Cyber Security is an in-demand area where there just doesn’t seem to be enough skilled personnel available to fill the gaps in recruitment. With an increasing number of reported lapses and breaches in security globally, the demand for Cyber skills will keep on increasing.
Cyber Security recruitment impacted? Cyber Security recruitment will be impacted by IR35 regulations when these are introduced as part of the off-payroll rules in April 2021 in the United Kingdom.
The following could happen as a result of the introduction of IR35:
- Cyber Security contractors will leave
- Inside IR35 Cyber skills will be difficult to recruit
- Contractors rates may increase
- Contractors rates may fall
- Using permanent staff to fix the shortfall won’t work
- Loss of Cyber Security services
- Projects could run at risk
- Loss of flexibility in Cyber Security workforce
- Loss of industry expertise
- Loss of specialist skills
- Here today, gone tomorrow
- Double Jeopardy
- Costs increase if consultancies are used to make up the shortfall
- Cyber Security recruitment standards could be lowered
- Cyber Security’s importance demoted
- Recruitment agencies will lose
These points are discussed in details below.
1. Cyber Security contractors will leave
There is a real risk that Cyber Security contractors will just walk out of their current contract roles rather than go inside IR35.
Many organisations have failed to understand the risks of this happening and have made their decisions on applying a blanket ban on Personal Service Companies (PSCs) at a senior level. With Chief Financial Officers (CFOs) and the like deeming it wiser to do this and only hire contractors who are willing to work inside IR35.
These decisions on the blanket bans on PSCs are based on the assumption that their contractors will simply accept the drop in take-home income without any increase in rates. They see the transition as a simple business as usual transaction with limited risks.
Failure to understand the contractor mindset
There’s a complete failure to understand the mindset of the contractor, whose point of view is vital in understanding their reaction to having to go inside IR35.
A rate cut is difficult to swallow but it’s not necessarily going to be the main deciding factor in deciding to stay.
A rate cut will definitely rile contractors and push them closer to the exit but the retrospective risk of being caught by HMRC for IR35 is the bigger problem.
This IR35 risk could allow HMRC to go after the contractor for their previous time served at their current client. The onus will be on the contractor to prove they have not been working inside IR35 but this will be difficult if the client has put the contractor’s role inside IR35.
If the client has willingly put the role inside IR35 then any chance of them supporting the contractor in an IR35 tribunal is dead in the water. As they will probably accept all of HMRC’s arguments and not want any trouble from the taxman.
This retrospective risk will be the most worrying for contractors and will push them to jump ship.
Without this retrospective risk, many contractors would simply have bided their time at their current place even if it meant going inside IR35 until the market had corrected itself and many more outside IR35 opportunities had come along. However, retrospective risk leaves a bitter taste and little option other than leave.
I’ve worked with lots of contractors in recent years and many are petrified of the retrospective IR35 risk. The other financial aspects are important but these become minor when retrospective risk is assessed, especially considering how HMRC has handled the loan chargeback taxes by trying to impose a retrospective stance.
This retrospective liability hunts for tax liabilities going back 20 years. Putting incredible strain on contractors who unwisely had chosen loan schemes as a vehicle for reducing their tax liability which was, in fact, blatant tax evasion.
Many outside contracting simply see the off-payroll IR35 as nothing more than,
‘time to pay your proper taxes’, like the rest of the permanent employees. But do permanent employees have to pay their own employer-related taxes? How would they feel if their income dropped by 30% and had no holiday, pension or sickness benefits?
The loss of income is substantiated by the additional taxes like Employers National Insurance which currently stands at a whopping 13.8%, a tax permanent employee employers pay on their behalf. So with these extra taxes (Apprentice Levy too), no holiday pay, no sick pay, no pension assistance, no personal development, the loss of income is quite substantial in comparison.
Is history repeating itself?
Contractors have jumped ship before when IR35 was introduced into the public sector. So is history going to repeat itself again, when many contractors ditched their public sector roles when told they were coming inside the scope of IR35, just to avoid any retrospective risk?
