shell out for. All by paying your money to some "training" company that trains you in cramming answers; critical thinking NOT required.

    Cue loads of bods getting certified and depressing wages again.

    *Full disclosure, I completed my MCSE in two weeks; but you know what, it didn't teach me how to figure out NT4 won't install from CD if you call your CD drive, "CDROM" under DOS. *$^"* ^$&"£%%*"$!!!1! I don't know if the bug still happens in a VM, in theory it should as it's a DOS/NT issue. Go on, try it, you know you want to....

    No longer a Windows User, just a bum ----->

  21. AmoebaUK

    Aren't these security roles for people who are too crap/thick to code?

  22. J J Carter Silver badge
    Holmes

    Don't need many peeps...

    "Cyber" work is ideal of use of AI deep learning agents, looking for unusual patterns in the matrix.

    Cloud will also reduce the attack surface as box patching is systemically undertaken by AWS/Microsoft at their hyper scale data centres.

    All this GDPR nonsense sounds like former CLAS consultants hoping to get back to billing £1k/day!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019