When the private details of all the British serving armed forces can get hacked, it is entirely appropriate for the World Economic Forum to describe cyber resilience as the defining mandate of our time. Yet Cybersecurity Ventures recently predicted a 3.5 million talent gap by 2025. Gartner reports that by 2025, more than half of significant cyber incidents will come from a lack of talent as well as general human error.
| Savannah Group has examined 520,000 Vice President or Director level individuals working in cyber-related roles to understand the leadership talent gap in more detail: which industries are most at risk, where the talent hotspots are and how organisations can be proactive in building cyber bench strength. |
UK engineering group Arup lost HK$200mn ($25mn) after fraudsters used a digitally cloned version of a senior manager to order financial transfers during a video conference, the Financial Times recently reported.
Manufacturing, energy and retail sectors are suffering from the largest talent deficits relative to threat in their industries
Cyber talent requirements differ between industries. The more digital a business, the bigger the threat. While we might expect the industries with the most cyber crime to have the most cyber talent, we have found that this is not the case. Savannah has analysed the number and proportion of cyber attacks, the distribution of senior talent and the relative gap between the two.
As smart manufacturing expands and the use of cloud technologies increases, the manufacturing industry has become a prime target for cyberattacks and has the biggest gap between the proportion of attacks (25.7%) and proportion of talent (7%). It is anticipated that cybersecurity spending in the manufacturing sector will reach US$30 billion by 2027.
The energy and retail industries are also experiencing significant talent deficits relative to the volumes of cyber attacks. In 2023, the energy sector experienced 11% of cyber attacks, with an average cost to victims of US$4.45 million. Only finance and insurance have a surplus of talent relative to the proportion of attacks.
Our research has found uneven talent growth across industries, with some (namely manufacturing, energy and retail) not growing their cyber bench strength fast enough relative to the size of threat in their industry. Based on current growth rates, by 2029 there will still be a talent deficit in these industries, albeit a smaller gap than today. By 2029, healthcare, education and media & telecoms have reduced their cyber talent deficits, based on current growth rates.
India is a cyber talent hotspot
The cyber security talent population is largely based in the USA with top talent sources almost exclusively US companies, particularly those based in California and New York where the combined number is higher than the entire UK cyber talent population. Hiring demand in both the US and the UK is very high, with large numbers of employers competing. India has just 17% of the total talent pool, however Asia is strong source for talent with India (particularly Bengaluru), Singapore and the UAE with available skilled individuals and lower competition.
Russia is both a high-level originator and subject of potential cyber threat with well-established cyber security firms such as Kapersky Lab, as well as several start-ups like Dr. Web, based there. It is likely to have significant numbers of high-quality cyber talent, although accurate data is more difficult to access. Following the outbreak of war, Israel has also faced a growing risk of cyber-attacks, particularly from other Middle Eastern countries. It is well-equipped to manage the threat with several global technology firms such as CyberArk, and Israeli-founded Semperis and Claroty, amongst many others.
International businesses would be wise to think globally when planning, structuring and hiring their future cyber workforce.
Manufacturing process improvement, analytics and business analysis are the skills in shortest supply
We examined the global cyber population to understand skills distribution and which skills are least prevalent.
Our expert team is here to help you acquire top cyber leadership today or through proactive succession planning and pipelining. Find out more about our approach here.
There is significant growth in the number of cyber consultants and advisors
We analysed[1] the change in the number of people with cyber experience by job title.
There has been a 10% and 8% growth in the number of cyber ‘consultants’ and ‘advisors’ respectively in the past 12 months. Over the same period, there have been more than three times as many job postings for advisors than the number of individuals working in the field. This finding is supported by the rapid expansion of cyber security populations within consultancy firms with Deloitte, EY and PwC all featuring in the top five organisations recruiting in this space.
Cyber safety requires more than technical knowhow. Board and Ex-Co leadership and culture are critical ingredients for organisations needing to build their cyber resilience. Consultants’ briefs are rightfully not just confined to technical matters.
The largest senior talent employers are financial services, technology and consulting businesses
The top employers of cyber talent have attrition rates between 6 and 19 suggesting that they are a target for other companies’ recruitment efforts. Attrition is particularly high in consultancy firms, EY and Deloitte, both having 19% attrition.
Succession planning, pipelining and retention are even more important for cyber talent
In the context of cyber talent deficits in most industries, we analysed the proportion of talent who had moved roles in the last 12 months and who were currently open to opportunities in cyber as compared to AI and Cloud.
We found that 35% of senior cyber talent is open to a move. This is more mobile than Cloud at 30% but less mobile than AI where 40% are open to move. It is common across these in demand, technology related disciplines to see both high appetite for new challenges and high mobility. Cyber is no exception.
We looked at some examples of leadership changes made in the wake of significant data breaches
- Facebook, March 2021, 533m users information leaked. https://www.linkedin.com/in/guyro/ – promoted to the newly created CISO role, June 2022.
- Experian Brazil, February 2021, 220m records lost. https://www.linkedin.com/in/brunomottarego/?originalSubdomain=br – hired as CISO, April 2022, 17 years security experience. https://www.linkedin.com/in/ssantarelli/ – took over the top role, joined from Pepsi with 25 years of security experience, replacing John King who had been at the business for 6 years.
- Syniverse, September 2021, 500m records lost https://www.linkedin.com/in/justin-dellaportas/ – hired with 7 years security experience in January 2022.
- Equifax September, 2017, 143m records lost: January 2018, hired https://www.linkedin.com/in/jamilfarshchi/ with 12 years of security experience.
- Reckitt, July 2017, 15,000 laptops, 2,000 servers, 500 systems crippled, lost £10m. Hired https://www.linkedin.com/in/ben-brophy/?originalSubdomain=ch in May 2018 with 18 years of security experience
[1] Our sample of 520K VP or MD level working globally in connection with cyber
In practical terms, proactive talent planning including succession planning, pipelining and retention programmes should be high priority with threats escalating and talent deficits growing.
Savannah works with organisations in transformation to add strength and depth to their cyber leadership today and for the future.
KEY CONTACTS:
Nick Davies: Partner, Digital & Technology Practice
James Davies-Love: Head of Talent Intelligence
Alex Martin: Managing Partner, Talent Intelligence
