Roses are red, you're over the moon, 'cos you work in infosec, and you're retiring soon

The UK's aging cybersecurity workforce is approaching a "retirement cliff edge," according to a new survey.

Only six per cent of UK companies are recruiting graduates, while 66 per cent already have a cybersecurity skills shortage due to being unable to find qualified personnel, according to a poll by cybersecurity professionals' association (ISC)².

Much of the workforce is edging towards retirement, with only 12 per cent of the UK workforce under 35, and 53 per cent over 45 years old, it is claimed.

Enterprises have brought this problem on themselves by refusing to hire and train inexperienced recruits. Only 10 per cent of UK respondents say that the most demand for new hires is at entry level, and 93 per cent say previous cybersecurity experience is an important factor in their hiring decisions.

The lack of cybersecurity workers is causing a dramatic spike in wages, with the top third commanding annual salaries of more than £87,000. The skills shortage is inflating salaries, as more businesses compete for scarce talented resources, according to (ISC)².

Dr Adrian Davis, managing director, EMEA at (ISC)², said: "A continuing industry refusal to hire people without previous experience, and a failure to hire university graduates, means Britain is approaching a security skills 'cliff edge' due to the perfect storm of an ageing cyber workforce going into retirement and long-term failure to recruit from the younger generation."

"We need to see more emphasis on recruiting millennials and on training talent in-house rather than companies expecting to buy it off-the-shelf," he added. This means that smaller businesses, in particular, face a dilemma because they are unable to afford the personnel required to protect them from cybersecurity threats. Only a quarter (23 per cent) of UK cyber professionals work for companies with fewer than 500 employees.

The findings come from the (ISC)² Global Information Security Workforce Study, which involved a worldwide survey of 19,000 info security professionals across banks, governments and multinationals.

Almost half the UK organizations quizzed said that their organizations' shortage of security workers is already having an impact on customers and security breaches.

The skills shortfall means that many UK businesses are ill-prepared for the EU General Data Protection Regulation (GDPR), which will impose a mandatory 48-hour window for disclosing data breaches from May 2018 onwards. A quarter (22 per cent) of UK respondents currently predict that their companies would take more than eight days to repair the damage if their systems or data were compromised by hackers – far longer than the legally required window for publicly reporting breaches.

The global shortfall of cybersecurity workers will reach 1.8 million in the next five years, apparently. ®