Cybersecurity specialist: a profession under mounting pressure

Talent drain at the DGA! The French Direction Générale de l’Armement and other government agencies involved in cybersecurity are struggling to attract and retain staff, according to a parliamentary report. This is hardly surprising, given that even the private sector – with its more attractive salaries – has a glaring shortage of cybersecurity engineers. Companies are struggling, while job seekers are rubbing their hands. 

While the French President has publicly referred to “the hardening of Russia“, citing Moscow’s cybersecurity operations as an example, the DGA is experiencing a cybersecurity brain drain. As revealed by our colleagues at La Lettre, the parliamentary report “on the challenges of cyberdefense” published on January 17 points to the challenges in retaining cybersecurity skills in organizations linked to national defense, including the Direction Générale de l’Armement.

“Resignations have increased across all DGA professions, and particularly in 2022 for cyberdefense. The sharp trend we saw in 2022 is continuing at an even faster pace in 2023,” say the rapporteurs, Anne le Hénanff (Renaissance) and Frédéric Mathieu (La France insoumise). This loss is affecting staff across the board, ranging from the most “qualified and experienced…which poses a major risk to maintaining a ‘skeleton’ of skills capable of keeping the DGA’s technical cybersecurity skills at the highest level“, to young recruits. “The DGA is also seeing an increase in the number of resignations of engineers with two years’ experience or less, which means that the major training effort made by the Ministry is not paying off“, the parliamentarians say.

This is due to lower salaries at the DGA than at other government agencies employing skilled cybersecurity specialists: the starting monthly salary for a cybersecurity engineer at the DGA is €2,350, compared with €2,400 at ANSSI (the French National Cybersecurity Agency). 

“Job security is linked to skills, not status”.

The gap widens after 11 years of experience: €3,300 at the DGA versus €4,000 at ANSSI or €5,300 at the French DGSI (General Directorate for Internal Security). Above all, for a specialization that hires 75% civilians, for whom “job security is linked to skills, not status“, in the words of the report, the civil service is far less attractive than the private sector, where their expertise fetches a high price, so much so that “the market is structurally unprofitable“, as Anne le Hénanff and Frédéric Mathieu acknowledge.

The two MPs have put forward several ideas to tackle the problem, including the harmonization of pay scales, “cross-cutting career paths” to boost careers, and a “non-aggression pact” between intelligence agencies to prevent aggressive poaching. They also raise more controversial ideas, such as bringing Article 42 of the Military Planning Law into play for DGA cybersecurity engineers. This law allows military personnel in possession of sensitive information or know-how to be prevented from going to work for certain companies once they have returned to civilian life, in the name of “the fundamental interests of the Nation in the event of private activity in relation to a foreign power“. However, the two MPs admit, in the hushed language typical of this type of report, that preventing civilian cybersecurity experts from building their careers as they wish is probably an excellent way of discouraging them from applying to the DGA. “In a context of fierce competition on the job market, any additional constraint poses a risk to the ministry’s attractiveness“.

“The market is in a structural deficit”

In fact, the civil service does not have to put obstacles in its own way to have trouble recruiting. If the DGA and other public agencies hire a large majority of civilians for cybersecurity functions, it is because, on the one hand, “competitive examinations for civil servant engineers have met with mixed success, with more or less 50% of positions filled“, according to the parliamentary report and, on the other hand, cybersecurity experts hold the upper hand in a job market where there is a chronic shortage of such skills.

The latest barometer of cybersecurity professions published in July 2023 by ESG (Enterprise Strategy Group) and the Information System Security Association International (ISSA) highlights this alarming situation. According to “The Life and Times of Cybersecurity Professionals, Volume VI“, “71% of organizations claim to be impacted by the cybersecurity skills shortage, which is an increase of 14% from 2021.  Alarmingly, those citing significant impacts also increased from 12% in 2021 to 27% in 2023.” 88% of those surveyed said it was “extremely difficult“, “difficult” or “somewhat difficult” to recruit cybersecurity professionals. 

This survey of private and public sector professionals in the USA, Europe, Asia, Africa and Latin America details the consequences of this global shortage.

“71% of organizations are impacted by the skills shortage in cybersecurity”

Nearly half (49%) of job vacancies go unfilled for weeks or even months, workloads are increasing for 61% of teams surveyed, and 43% of respondents complain of high burnout and attrition rates among cybersecurity professionals. 39% find it difficult to train or even make full use of the security technologies at their disposal, and almost a third (30%) complain that their organization has hired juniors for lack of more experienced candidates.

Consulting firm Wavestone confirms this alarming trend. Its “Cyber Maturity” study from April 2023 says, “more than 15,000 positions are open but not filled” and that among respondents, “there is approximately 1 person dedicated to cybersecurity for every 1,300 employees…this number is still too low in respect to upcoming challenges“. To attract new audiences to these professions, the Ministry for National Education, ANSSI and Cyber Campus launched a national campaign in late 2023 called “Demain Spécialiste Cyber” to present cybersecurity careers to students and young people. With personal testimonials, quizzes and practical information, the site aims to raise awareness of careers in IT security and attract new profiles, particularly women, who are largely underrepresented in the sector.

However, the outlook for recruiters remains bleak: the recession (or near-recession) is squeezing budgets and prolonging hiring times, even as the threat continues unabated.

Worries that “skills will evaporate”

According to CESIN (Club des Experts de la Sécurité de l’Information et du Numérique), in 2023 49% of companies will have experienced at least one successful cyberattack, a figure that remains stable compared to 2022. However, growing international threats and major events such as the Olympic Games are likely to increase the pressure on the cybersecurity job market. The event’s potential surface of attack is indeed gigantic: fifteen competition venues for the Olympic Games and eleven for the Paralympic Games, in the capital and four neighboring départements, including Seine-Saint-Denis, which will host the Olympic and media villages. The IOC has even secured several stadiums outside the capital region as well as in Tahiti for the surfing event. Between state, political and criminal actors, the ComCyberGend (Gendarmerie Command in Cyberspace) anticipates at least 4.4 billion potential attacks, the same number of cyberattacks as the Tokyo Olympics.

In addition, one of the Games’ two main cybersecurity providers, Atos, is currently undergoing restructuring and is likely to be split in two. One company would be Eviden, encompassing cloud computing as well as big data and security activities, i.e., strategic cybersecurity activities and supercomputers. The other company, Tech Foundations (TFCo) would cover the traditional consulting and outsourcing activities. The issue is that nothing guarantees that this complicated operation will be completed in time for the Olympics.

How can we keep up troops’ morale and ensure that they are still at the ready when the time comes? During the sprint to the finish line, Atos/Eviden will need no less than 3,000 full-time engineers. “Our fear is that, given the climate of uncertainty hanging over the company, a large number of employees will go elsewhere and skills will evaporate“, a government representative was quoted as saying in Le Canard enchaîné on November 1. Why join or stay with a company with an uncertain future, when you are in a strong position on the job market? It is a safe bet, however, that salaries at Atos are more attractive than those at the DGA.