Between the talent shortage and the AI black swan

The shortage of personnel in the information security market in Russia is 31%, which is about 50 thousand cybersecurity specialists. By 2027, the total market demand for specialists may exceed a quarter of a million, and the shortage will increase. Our experts, together with colleagues from the Center for Strategic Research North-West Foundation, came to these disappointing conclusions.

In the first study of the labor market in the field of information security in Russia, we explain what awaits its main players by 2027. Read below about why the education system cannot cope with demand, why the problem of personnel shortages will remain relevant, and why the market structure will undergo a large-scale transformation. We did not ignore the possibility of an unpredictable factor that could turn the situation on the market upside down. The full version of the study is available here.

Status and problems

The Russian information security market is growing actively. As our experts have found, the number of people employed in this field doubled from 2016 to 2023 and reached 110 thousand people. The personnel shortage has also grown significantly: at the end of the 2010s it was 25-30% of the number of people employed in the industry (20-25% of the total market demand for specialists), whereas by 2023 it was already 45% of the number of people employed (31% of the market demand), or about 50 thousand information security specialists.

In the first quarter of 2024, 6,109 vacancies in the information security sector opened in Russia. Experts point out that this demand is distributed extremely unevenly across the country. Half of the vacancies are concentrated in Moscow and St. Petersburg. In several other large agglomerations, where new employment centers in information security are being formed, their number ranges from 100 to 500. At the same time, in most regions the demand is less than 50 specialists.

The demand for information security professionals is growing in the context of a general labor shortage, an aging population, and limited capacity in the education system. The mass exodus of information security specialists from the country has also become a problem. Although the reverse process was observed in early 2024 — the return of a certain number of security professionals to Russia — the risk of new waves of personnel outflow abroad remains.

Market participants also note the high threshold for entry into the information security field. This is due to both the high demands of employers and the practice of hiring through connections. In such conditions, students and graduates prefer to get jobs in other sectors of the IT field. Moreover, some of these areas offer higher wages while requiring fewer competencies from a specialist. For example, the median salary in development is 42% higher than in information security, and in analytics, 25% higher.

Experts also highlight the problem of high responsibility in information security. Mistakes in this area can have extremely serious consequences, causing irreparable financial and reputational damage to organizations. At the same time, responsibility is often shifted to security personnel, despite their lack of authority or resources.

Education is failing

The system of higher and secondary vocational education provides an annual influx of about 8-10 thousand people into the industry, while the real need for personnel is 2-3 times higher. Because training specialists takes a long time, the personnel shortage in information security cannot be solved in the next 3-4 years. In addition, the education system releases junior specialists with minimal work experience onto the labor market, yet such specialists account for only 14% of vacancies. The market most needs mid-level specialists with work experience and a project portfolio who do not require significant additional training.

Structure of vacancies in the field of information security in Russia depending on the required work experience (January - April 2024), %

From 2017 to 2023, the number of graduates who received an education in the field of information security increased by 69%. By 2027, their number may exceed 14 thousand people per year. However, even in this case, the education system will not be able to saturate the market. Moreover, not all graduates will end up employed in information security due to competition with the labor market in the IT sector. In addition, in 2-3 years, according to experts, the growth in the number of new specialists may stop altogether.

Another problem is the gap between the education system and market needs. In recent years, employer satisfaction with the level of graduates has generally increased, but the quality of training does not always meet industry demands. Educational and professional standards fix a conservative set of skills and competencies.

In a field as dynamic as information security, only a practicing teacher with hands-on skills in modern information security systems can bring current practice into training. However, practitioners are not attracted to teaching: it takes a lot of time, and the level of remuneration in educational institutions is significantly lower than in companies in the field of information security. In addition, the academic community is extremely conservative and does not show readiness for active cooperation with practitioners from the industry.

Doubling demand and changing structure

In 2027, the overall market demand for specialists may increase to 235–261 thousand people (depending on the scenario — moderate or dynamic). Increasing the volume of personnel training and automation of labor will cover most of the demand. At the same time, employment in 2027 will amount to 181–196 thousand people, i.e. the deficit will increase in absolute terms to 54–65 thousand, decreasing in relative terms to 23–25%.

