China’s cyber security ambitions could fall short due to labour shortage

Tremendous gap between the demand and supply for talents in the data security industry. 

Digitalisation is leading China’s high economic growth as a new engine. And with the support of emerging technologies such as 5G, AI, cloud computing, IoT (Internet of Things), blockchain, and big data, China’s digital industry is booming. However, data security has turned into a new issue against the complexity of the digital economy.  

As the implementation of relevant laws and policies drive the large expansion of the data security industry, the incremental market is bound to grow with the increasing new demand. Global recruiting group Hays, suggests that challenges and opportunities coexist, and China’s data security sector will benefit from the regulation in the long run with the forming of a more sustainable development environment for the industry. In the short term, however, there is a tremendous gap between the demand and supply for talents in the data security industry. 

In July 2021, China’s Ministry of Industry and Information Technology released a three-year draft action plan for the high-quality growth of the cybersecurity sector (2021-2023).  

According to the draft plan, the scale of the cybersecurity industry is expected to exceed RMB 250 billion by 2023, with a compound annual growth rate of over 15 percent. The cybersecurity investment in key industries such as telecommunications should account for 10 percent of the total investment in digitalisation.  

In September the the regulation for safe protection of critical information infrastructure went into affect according to a State Council decree signed by Premier Li Keqiang.

According to the regulation, critical information infrastructure refers to important network infrastructure and information systems in public telecommunications, information services, energy sources, transportation and other critical industries and domains, in which any destruction or data leakage will have severe impact on national security, the nation’s welfare, the people’s living and public interests.

Intensive protection will be imposed on this infrastructure, with measures to monitor, defend against and deal with cybersecurity risks and threats from inside and outside the country. Critical information infrastructure will be protected from attacks, intrusions, interference and destruction, and illegal and criminal activities in this regard punished, the regulation said.

Security management institutions must be set up by operators with stipulated responsibilities to establish and improve the management and appraisal system for network safety, beef up security protection capabilities, and formulate emergency plans.

An information sharing mechanism will be built among relevant departments, operators and network security service institutions, to ensure the timely collection, evaluation, sharing and releasing of information concerning network security threats, vulnerabilities and incidents.

Safe operation of critical information infrastructure in energy sources and telecommunications should be safeguarded as a priority, and the two industries should also take measures to safeguard critical information infrastructure in other industries.

This marked another major legislative milestone in maintaining information and digital security since the ratification of the Cybersecurity Law in 2017. At the same time, China’s Personal Information Protection Law (PIPL) is expected to come into force on 1 November 2021. The PIPL will work together with the Data Security Law and the Cybersecurity Law to form the legal framework of data governance and become an important cornerstone for ensuring digital security and the development of the digital economy.    

Data Security Law: short-term impact vs long-term development of the industry 

When it comes to the impact of the legislation on the data security industry, Jessica Wang, Managing Director of Hays China believes that the 2017 Cybersecurity Law could act as an overall framework for data security, while the Data Security Law and the PIPL would provide enterprise entities with detailed guidance and corresponding punishment measures in terms of the usage, storage, transfer, and destruction of information and data. This will help enterprises clarify their obligations and responsibilities. Meanwhile, the latter two laws can help phase out enterprises that mishandle or illegally collect and use data. Therefore, these three laws will eventually promote the long-term and sustainable development of the data security industry.  

For some industries like the internet, finance, and consumer goods, data collection and data use are obviously key to core business which usually requires high frequency and extensive use of data to make strategic decisions. Thus, the legislation on the security of data collection and data use determines the foundation for the long-term growth of enterprises in these fields. 

Wang notes that usually multinational corporates have considerable experience in compliance, especially with regulations for data security. For example, the General Data Protection Regulation (GDPR) has been put into effect in Europe since 2016 which businesses operating in the region are already quite familiar with, which makes it easier for MNCs in China to adapt to the changing regulatory environment. On the contrary, it is of great significance for domestic enterprises to improve the awareness of relevant laws and regulations of data security and make strategic plans on recruiting talents, whether they operate domestically or plan to expand into overseas markets in the future.   

In addition, more enterprises have attached greater importance to data security issues due to the further systematisation of government monitoring and regulations. As a result, service providers in data security see huge growth potential; businesses including cloud services, network security, threat detection, and response may become the infrastructure to the economy. We may see continuing rise of new companies and expansion of subdivisions in data security. 

The huge growth potential in the data security industry is not only beneficial to talents but also reflects the current talent shortage in this field. 

Talent shortage: a long-term issue 

At the 2021 Cybersecurity Talent and Innovative Development Summit and the 6th China Information Security Talent Training and Employment Seminar, industry leaders agreed that the transformation of the digital industry requires reconstruction and upgrade of organisations and skills. It is necessary to establish an internet security talent pool with balanced and comprehensive capabilities.  

According to the latest number, each year there are only 20,000 graduates major in cybersecurity, and the cybersecurity talent shortage in China is about half a million to one million. “The estimate is in fact quite conservative. After the implementation of relevant laws and regulations, the explosive growth of the data security industry will highlight the pressure of recruiting talents for both corporates and service providers,” Wang said.   

According to the 2021 Hays Asia Salary Guide, the annual salary of junior level staff in cybersecurity ranges from RMB 300,000 and 800,000, and it is likely to rise by around 30 percent. Despite this, the talent shortage cannot be solved easily in the short term. “The current situation is that there is a talent shortage of all levels of positions, and the demand for talents is greater than ever,” she added. 

With the acceleration of digitalisation in various industries, many other sectors related to cybersecurity face talent shortages involving financial technology, biopharmaceuticals, and traveling apart from the internet sub-sectors such as software providers, cybersecurity, cloud services, and social media. 

Wang addressed the middle and high-level positions of this field such as data protection officer (DPO) are usually provided with considerable pay, with annual salary usually ranging from RMB 800,000 to one million while large internet tycoons may even offer RMB two to three million. However, qualified candidates are rare to find. On the one hand, suitable candidates are required to have work experience for over a decade, which only a few can meet the requirement in the domestic talent pool. On the other hand, it also needs all-rounders who are possessed of strong technical skills and are familiar with laws and regulations. In this sense, the sector is now under a circumstance with “many job vacancies but only a few candidates”.  

In addition, Hays noticed that a group of candidates are making a “mid-life career switch” to data security.

The demand for candidates’ capability changes with the gradual improvement in the requirement of the government and enterprises for data security. According to Wang, in general, the most competitive candidates in this field are those who graduate from top domestic universities with relevant degrees, while capable of learning new and complex things quickly. Besides, companies mostly favour all-rounders who understand laws and regulations, corporate governance, and risk assessment with a solid foundation in technology and the potential for continuous growth at the same time.  

Responding to the concern of overheating of the data security sector, Wang believes that nowadays data security is quite like programmingy from other IT professions, i.e., programming or software engineering. Nevertheless, this practice is not enough to address the talent gap. Jessica emphasises that China is now urging universities and technical schools to train data protection and information security-related talents which now many universities have set up relevant majors to make up for the talent gap.  

Candidates expect to improve comprehensively as employers call for all-rounders  

Despite the talent shortage, the data security industry also is suffering from the unmet demand for comprehensive capabilities. The continuous progress of digital technology and the digital transformation of the real economy cannot develop without professional and innovative talents who master digital technology and can scientifically analyse and deal with data.  decades ago, in which programming has already become an indispensable part of the infrastructure for the economy, and so will data security be. We may expect more diverse positions to thrive in the field and demand for talent acquisition will remain active in quite a long time. 



Leave a Comment

Related posts