Nowhere in the world are cybersecurity experts better paid than in Luxembourg, according to a study by Techshielder published in early August.
The number is €129,163 a year, on average. However, Techshielder’s analysts are quick to point out that the cost of living is higher in the grand duchy than in the other cities in the study and that the number of available jobs is much lower. You’re slightly better off going to Washington, Singapore or Berlin, they conclude.
The study is based on job offers in the sector listed on two recruitment leaders, Indeed and Glassdoor. As of 25 August, Indeed had 42 cybersecurity jobs and Glassdoor had 124 (but only 26 posted over the previous month). More than half were located outside of Luxembourg City.
The results of the study could be interesting for nation-branding purposes, at a time when everyone agrees on the shortage of cybersecurity experts. Last year was marked by record losses due to cyber-attacks and ransomware ploys including at the biggest tech companies like Facebook.
Being able to respond to these threats is the second most in-demand skill in the job market, behind networking and ahead of European GDPR and US Privacy Act compliance, the study also says.
Europe needs 140,000 experts
It is difficult to get a clear picture of the level of staffing shortages companies face, given how the figures vary from study to study. However, according to “Cybersecurity: Building Business Resilience 2020”, a report by Vacancy Soft, there is a shortage of 140,000 cybersecurity professionals in Europe. For comparison, India needs 1m experts and the USA more than 350,000, according to TechTarget. The US Congress estimates the latter number at 460,000.
Indeed, the American authorities have taken up the subject at a political level. The idea is to abandon university-level requirements in favour of candidates who have just graduated from high school and who are perfectly capable of starting a career as long as they are well trained in these basic requirements.
“What’s missing are appropriate entry-level positions that only require a high school diploma and entry-level certification,” says James McQuiggan of KnowBe4, according to BankInfoSecurity. “An entry-level security operations centre analyst is a great starting point for someone who just graduated from high school with a certificate and a willingness to learn.” Others called for the introduction of two-year “CAP or vocational baccalaureate” courses and still others for improved training for existing employees.
New BTS programme in Esch
Such two-year courses, concretely adapted to the needs of the market, have already been launched by the Lycée Guillaume Kroll in Esch-sur-Alzette, which in June selected 14 students for its BTS Cybersecurity class. The same is true of the University of Luxembourg, which has 15 students in its master’s programme on information system security management. There are also courses at the House of Training and the Luxembourg Lifelong Learning Centre, as well as a master’s degree in cybersecurity at the European Institute of Excellence Business School.
The tricky part will be to match the training courses to the needs of companies. In its “State of Cybersecurity 2021” report, ISACA–an American association whose 155,000 members are all tech-sector professionals and come from 188 countries–says that 58% of companies continue to favour academics. However, companies tend to reproach these employees for two things: their lack of “soft skills” and their lack of experience. As many as 74% of job offers insist that candidates have experience.
According to the survey, it is also taking longer to find the right person. More than half of advertised positions are still vacant after three months, forcing 80% of companies to resort to technical help and 47% to temporary staff. This phenomenon may explain the rise in salaries: if companies prefer to outsource rather than recruit in a field they often know very little about, consultants must attract experts to find new clients. It’s a vicious circle.