The demand for employees in the market is distributed across five functional groups, the largest of which in 2023 were low-tech jobs, as well as multifunctional specialists without specific professional roles. The share of such employment amounted to more than 40% of the market.

According to experts, by 2027, functional roles in the Russian IT labor market will be distributed more clearly, and its structure will become more similar to the structure of the markets of more technologically advanced countries, such as the USA and Germany.

Labor market demand for information security by functional groups of workers in 2023 and 2027, thousand people.

Both the dynamic and moderate market development scenarios envisage a reduction in the formal employment of multifunctional specialists due to an increase in the depth of the division of labor and the hiring of professionals. Some information security functions will be outsourced to specialized information security service providers. As a result, a significant increase in the share of qualified personnel is expected. First of all, this trend will affect basic positions – information security engineers and information protection specialists.

At the same time, the growth dynamics will be different. The demand for information security engineers and architects, as well as specialists in cryptographic information protection, will increase the most. The sector related to government regulation of the information security sphere also expects significant growth — for example, the demand for specialists in the protection of critical information infrastructure will increase. On the other hand, the need for penetration testers, cybersecurity analysts, and SOC L2 will not grow as much: their share in the structure of qualified personnel will decrease.

AI “Black Swan”?

The study notes that artificial intelligence is the main technological trend that will influence the labor market in information security in the next three years and in the longer term. The introduction of “strong” AI should significantly increase labor productivity in information security and greatly expand the potential for automation. Scaling artificial intelligence may lead to a decrease in the rate of salary growth in the industry, a significant slowdown in the rate of hiring specialists, and even large-scale layoffs. This is possible provided that strong AI does not open a new class of tasks in information security in which a person will be more effective than a machine.

However, experts believe that AI that outperforms humans in any task will most likely appear beyond the 2030s or not appear at all.

The study notes that the impact of AI on the information security labor market will be multifaceted. Experts highlight three key aspects of this impact:

  1. Automation of business processes using AI will lead to a decrease in the number of some vacancies and personnel positions in the information security labor market. This is especially relevant for first- and second-level SOC analysts.

  2. The creation of new types of business processes will lead to an increase in the number of professions and the volume of employment, primarily among architects and engineers.

  3. Transformation of business processes using AI will require changes in the professional competencies of employees in the field of information security – retraining and movement within the labor market. In addition, the use of artificial intelligence, having increased the efficiency of novice specialists, will lower the threshold for entry into the profession.

The impact of artificial intelligence development on the labor market in the information security sector, 2024–2027, thousand people.

Interesting: The introduction of AI will lead to the opening of new vacancies, many of which are currently considered niche. In particular, the segment of machine learning specialists in information security will expand significantly. It is expected that by 2027, about 12 thousand new jobs will appear for them. Some of these vacancies will be filled by the flow of specialists from other market segments.

Clouds, Crypto and Other Trends

In Russia, along with the scaling of cloud infrastructure and the lifting of restrictions on the use of clouds in state corporations and large businesses, the demand for information security specialists capable of working in cloud environments will also grow. In 2022, only 3% of companies used cloud services, but by 2025 this figure should grow to 6% of the market (about 130 thousand companies).

Responsibility for cloud security lies not only with the cloud service provider, but also with the user. If companies have to be responsible for cloud information security themselves, the number of cloud security specialists could grow to 84,000 by 2027.

The use of digital currencies and the development of fintech will increase the demand for information security specialists from the banking and financial sector. According to existing estimates, Russian banks will spend 30-50 billion rubles on the introduction of the digital ruble, a significant part of which will go to the creation of information security systems and staffing.

The impact of the introduction of digital currencies on the labor market in the information security sector, 2024–2027, thousand people.

Against the backdrop of sanctions and the departure of foreign vendors from the Russian market, there is a need for high-quality solutions in the field of information security. In these conditions, from 2024 to 2027, the annual growth of the Russian information security market is expected to be approximately 22%. The share of domestic vendors will also increase significantly: from 70% in 2023, it will grow to 95% by 2027.