Yes, it’s fair to say with history not being on their side, many organisations could lose their existing Cyber Security talent as high paid Cyber professionals may effectively walkout at the end of their contracts instead of going inside IR35.
Organisations with a lot of contractors could end up suffering as key personnel and their skills become difficult to replace in the short term.
Get up to speed
It takes a couple of months to get around the environment, politics, processes and so on, so seeing many of your contractors disappear then replaced with a new set of contractors (as these ones will be moving from outside to inside at a different organisation to avoid retrospective IR35 risk) is going to take time.
Every organisation I’ve consulted at takes time to fully appreciate how they do things. This is why I always say contractors should be interviewed based not just on technical skills but how they can quickly adapt to different workplaces.
Having a large number of contractors leave puts a lot of pressure on the people working at an organisation to get things done. Whilst having natural wastage through contractors leaving at different times is easily accommodated, having a mass walkout of contractors is going to be a frightening and very risky experience for many organisations.
2. Inside IR35 Cyber skills will be difficult to recruit
Trying to attract inside IR35 Cybersecurity skills will be difficult as the transition for contractors from outside IR35 to inside IR35 isn’t a simple one.
Many will hold out for outside IR35 roles and those willing to go inside IR35 will either ask for a rate increase or simply leave and go somewhere else and become inside IR35. By doing the latter, these contractors will try to minimise retrospective risk.
Not enough contractors will go permanent or go inside IR35, so an already exasperated skills shortage just gets worse.
Cybersecurity is already difficult to recruit for because it’s just not technical know-how that’s required but an understanding of how cybersecurity affects an organisation. Sticking in the latest and greatest security tools without knowing how to do cyber threat modelling won’t necessarily protect an organisation.
Cyber Security professionals who understand this bigger picture instead of just relying on an understanding of technology, makes it doubly difficult to find these type of well-rounded Cyber Security candidates.
Cyber Security-focused recruitment agencies could end up struggling to earn enough revenue if cybersecurity recruitment gets even more difficult.
3. Contractors rates may increase
Many organisations have put their hands over their ears with others, their heads in the sand, believing contractor rates for inside IR35 rates won’t go up. These organisations who are naive to think this will not happen and contractors will toe the line are in for a shock.
Companies will end up paying more to attract cyber professionals on an inside IR35 basis. A resource costing £700 a day (including agency commission) will end up costing more than a £1000 a day (including agency commission).
Cyber Security contractors could ask for 30 to 40% more on top of their usual outside IR35 rates for going inside IR35 and clients could end up paying this for inside IR35 roles.
When push comes to shove, an organisation losing it’s outside IR35 Cyber Security contractors, can either pay the market rate (even if it becomes inflated for inside IR35 roles) or they can do the sensible thing and assess their contract roles for IR35.
Many organisations will just do the former because they see the latter of contract assessment as a bigger risk when in fact it isn’t.
Savvy Cyber Security contractors will try to make up for lost income, knowing they are in a position to pick and choose across organisations with blanket bans on PSCs.
4. Contractors rates may fall
Outside IR35 rates could fall, making it cheaper to find Cyber Security experts. This could be down to a situation (albeit temporary), where savvy organisations decide to do the due diligence for taking on contractors and do the IR35 assessments. BUT they reduce the current rates for roles that fall outside IR35 during their assessment.
Knowing all too well, there will be highly skilled Cyber Security contractors who are more than willing to accept a cut in their rate as long as they can maintain their outside IR35 status. Yes, these contractors will lose some money but it will be no way as much as going inside IR35, so they will be more willing to do this.
5. Using permanent staff to fix the shortfall won’t work
Permanent staff will probably not be able to fill any shortfall left by contractors jumping ship. It’s already just as difficult to recruit in the permanent space as it is in the contract space, so with the IR35 impact, it’s going to be doubly difficult.
Headcount will go up in real terms as previously contractors didn’t tend to appear as headcount and were mainly classed as ‘revenue-enhancing’.
