Ahead of OWASP’s AppSec Europe 2017 conference, a global gathering of software and security experts this May, Gary Robinson, European board member of the Open Web Application Security Project (OWASP), gives his view on the future of skills in the industry.
The cyber security industry is enjoying a period of rapid growth that doesn’t look like slowing down and that is starting to create pressure on the talent pool across Europe.
In the wake of several high-profile cyber-attacks, corporations are quite rightly making security a priority, especially those who are creating new products and devices at risk of being hacked, such as driverless cars, wearables and Internet of Things devices.
The House of Commons Public Accounts Committee has criticised the UK government’s approach to forming a unified cyber security force, and placed cyber-attacks in the top four risks to national security. Industry body TechUK has also called for G20 governments to focus on data and cyber security to help shape what it calls a “positive digital future”. The UK’s National Cyber Security Centre is taking the threat seriously too, as it plans to host seminars for politicians focused on potential cyber threats to democracy.
This increased focus on cyber security risks has in turn put skilled software security professionals in very high demand. A survey from ISC2, a security industry body, found 66% of the UK’s companies are suffering from staffing issues and do not have the number of specialists required to deal with the growing online threat.
The Public Accounts Committee has also acknowledged the difficulty it is having in recruiting people with the necessary skills to secure the nation.
The government’s Cyber Security Breaches Survey 2017 found that 46% of respondents identified a cyber-attack over the previous year. The figure grew to two thirds for medium-sized firms and 68% for large companies with more than 250 employees.
In Northern Ireland, I see an exciting and rapidly growing cyber security industry. In 2016 Belfast was ranked as the top location target for FDI in the sector, and it is renowned for its strong talent pool in the technology sector in general.
The issue that the cyber security industry in Northern Ireland, and in many countries around the world, faces is that it is at 100% employment. In line with the UK government’s concerns, companies are starting to struggle to find qualified professionals who can fill the need from local start-ups, established cyber security businesses and multi-nationals who have invested in the city.
According to recruitment specialists MCS Group, based in Belfast where the OWASP AppSec EU conference is taking place, in the past year cyber security professionals from England, Italy, Hungary, the US and the Netherlands have been recruited to fill job vacancies.
Average salaries in the Northern Irish IT industry are estimated at around £45,000 to £50,000, compared to the local average of £26,100 for a full-time employee (Northern Ireland Statistics and Research Agency, 2016), with senior roles on offer paying up to £90,000. People with the right experience and qualifications in fields such as pen testing can “name their price”, the company said.
Among the jobs that have seen the largest hike in salary in the past year are security researchers, with average salaries growing from around £30,000-£35,000 to £40,000-£45,000 for people with around two years of experience. The in-demand jobs will vary from country to country, but it gives an indication of just how in-demand those skills are at the present time.
One way forward is to make salaries attractive enough that skilled software developers want to retrain. As the market for cyber security grows, a relatively small investment in training would allow those developing software to transfer their skills from creating software to securing it.
As the industry in Northern Ireland is growing so rapidly, those who are coming into junior roles could expect to work their way up the ladder fairly rapidly and see themselves taking ownership of high-profile projects and, of course, reaping the financial rewards.
Of course, that would not help the overall shortage of programming and computer science skills in the wider technology industry. The long-term solution lies in education.
The UK Cabinet Office has promised to develop the nation’s cyber skills as part of a £1.9bn investment, which will include a new programme for schools. Pupils in England and Wales are set to be offered intensive cyber security lessons in school. Targeted at 14 year olds, it is hoped 5,700 pupils will spend four hours a week over a five-year pilot programme.
The government is also supporting students who show an aptitude for cyber security by funding apprenticeship places for 16-year-olds. These students will be employed and trained in the industry by established specialists across England and Wales with a view to producing the next generation of professionals who will fill the skills gap.
In Northern Ireland there are a number of organisations focused on promoting STEM careers to young people and Queen’s University’s Centre for Secure Information Technologies is working with students at PhD level to produce world class researchers. But the specific need for a strong pipeline of talent coming through has yet to be addressed directly in the curriculum delivered at schools.
As a response to this need, OWASP is offering Northern Ireland’s schools a free training day for young people on the opening day of the AppSec EU 2017 conference, at the Belfast Waterfront in May.
At what will be one of the industry’s largest gatherings in Europe this year, it is appropriate that the development of local talent is placed first on the bill. This is coupled with a similar session aimed at adults who may wish to train in cyber security.
OWASP’s work to promote careers is one way for us to support the continued growth of the sector.
For those thinking of their first, or next, career move, what’s clear is that as the world becomes more and more connected, cyber security is an industry that is set to grow exponentially.
To find out more about AppSec EU 2017 please visit the conference's website.