The state policy in the sphere of information security has a multidirectional character. On the one hand, measures to stimulate the development of domestic solutions lead to the creation of new jobs in this sphere. On the other hand, increasing labor productivity and security of state services leads to the release of labor. Nevertheless, the balance will be positive: under a dynamic scenario due to state regulation, the growth in the need for information security specialists will reach 29 thousand people, and under a moderate one – 28 thousand.

Interesting: Experts allow for the possibility of growth of the share of foreign vendors to 8% — due to expansion of companies from friendly countries, especially from China, into the domestic market. In this case, the need for architects and engineers may decrease significantly — by 10-15 thousand.

Given the development of Russian bug bounty platforms, a corresponding increase in the number of bug hunters providing their services on such platforms is expected. The development of bug hunting and its emergence from the shadows in Russia can be facilitated by the adoption of a corresponding law.

How to satisfy the hunger for personnel

To avoid a serious shortage of personnel and inadequate “overheating” of salary offers in the labor market in the information security sector, experts recommend that market participants and regulators take a number of actions.

Expansion in education

The shortage of personnel will require increased cooperation between vendors and large employers in information security and educational institutions. This applies to both secondary vocational education and higher education institutions. It will also be necessary to scale up existing practices: conduct student internships, create basic departments, organize various events where students can learn more about in-demand professions and try themselves as information security specialists.

Advanced training and retraining programs

Experts recommend that market players more actively use professional retraining programs to attract interested personnel and train them for their tasks. The practice of creating private universities and implementing educational programs in partnership between vendors and their clients interested in specialists with skills in operating specific solutions is also promising. However, the study notes that due to the high mobility of employees, investments by corporate players in their training may not pay off.

Attracting regional personnel and schoolchildren

In the conditions of personnel shortage, the development of the remote format and the opening of offices across the country allow regional specialists to be attracted to work in companies whose offices are located in Moscow and St. Petersburg. The creation of coworking spaces and the placement of company offices on university campuses will help to effectively attract personnel in the regions.

In addition, experts advise involving promising schoolchildren in information security by popularizing specialties in this field and introducing gamification into education. Schoolchildren can also get involved through bug bounty platforms, since searching for vulnerabilities does not always require education. For example, the youngest hacker in Russia is only 11 years old.

Interesting: From 2017 to 2021, the share of women in the information security field worldwide increased from 11% to 25%. It is expected that by 2025, this figure will reach 30%. The involvement of women in the cybersecurity industry is one of the factors in reducing the labor shortage. By 2027, the number of female information security specialists in Russia may increase by 22 thousand.

New approaches to developing standards for certification

One of the solutions to the problem of developing professional standards that are not keeping up with the dynamic changes in the market could be the formation of a non-governmental association of the largest players in the information security market. Such an association is capable of forming its own frameworks and standards that can be adopted at the industry level along with state ones. Experts also recommend promoting vendor certificates on the labor market.

Conclusions

According to the study, the overall increase in demand for information security specialists in Russia by 2027 will be more than 100 thousand people. Only 86 thousand of them will be covered by training and involving new specialists.

The largest trends in the transformation of the labor market in the next three years will be digital currencies (up to 44 thousand new jobs), cloud technologies (plus 43 thousand high-tech jobs, minus 41 thousand low-tech), as well as regulation and import substitution (30 thousand additional jobs).

By the end of the three-year period, employment in the labor market should become more technological and form a large segment of information security architects and engineers (almost 100 thousand in-demand specialists versus 21 thousand today), capable of working in conditions of complex tasks, a high level of automation, and a constantly changing landscape of cyber threats.

In conclusion, it should be noted that these trends are capable of not only causing a reorganization of the IS labor market and specialized education, but also influencing the restructuring of related markets. First of all, the skills, competencies and knowledge developed in IS can be disseminated in other security sectors. For example, telephone fraud prevention technologies can be used in operational investigative activities and in the field of ensuring national security.