Permanent to Temporary?
Permanent staff choose permanent work because they want the certainty permanent work brings with it. Assuming there’s going to be a market of permanent workers ready to jump ship and join the inside IR35 revolution as temporary workers may end up being false dawn, simply because permanent workers don’t want temporary work, they just want permanent work.
They don’t have the contractor mindset of dealing with the uncertain world of temporary employment and if money really was that important, surely they would have jumped into contracting by now. I’ve spoken with a few friends who have permanent jobs and none of them is interested in becoming an inside IR35 contractor, even with it paying substantially more than what they earn.
3 months’ notice?
Permanent staff may not be available immediately, most permanent contracts have longer notice periods typically around 3 months. So in a scenario where a large proportion of contractors have left leading because of a blanket ban on PSCS, creating a decimation of a complete departments workforce, there’s no easy fix by reaching out to permanent staff and recruiting.
The three months’ notice doesn’t factor in the interviewing time, selection process and procedures, easily adding on a couple of months.
Permanent staff may not be able to hit the ground running as quickly as a contractor, simply because the contractor is used to doing this and permanent staff generally have a settling in period.
This could be critical in the cyberspace, as, without effective utilisation of resources, the security posture of an organisation could suffer.
Contractors are used to having to hit the ground running, with day 1 being the start of a business and immersing yourself into the organisation’s cybersecurity. A contractor is used to 100% utilisation, whilst permanent staff have a lower utilisation as personal development, supervision requirements, appraisals etc take up time.
I have found as a contractor, that I don’t get bogged down in the way permanent staff do, with the politics, including of how things are done to how to work towards promotions and so on.
6. Loss of Cyber Security services
Consider a situation where half an organisation’s Security Operations Centre (SOC) are contractors and decide to jump ship, how will this impact organisation?
Who’s going do the SOC analysis?
Who’s going to do the threat intelligence?
How will the red and the blue teams be impacted?
Will incident management still be effective?
How could this affect SecOps?
I’ve consulted at many organisation where the contractor mix to permanent employee ratio has been higher in favour of contractors. The contractors bring in specialist skills in an ever-changing Cybersecurity environment, making it difficult to recruit these skills in the permanent workspace.
With this in mind, if some of the Cyber Security contractors of a team left because of IR35 there would be an effect on the overall security posture of any organisation where this happens.
Worse still, if all the contractors left at the same time, the effects of leaving could have a devastating effect not just in the interim but for many months.
There’s no quick fix in trying to re-establish full operation capacity in such scenarios and it needs to be flagged up as a risk, so there is some form of mitigation available should it happen if there is suitable mitigation available.
7. Projects could run at risk
Projects relying on Cybersecurity skills will be put at risk if there isn’t enough security resource to manage security expectations. Organisations will have to decide on adhering to delivery schedules and therefore running at risk is a worthwhile strategy moving forward.
They may elect to use existing staff to provide some security oversight but without the appropriate skills and experience, this could be a tricky strategy. Instead of using a Cloud Security Architect to advise on security, a DevOps engineer is used instead.
8. Loss of flexibility in Cyber Security workforce
Contractors provide flexibility in the workforce as they can be hired when special skills are need for a project and then discarded when the project finishes. This flexibility allows many organisations to keep projects on track and within financial controls.
Permanent staff can’t provide the same level of flexibility in the short term that contractors and temporary staff can. Permanent staff can’t be hired for short term assignments and then discarded when the assignment ends, as this will introduce a whole host of legal implications in unfair dismissal.
9. Loss of industry expertise
Contractors tend to have more experience, as they generally tend to work across many organisations in the same sector over a number of years. So whilst a permanent member of staff may have worked at the Royal Bank of Scotland doing Cyber Security for five years.
A contractor may have done Cyber Security at Lloyds Bank, Barclays Bank, Santander, UBS, Credit Suisse as well as disrupters like Monzo, Revolut in the same five year period. Picking up a whole wealth of knowledge of how the Cyber Security elements of banking are evolving amongst the different competitors.
