yossarian6 - Fotolia

UK immigration rules fly in the face of cyber security skills shortage

Despite the UK’s shortage of cyber security skills, recent changes to immigration rules make it no less difficult to hire skilled workers from outside the European Union

At the Conservative Party Conference in 2013, the defence secretary Phillip Hammond announced plans to take on "hundreds" of cyber security experts to serve as "cyber reservists" to defend national security.

The plan was to have them working with existing government IT security teams, with Joint Cyber Units in Corsham and Cheltenham and other units in the defence network.

The cost of up to £500m is fairly negligible against the cost of cyber crime to the UK industry of £27bn – but the bigger issue is, where does that technology talent come from?

In November 2015, prime minister David Cameron said his government would fund an increase of 1,900 intelligence personnel, echoed by chancellor George Osborne who said in his speech to GCHQ that "as the threat develops, we will need to make sure that our capabilities develop to match it".

It is clear there is a problem that needs to be solved, and finding the people to fill the void has been a key strategy for the past two governments. Despite that, the skills shortage continues and recent changes to the  Home Office's immigration rules have made it even more difficult to hire skilled workers from outside the European Union (EU).

According to paragraph K2 of page 43 of the Statement of changes in immigration rules, published in October 2015, “cyber security specialist” is on the official skills shortage list, from 19 November 2015. The skills shortage list is the list of occupations which the Migration Advisory Committee recognises as being in shortage, and which the government has agreed that Tier 2 (work permits) can be obtained for, without the need for a further test of the resident labour market. This makes it is unnecessary to advertise those jobs in the EU for 28 days before hiring outside.

However there is a downside to this, according to Victoria Sharkey, partner at immigration legal practice MediVisas. Fresh changes recognise the shortage of skilled cyber security specialists – but taking advantage of the 28-day advertising waiver may present tougher challenges than adhering to it, she says.

Restrictive practices

“This is going to be really challenging for startups, as working with UKTI (UK Trade & Industry) will apply to an incredibly small number of companies,” says Sharkey. “So most will still have to advertise the job as usual, to show that there are no EU nationals who could do this.

"It is restrictive. In an industry which is about innovation, people should not need to advertise to bring in programmers in this key area – especially when government has acknowledged the shortage.”

This is because the Home Office has also introduced the need to become a "qualifying company" to hire non-EU immigrants. To become a qualifying company is where the problems begin, and arguably advertising for the 28 days inside the EU could put up fewer hoops to jump through.

Read more about the cyber security skills shortage

Sharkey explains that, to become a qualifying company, they will need to be licensed as a sponsor to secure an employee on Tier 2 work permit. Companies with fewer than 20 staff – which means most startups – will have to register and work with UKTI, as well as register with the Home Office as a sponsor, before a certificate of sponsorship is granted to enable them to hire from outside the EU.

Also, to be a qualifiying company, a company cannot be more than 25% owned by a larger company which has more than 250 employees. So for example, if a startup had angel investment from a large global IT company, they would also not be able to take advantage of the advertising waiver, as that investor employs more than 250 people.

No positive effect on industry

Another requirement to qualify for the advertising waiver is that an employer needs to obtain and retain references for a migrant worker going back five years, to prove that the employee has the relevant experience. Sharkey says: "This is ridiculous in the days when most references mention only dates of employment for legal reasons.”

Many employers will issue references via their human resources (HR) departments, she says, and will not specify relevant experience or leadership, unless they had “team leader” as a job title. Particular to the cyber security specialist, the shortage relates to a person with a minimum of five years’ relevant experience, and demonstrable experience of having led a team.

"In short, any claim to be helping the industry is nonsense, because there are so many hoops the employer has to jump through that it is almost certainly going to be easier for them to just advertise the position as they have to now," she says. “I would be extremely surprised if these changes made any difference at all to employers.”

There are fewer applications for IT professionals to work in the UK than there were 20 years ago – as many larger companies outsource – but UK industry's increased need for cyber security professionals will not benefit from these changes.

“It is great that cyber security has finally been recognised, but once employers look at this they will realise trying to become a qualifying company and making sure the applicant has references as required is more cumbersome than advertising the job for 28 days,” says Sharkey. “So this is the Home Office being seen to do something, but not making any changes to have any positive effect on the industry.”

Adrian Davis, European managing director at (ISC)2, said its Global Information Security Workforce Study identified a current need for security analysts, but the skills shortage goes right across the board. “This measure may reflect more about immigration policy than the shortage itself,” he says.

“I suspect experience is required across many disciplines that they seek to provide for through immigration.”

A request for comment was sent to both the Home Office and immigration minister James Brokenshire, but both declined.


Read more on Hackers and cybercrime prevention