Martin Ewings, Director of Specialist Markets, Experis, talks about the challenges ahead as GDPR reconfigures the digital landscape.
This year, UK businesses have faced a series of regulatory demands, including the much talked about GDPR, which came into effect on 25 May. Compliance has now become a key boardroom issue – with fines for GDPR breaches set at 4% of annual turnover or €20mn, whichever is greater.
But this has also introduced new IT security challenges; businesses have had to improve their processes for reporting breaches and justify how they collect and store data.
In response, business leaders are having to demonstrate that they have cybersecurity policies, procedures and skills in place to survive beyond what is being dubbed, “the year of regulation”. Equally, there must also be a longer-term lens as businesses look to the future. The complexity of cyberattacks is increasing and analysts predict that there will be 3mn unfilled jobs in cybersecurity worldwide by 2021. Employers must battle for the right skills to ensure their business is safe and compliant.
Despite this imperative, research reveals that demand for IT security staff dropped by 5% in the past year (from Q4 2016 to Q4 2017). The report showed that, despite a 24% year-on-year (Q4 2016 – Q4 2017) increase in the demand for short term IT Security contractors, there was a 10% decrease in demand for the larger market of permanent staff. With this apparent disconnect between the compliance and security imperative, and the skills that organisations are investing in, it’s important that cybersecurity is addressed first-hand in the boardroom.
Here are three key issues that senior executives must consider.
Taking cybersecurity beyond a compliance tick box
IT and security staff have, for many years, been primarily focused on the protection of the technology, data and infrastructure, but to meet the stringent new GDPR requirements have had to broaden their scope and consider the impact on the wider business.
This could explain the surge in demand for contractors, as businesses have focused their attentions on plugging the short-term gaps by recruiting a high volume of talent in the months leading up to implementation. With concerns over the financial penalties for non-compliance, it’s hardly surprising. However, while this may be an effective immediate solution, organisations must not forget the longer-term view.
Maintaining compliance with GDPR is not a one-off, and organisations must ensure that they have the necessary security resources in place to remain compliant for the coming years. Having the right people and the right talent will prove essential. For businesses, this means engaging their entire workforce to ensure a long-term solution. It’s key that all employees across all departments are aware of their responsibilities in relation to GDPR and have the right skills and knowledge to remain compliant in their day-to-day activities.
Cybersecurity is no longer just an IT issue
This is especially true when you consider the fact that people are often the weakest link when it comes to cybersecurity. If hackers can get through to untrained employees, they are much more likely to be successful in breaking into the organisation. Research shows that careless or untrained staff members are the most likely access point for cybercriminals.
As a result, improving employee awareness of data security, specifically in large organisations, has become paramount in recent years. Businesses may have bolstered their cybersecurity defences to protect their core assets, IP and data, but even the most advanced systems do not account for a lack of employee awareness.
IT Security as a result must become a necessary responsibility for every employee within the company. And this is another way that organisations can effectively use IT contractors. Expert contingent staff can be utilised to train and upskill permanent staff across the business with the cybersecurity tools they need to protect against emerging threats; without adding more expensive permanent headcount. This will also help to increase employees’ awareness of security, as well as their own accountability to protect the business, ultimately helping to strengthen defences against cyberattack.
Retaining a specialist cyber team
Despite the drop in volume demand for permanent IT security staff, the value of each position on the market has increased significantly. Salaries for these positions rose by 4% in the past year (from Q4 2016 to Q4 2017). The average salary for a cybersecurity role in the UK is now £60,004 – much higher than the likes of Mobile (£53,240) and Web Development (£46,154). This greater value can be attributed to the ever more complex cyber security threat that organisations face, as businesses are willing to pay a premium for more specialist security professionals.
As a result, competition among IT security professionals for these lucrative roles is fierce, with candidates battling it out for fewer jobs. Candidates looking to fill these permanent positions must make sure they are equipped with the most in-demand skills on the security market. Currently, businesses are looking to hire individuals with specialist penetration testing, security architecture and security operations and biometrics skills. But there is also a growing need for security teams to have high-end qualifications, such as CISSP (Certified Information Systems Security Professional), SIEM (Security Information and Event Management), IDAM (Identity Access Management), and ArcSight. These specialists will be vital to securing a business’s long-term resilience against the ever more sophisticated cyber onslaught.
While employers may have had their focus on the short-term priorities, with eyes firmly fixed on compliance in recent months, the cybersecurity issue that boardrooms across the UK are facing is much bigger than this. The UK government estimates that digital skills will be needed for 90% of jobs in 20 years’ time and security is fast becoming a crucial part of that. As employees become more of a target for cyber attackers, businesses should capitalise on the presence of expert contractors to train up their wider employee base and complement their more specialised recruiting efforts. With this combination in place, businesses will give themselves a fighting chance of not just winning the short-term battle, but also the long-term cybersecurity war.