This article was first published in the April 2018 UK edition of Accounting and Business magazine.

Major corporate names including Equifax, Uber, Verizon and Wonga have suffered high-profile security breaches in recent years, hitting the brand as well as the headlines. Cyber defence and the protection of customer and business-critical data have risen to the top of the boardroom agenda as a result. 

In 2017 alone, there were 7.5 million ‘denial-of-service’ attacks, with a 20% increase in organisations reporting multi-vectored attacks (an upgraded version of this type of attack). And the stakes are high. According to the Center for Strategic and International Studies, annual losses from cybercrime globally are estimated to top £291bn, while the cost in lost productivity from last year’s WannaCry ransomware attack alone was estimated to be around £3bn.

Businesses are struggling to keep pace with the cybersecurity arms race, as attacks become more diverse and advanced. At the same time, there are increasing chinks in the business armour. Technologies such as big data, the internet of things (IoT), artificial intelligence and robotics are disrupting firms faster than ever; and while they all present their own opportunities for innovation, they also leave organisations more vulnerable to cyberattacks. 

Take IoT, for example. The number of connected devices is predicted to grow to over 20 billion by 2020. Each one that is linked to a business provides a new window for a cyber criminal to climb through. Last year, a casino was hacked through its connected fish tank. Meanwhile, employees are increasingly demanding to bring their personal connected devices into the workplace, and concerns continue to rise over the potential IoT-related vulnerabilities that cryptocurrencies could pose. 

This all means that organisations face the challenge of securing vast amounts of data moving across their networks while under siege from increasingly sophisticated cyber attacks. The only way to combat this is to build up an effective shield of security skills and supporting technology across the business.

Skillsets in demand

The industry is facing an escalating digital skills crisis, and IT security is a major part of that – by 2021, there will be three million unfilled jobs in cybersecurity worldwide. Businesses have to keep pace with the wave of emerging new technologies at the same time as preparing for ever-more prevalent cyber threats. 

Despite the need to bolster businesses’ defences, new research reveals that demand for permanent IT-security staff has dropped 10% in the past year. However, salaries for these positions rose by 4% during the same period. The average salary for a cybersecurity role in the UK is now £60,004, compared to £53,240 and £46,154 for mobile and web development respectively. So, while organisations are looking for fewer IT staff, they are willing to pay a premium for the specialists.

The most popular skills that businesses are currently looking for are penetration testing, security architecture and operations, and biometrics. But there is also demand for security teams to have high-end qualifications in areas such as security information and event management, identity and access management, and the security software ArcSight, as well as a Certified Information Systems Security Professional qualification.

The same research report also showed that, despite the decline in permanent IT security roles, there was a 24% year-on-year rise in demand for IT security contractors over the same period. 

There are two reasons for this: regulation and the upskilling of the wider workforce. The General Data Protection Regulation (GDPR) is a top priority for businesses, given its impending introduction on 25 May. UK employers must ensure they have the right talent in place now, as failure to comply could leave them facing significant fines. Under GDPR, organisations must improve processes for reporting data breaches and justify how they collect and store data. They are faced with the challenge of staying both compliant and secure, while still being able to harness the power of their data. IT security staff who have long been focused on technology alone must now consider the wider business and help in these efforts. 

Companies are prioritising security contractors to plug the short-term gap in security compliance. But while this may be an effective immediate solution, organisations must not forget the longer-term view. Maintaining compliance with GDPR is not a one-off, and businesses must ensure that they have the necessary security resources in place to remain compliant in future.

Businesses are also looking to use contractors to upskill the wider workforce in IT security. People are the weakest link in any organisation’s security chain – if cyber criminals can get through to untrained employees, they are much more likely to be successful. Despite the threat of sophisticated technology-based attacks, just over half of businesses (52%) believe they are most at risk from within.

Employers are focusing on upskilling the entire workforce with cyber skills, to complement their recruitment of specialists. Using expert contractors to train the employee base and make sure staff are aware of their accountability will help strengthen the business’s defence against cyber attack. 

The government estimates that digital skills will be needed for 90% of jobs in 20 years’ time, and security is fast becoming a crucial part of that. Business leaders are rapidly sitting up and taking notice of the need to blend a permanent IT security team that manages complex and long-term security with expert contractors who ensure regulatory compliance and engage the wider workforce. 

Martin Ewings is director of specialist markets for consultancy Experis