
UK immigration rules fly in the face of cyber security skills shortage

Despite the UK’s shortage of cyber security skills, recent changes to immigration rules make it no less difficult to hire skilled workers from outside the European Union

At the Conservative Party Conference in 2013, the defence secretary Philip Hammond announced plans to take on "hundreds" of cyber security experts to serve as "cyber reservists" to defend national security.

The plan was to have them working with existing government IT security teams, with Joint Cyber Units in Corsham and Cheltenham and other units in the defence network.

The cost of up to £500m is fairly negligible against the cost of cyber crime to the UK industry of £27bn – but the bigger issue is, where does that technology talent come from?

In November 2015, prime minister David Cameron said his government would fund an increase of 1,900 intelligence personnel, echoed by chancellor George Osborne who said in his speech to GCHQ that "as the threat develops, we will need to make sure that our capabilities develop to match it".

It is clear there is a problem that needs to be solved, and finding the people to fill the void has been a key strategy for the past two governments. Despite that, the skills shortage continues and recent changes to the Home Office's immigration rules have made it even more difficult to hire skilled workers from outside the European Union (EU).

According to paragraph K2 of page 43 of the Statement of changes in immigration rules, published in October 2015, “cyber security specialist” is on the official skills shortage list from 19 November 2015. The skills shortage list is the list of occupations that the Migration Advisory Committee recognises as being in shortage, and for which the government has agreed that Tier 2 (work permits) can be obtained without the need for a further test of the resident labour market. This makes it unnecessary to advertise those jobs in the EU for 28 days before hiring outside.

However, there is a downside to this, according to Victoria Sharkey, partner at immigration legal practice MediVisas. Fresh changes recognise the shortage of skilled cyber security specialists – but taking advantage of the 28-day advertising waiver may present tougher challenges than adhering to it, she says.

Restrictive practices

“This is going to be really challenging for startups, as working with UKTI (UK Trade & Industry) will apply to an incredibly small number of companies,” says Sharkey. “So most will still have to advertise the job as usual, to show that there are no EU nationals who could do this.

“It is restrictive. In an industry which is about innovation, people should not need to advertise to bring in programmers in this key area – especially when government has acknowledged the shortage.”

This is because the Home Office has also introduced the need to become a "qualifying company" to hire non-EU immigrants. Becoming a qualifying company is where the problems begin, and arguably advertising for 28 days inside the EU could put up fewer hoops to jump through.


Sharkey explains that, to become a qualifying company, a business will need to be licensed as a sponsor to secure an employee on a Tier 2 work permit. Companies with fewer than 20 staff – which means most startups – will have to register and work with UKTI, as well as register with the Home Office as a sponsor, before a certificate of sponsorship is granted to enable them to hire from outside the EU.

Also, to be a qualifying company, a company cannot be more than 25% owned by a larger company which has more than 250 employees. So, for example, if a startup had angel investment from a large global IT company, it would also not be able to take advantage of the advertising waiver, as that investor employs more than 250 people.

No positive effect on industry

Another requirement to qualify for the advertising waiver is that an employer needs to obtain and retain references for a migrant worker going back five years, to prove that the employee has the relevant experience. Sharkey says: “This is ridiculous in the days when most references mention only dates of employment for legal reasons.”

Many employers will issue references via their human resources (HR) departments, she says, and will not specify relevant experience or leadership, unless they had “team leader” as a job title. Particular to the cyber security specialist, the shortage relates to a person with a minimum of five years’ relevant experience, and demonstrable experience of having led a team.

"In short, any claim to be helping the industry is nonsense, because there are so many hoops the employer has to jump through that it is almost certainly going to be easier for them to just advertise the position as they have to now," she says. “I would be extremely surprised if these changes made any difference at all to employers.”

There are fewer applications for IT professionals to work in the UK than there were 20 years ago – as many larger companies outsource – but UK industry's increased need for cyber security professionals will not benefit from these changes.

“It is great that cyber security has finally been recognised, but once employers look at this they will realise trying to become a qualifying company and making sure the applicant has references as required is more cumbersome than advertising the job for 28 days,” says Sharkey. “So this is the Home Office being seen to do something, but not making any changes to have any positive effect on the industry.”

Adrian Davis, European managing director at (ISC)2, said its Global Information Security Workforce Study identified a current need for security analysts, but the skills shortage goes right across the board. “This measure may reflect more about immigration policy than the shortage itself,” he says.

“I suspect experience is required across many disciplines that they seek to provide for through immigration.”

A request for comment was sent to both the Home Office and immigration minister James Brokenshire, but both declined.



Join the conversation



Hiring supposed "security specialists" from outside the UK, let alone EU, is no way to address a skills shortage when the biggest risk is that of hiring contractors and new staff who are competent but "bent". Moreover it is unnecessary when raw talent (e.g. among existing staff) can be trained faster (eight weeks in the Cybersecurity Academy pilot https://www.sans.org/media/emea/Cyber-Academy.pdf) than experienced outsiders can be hired (currently an average of ten weeks before allowing for vetting, visas and/or "gardening leave").

This whole premise is fundamentally flawed. Industry wants to hire anyone from anywhere in the world at any price and not pay the cost of training in the UK. While the government wants to develop this competency within the UK using upskilling of the 7.2 million well qualified UK workers. The difference in the two views is who pays the cost of training. We have seen this issue appear several times in recent years when suitable UK workers sit on the dole or are discriminated at application upon age or disability. The employers generally don't brief their recruitment agents well and seldom deliver according to the recruitment industry the very people the employers seek. This disconnect has seen potential employers embarrassingly claim these spurious arguments as complete political policy. This reinforces the view that labour force utilisation thought to be as low as 38% could be even lower in the UK than our competitors. Two remarks discussed recently on this issue are government failure to invest in training due to large scale government cuts and a disconnected recruitment system in UK PLC.