The European Market for Cybersecurity
It goes without saying that there is currently a high demand for cybersecurity professionals in Europe as the digitisation of business grows at an ever faster pace and the gap in talent supply widens. Security strategist, data privacy consultant and cyber defence advisor, Cameron Brown (@AnalyticalCyber), who is currently based out of Frankfurt in Germany, identified the market trends affecting cybersecurity and the challenges being faced by both employers and candidates.
For employers looking to bring in qualified cybersecurity professionals, Brown asserts that there is a greater reliance on certification, particularly with entry level hires. “The challenge for employers,” he says, “is trying to assess if what a candidate proclaims to be on paper is really what they’re bringing to the job.” That need to verify a candidate’s credentials to ascertain whether they’ll be a good fit for a given role has certainly stepped up the significance of cybersecurity certs such as Security+, CEH, CISSP, CISA and CISM.
Increased demand has also shifted salary expectations in candidates’ minds as their anticipation of remuneration has grown in line with knowledge that employers are desperate to acquire the right people for the job. However, in some cases, organisations simply haven’t responded to that shift in the market. Brown explains many enterprises are still rather conservative in their mindset and haven’t evolved past the notion of cybersecurity being a technical subset of IT. “From an organisational perspective, departments are having a tough time justifying to their boards why they need to pay twice as much for a cybersecurity professional to come into the organisation compared to what they’re paying for a helpdesk administrator who works in IT,” says Brown.
While the more traditionally-minded companies are taking their time in adopting an evolved market view when it comes to cyber, they are increasingly finding themselves in hot competition with smaller, boutique firms and start-ups for talent. Furthermore, as Brown points out, those running and working for bespoke firms offering cybersecurity services or IT forensics, are not in any hurry to give up their agility in the market or the autonomy of owning a business to go and work for a large corporation. “What I’m seeing is that the big corporates are really trying to augment their cybersecurity capacity by buying smaller outfits and bringing them into the fold to create an appearance of youthful vigour,” says Brown. “That is a competitive strategy which I have observed in Europe and elsewhere which relies less on a clever or innovative business design and more on accumulated resources for service offerings around cybersecurity.” Noting acquisitions by the likes of Dell, Accenture, Cisco Systems, and Oracle in inducting smaller and medium sized firms into their conglomerates in order to either eliminate competition or accelerate the provision of service capacity for clients, Brown is concerned about culture clashes. “Whether it’s the right move really comes down to facilitating a cultural match during the M&A process,” says Brown, “because if this synergy is not nourished then ultimately it’s not going to be a beneficial investment for the parent company and unlikely the acquired business will continue to flourish or even that employees will stay on in the new environment.” Brown adds, “For boutique cybersecurity companies that are bolt-on acquisitions for larger multinationals, their former agile business models and flexible working conditions will inevitably be challenged by the new types of clientele and differing regulatory environments within which they will now need to operate.”
In terms of those seeking cybersecurity opportunities in the public sector, Brown explains that the disparity in pay between the public and private sector certainly makes things tougher for areas like government and law enforcement to bring in the necessary human capital. However, Germany has launched a big campaign to build their cybersecurity capacity at the federal level, with a country-wide recruitment drive evident in print media and posters in subways. “But it’s tough for them,” says Brown, “how do you convince someone to move from a private sector, well-paid job to a public-sector counterpart where the salaries just aren’t comparable?” Plus, Brown notes that technically skilled individuals working in cybersecurity tend to be more liberal and free-thinking in their conceptualisation of hierarchy and unlikely to envisage themselves kowtowing to a bureaucrat. “It certainly doesn’t help that challenges related to transparency and corruption have plagued many government agencies in recent times.”
Asked about the implications of Article 50 and the controversial Brexit vote, Brown is quick to reassure those operating in the EU and across Eastern Europe that Brexit is unlikely to magnify the skills shortage. “After all, the UK is facing the same challenges as the rest of the world in finding and attracting cybersecurity talent.” With a solid footing in the broader EU and administering an innovative grass-roots approach towards developing local talent, Germany in particular is taking a proactive stance towards nurturing its workforce. Sourcing talent coming out of Eastern Europe, in regions including Moldova and Romania, to name a few, Germany is proactively creating opportunity for young people. Scholarship programs within German universities and language education to nurture foreign candidates are forward thinking strategies for retaining young skilled workers in a country which is challenged by an aging population. This stands in stark contrast to nations like Australia that are adopting more stringent visa conditions for foreign workers.
Discussing opportunities for security professionals in the EU and foreign workers coming from third countries, Brown believes the closing of UK borders will pose a significant challenge for British businesses seeking to make solid hires in the cybersecurity space and other industries. “With the free movement of people likely to come to a close, UK companies will need to adopt a different approach to attracting talent,” says Brown. “There’s no highly skilled visa anymore and with admittance thresholds now ruled by those with a closed-minded view on who they want in the country, the government is not doing themselves or local businesses any favours.”
Acknowledging the big changes afoot in Europe, particularly in anticipation of GDPR next May, Brown explains that the legislation will likely bring Europe more in line with other global talent markets. For instance, the US has a more mature market where cybersecurity professionals typically command double the salaries of their EU peers. Brown puts this down to the cost of doing business in a country where people’s understanding of the utility of the cybersecurity service is essential to preventing corporate financial loss and disrepute. “Once GDPR rolls out, businesses that fall within the ambit of the regulation will be looking at a 4% penalty of worldwide turnover for failing to meet the strict data compliance standards,” says Brown, “so if you take TalkTalk, which was fined £400,000 by the IOC, under GDPR the penalty could well be in excess of £50 million.” Thus, the need for candidates well versed in regulatory compliance matters and equipped with a deep understanding of data privacy and cybersecurity issues will only elevate demand for skilled workers to serve the needs of employers in this space.