How UK cyber security is under threat from Brexit
3 December 2018
Simon Hember, Director at Acumin Consulting, shares his thoughts on how Brexit will impact the cyber security industry.
With the final divorce date of March 29th, 2019 looming ever closer, the UK and EU are at the time of writing still scrabbling to try and establish a deal that all parties find acceptable. In the meantime, citizens and businesses alike are waiting with bated breath to learn how the final agreement will impact their livelihoods.
The tech sector is one of the industries left the most exposed by a bad Brexit deal, and indeed the current state of play poses some significant challenges. Most technology companies are extremely reliant on recruiting international talent and will be left in a difficult position as freedom of movement is curtailed.
For example, leading British chip manufacturer Arm employs over 200 EU citizens at its Cambridge headquarters. Like many tech companies, it relies on access to a highly mobile and talented pool of professionals to supplement its native UK workforce, and many of these workers are currently unsure of their future ability to live and work here. This is a common occurrence as the UK lacks the home-grown talent needed to meet the demand of its burgeoning tech sector.
Within the tech sector, the threat to the cyber security industry is one of the most concerning issues under Brexit, as a lack of talent here will mean not only lost revenue and jobs, but an increase in the cyber threat facing citizens, businesses and national security.
Also of interest: Data transfers from EU to the UK could become complicated post-Brexit
Widening the skills gap
Like most technology companies, security businesses are extremely reliant on international talent to make up the shortfall in UK security professionals. The fall in migration heralded by Brexit could have a significant impact on the fight against cyber criminals and nation state threats, particularly with most companies already struggling to recruit security professionals.
Demand for experienced security practitioners is at an all time high, and the lack of available personnel has drastically inflated industry wages. We have observed security salary growth more than doubling that of the UK average, with some roles, such as Security Managers and Data Protection Officers, seeing double-digit growth.
The UK talent drought means that some companies must search for several weeks or even months to fill vacant security posts. In the meantime, the lack of resources can leave them more vulnerable to cyber-attack, particularly when the vacancy is a leadership position or one that requires specialist experience. These gaps are specific, skilled and business-critical roles that cannot be compromised on.
Also of interest: UK’s Cyber Discovery programme to continue for a second year
The shrinking talent pool
Creating more barriers for migration will serve to widen the security skills gap further still and enforcing stricter visa requirements will serve to minimise the UK security talent pool. One of the biggest issues being hammered out during the lengthy Brexit negotiations has been the free movement of skilled workers.
The final immigration strategy has yet to be agreed, but proposals include treating EU citizens in the same fashion as other migrants from around the world and implementing more measures to restrict immigration to highly skilled workers.
The government often defines skill levels by salary, with a minimum threshold currently standing at £30k per annum. There have been suggestions this could increase to as much as £50k a year under the new system, which would be extremely damaging to the cyber industry.
Many different cybersecurity roles are paid less than £50k, and most “underpaid” professionals are to be found in the public sector, which generally cannot match the salaries offered by private sector companies. Even if the current £30k threshold remains in place, it is common to find essential roles such as security analysts earning at this level.
Even if an EU worker is still eligible to work here under the new measures, the UK will still become a much less attractive choice of country to move to and build a career. The UK already loses out to several other countries on the highly competitive global security market, and if we cut or loosen ties with EU agencies such as Europol, we risk losing further influence.
Global collaboration is extremely important in the fight against international cybercrime, and we may risk our position as a leading force in the battle.
Also of interest: Will 2019 be any different to 2018?
The rocky road ahead
With the volume and complexity of cyber attacks increasing, as well as awareness of the threat, security now underpins everything a technology company does. Cyber security has rapidly climbed up the board agenda, from being relegated to a background IT issue to becoming established as an essential element that defines business strategy.
Look at organisations such as leading banks and insurers that are currently in the process of migrating thousands of applications to the cloud as part of their digital transformation efforts.
The success of these projects is underpinned by the organisation’s security capabilities. Without enough skilled security professionals available to carry out essential tasks, the UK is at risk of becoming an undesirable destination for organisations to operate and do business.
Unless provision is made now to ensure that the UK can welcome skilled, cyber and tech professionals in a post-Brexit landscape, the industry, and country at large, are in for some serious challenges in the coming years. Businesses must be prepared for already high wages to skyrocket further as the already small talent pool continues to shrink.