Cyber Security Job Market Update – What’s Behind the Growing Demand for Mid-Level Professionals?

Sophie Spencer, Director and Head of Cyber Security, Barclay Simpson

Taken broadly, demand for cyber security professionals in the UK job market has fallen. There are simply more candidates for cyber security jobs than roles available.

In part 1 and part 2 of my discussion of the London cyber security job market, I’ve pointed to the supply-side impact of the employer National Insurance rise, which was both immediate and severe. I’ve also discussed factors such as the drive for cost-cutting, following years of increased cyber security spend due to widespread home-working and new regulations such as DORA.

What I’d like to look at in this blog post is the concentration of demand and recruitment activity at the mid-level of the cyber security profession – as opposed to junior/graduate and senior roles – throughout the UK.

Why is mid-level recruitment holding its own while junior and senior cyber security opportunities flounder? And is it really so much easier for experienced cyber security professionals to secure their next role, or do they face challenges too?

How are cyber security graduates faring in the job market?

Let’s start by looking at graduate cyber security jobs.

The first point to make about cyber security graduates is that they’re more numerous than ever. In response to feverish hype around a skills shortage, the number of cyber security graduates has increased by 34%, according to the Department of Science, Innovation and Technology (DSIT).

A quick reality check on this reveals many CISOs now arguing that there never was a skills shortage in the first place.

What we’re left with are thousands of graduates who responded constructively to the ‘skills shortage’ by gaining a cyber security degree. This year’s cohort is now out there in the job market, looking for their first professional role.

But there are few job opportunities available for them, and even bits of work experience are hard to find. AI automation of routine security tasks is part of this picture – it’s effectively replacing ground-level work that graduate trainees would previously have done.

So cyber security unexpectedly becomes part of the collapse of the graduate job market which the UK is waking up to right now – a bewildering discovery for those talented graduates at the sharp end of a broad trend.

In today’s cost-cutting and stagnant pay environment, if cyber security employers are unwilling to swap out a mid-level professional for a cheaper graduate, then something serious is going on.

Why can’t employers take a pragmatic approach and provide on-the-job training for junior cyber security professionals?

I genuinely think that most CISOs would like to do just that. If their teams weren’t getting by with skeleton staffing to protect the perimeter of a business that is being battered by hackers on a daily basis (at least), they would truly embrace that scenario.

But the reality is that many of them are lurching from crisis to crisis in stressful environments. Their under-resourced teams are having to react rapidly to constant attacks. It’s almost impossible for them to get out of fire-fighting mode and regain the upper hand. Bringing in a junior team member to train and nurture in such a setting is clearly a near-impossible ask.

Senior Positions in the Cyber Security Job Market

At the other end of the job market, CISOs and other cyber security leaders are sitting tight. They’re aware that the market is difficult, and they’re not prepared to leave unless they really need to. This gives rise to high levels of pent-up demand. A lot of them want to move, but not right now.

This problem is exacerbated by well-documented levels of stress and burnout among cyber security leaders. The buck stops right there with them. With no seat on the board, they can nevertheless find themselves personally liable for incidents outside of their control. More and more cyber security leaders are asking themselves whether this is what they want to do for the rest of their working lives.

Meanwhile, many of those capable cyber professionals reporting to them are starting to question how desirable a CISO position is. Many find the role increasingly unattractive, and others are put off by the levels of stress and the risk of burnout. Instead, some candidates are considering similar roles, such as Head of GRC or Head of Security Architecture.

Challenges in the Mid-Level Cyber Security Job Market

The DSIT’s Cyber Security Skills in the UK Labour Market 2024 reported that 61% of jobs advertise for individuals with two to six years of experience.

At the mid-level, cyber security roles have become more technical. Employers need people with the breadth and depth of experience to help them withstand the ever-increasing sophistication of cyber attacks.

But recruiting for mid-level cyber security positions isn’t easy either. It should be, because there are plenty of candidates available. In a cost-conscious business setting, however, employers have become highly specific, niche even, in their requirements. The steady flow of ‘bread and butter’ mid-level roles that we used to see has become a trickle.

Other challenges at this level include:

  • Unusual skill combinations – As the DSIT reported, growing numbers of employers now stipulate a challenging mix of skills and attributes, such as a combination of cloud and coding experience.
  • Family commitments – Experienced cyber security professionals are more likely to have a family, and may be unwilling or unable to accommodate increasingly office-based working arrangements.
  • Training and professional development shortcomings during the pandemic are now feeding through to the mid-level of the profession, creating a demographic gap.

Going back to cost pressures, many companies may be understandably reluctant or unable to pay a recruitment agency. As a result, their HR departments are assuming direct responsibility for recruitment.

But if the HR team has itself been squeezed, or its HR officers are unused to recruiting for specialised roles, this can be difficult. Without a familiar pool of candidates, they’re forced to rely exclusively on advertising, which generates huge volumes of responses. Understandably, they may lack technical knowledge or the time to filter the CVs effectively, and the ideal candidate may remain hidden as a result.

Looking to the Future

Unfortunately, until the broader UK economy starts to improve and we see more investment in technology and business, it’s unlikely that the junior end of the market will improve. The Big Four and other consultancy firms, which in the past have been major employers in the graduate job market, have slimmed down their graduate programmes recently as part of cost-cutting exercises.

At the senior end of the cyber security job market, it’s more a question of confidence. Many CISOs are keen to change cyber security jobs but are unwilling to do so at the moment. Given the pent-up demand at this level, once confidence returns to the market we are likely to see many CISOs changing jobs almost immediately.

It’s all about the wider economy. While we await the Autumn Budget, what I can do as a recruiter is to use my expertise to match cyber security professionals to those high-quality roles that are still out there.