Losing someone with this level of Cyber Security industry experience is going to be painful.
10. Loss of specialist skills
Contractors tend to be more specialist. I’ve worked at places where permanent security people have had to focus on general security, that is Business As Usual (BAU) across the organisation whilst I’ve been brought in for specifics were my security expertise in containerization, CI/CD pipelines, APIs and Microservices.
Real outside IR35 contractors have been brought in by organisations to fulfil projects where specialist skills aren’t available, therefore losing these skills could be risky.
As a contractor, I move around more than my permanent contemporaries, so they have very little opportunity to pick up new cyber skills or how the industry is moving.
Permanent staff will tend to learn new skills and technologies from training as part of the personal development, whilst contractors learn in the field.
How would an organisation cope if it’s specialist Cyber Security contractors simply jumped ship when they are told they have to go on the payroll to stay?
Would this leave an organisation in the lurch and more vulnerable?
There’s no loyalty with most contractors and it’s all about the bottom line, that is how much can they make without having to pay more tax than they themselves deem fair.
This may not align with what others believe but it’s important to respect the views of the contractor when decisions are made, as it’s not always a simple answer.
Permanent employees may have some loyalty but contractors may simply feel hacked off they will end up losing out. I think anyone who loses a large chunk of their income is going to feel somewhat dispirited.
Contractors could be making plans right now, to leave imminently. Unlike permanent staff who have longer notice periods contractors ones are generally shorter and could be difficult to enforce.
Competitors could benefit from contractors leaving
Worried about retrospective risk, contractors may simply jump to a competitor. It’s better to go inside ir35 than where they are working, as the retrospective risk is minimised on their previous time working there.
Permanent staff take time
Bringing in permanent staff to replace contractors who have jumped ship because of IR35 isn’t easy. The permanent staff could have long notice periods where they are currently working so waiting 3 months for new recruits when half your people have left, is going to make things difficult.
Contractors generally hit the ground running whilst permanent have a more induction way of working.
11. Here today, gone tomorrow
Contractors who do reluctantly go inside IR35 will only do so temporarily and as soon as an outside IR35 opportunity comes their way, they will hand their notice and leave.
Worse still, contractors will tend to have shorter notice periods than permanent employees. Trying to enforce that notice isn’t going to be easy either, as many contractors have plenty of experience in dealing with termination clauses and how to reduce them without falling foul of any breach clauses.
I’ve seen contractors who’ve really wanted to leave, leave within days instead of waiting the average four week notice period. With their prospective clients unable to do much and even if they could, keeping an unhappy contractor on the books isn’t productive and is more of a security risk than a benefit.
12. Double Jeopardy
Contractors could end up jumping ship twice:
- first when they leave at the end of their contract rather than go inside IR35 and run the risk of retrospective IR35;
- then again when they go inside IR35 (if they have to due to limited outside IR35 opportunities) at another organisation, as they will continue to look for the first opportunity to go back outside IR35.
I’ve spoken with many of my contracting friends who all will accept inside IR35 roles at another organisation other than their own if they have to, should the outside IR35 market shrink. But they all have said as soon as the market corrects itself, they will jump back into outside IR35 work.
As an organisation who suffers the first round of contractors leaving and then manages to hire a new set of inside IR35 contractors, then a few months later see these same contractors jump ship, will end up having to deal with the disruption this causes not just once but twice.
There is very little loyalty with contractors, they are only interested in their shareholder’s interest and they are the predominant shareholders.
13. Costs increase if consultancies are used to make up the shortfall
Many organisations may decide to use the big consultancies to provide the expertise should they start to lose too many contractors but this approach involves a considerable increase in cost.
I’ve seen rate cards from some consultancies charging three times as much as a Cyber Security contractor per day, with some charging even more.
Having worked with many consultancies over the years, you end up generally getting their best people when the deal is pitched and their average people to actually do the work. So the inflated rates paid means there’s really no value for money as you would get with a specialist contractor resource.
More importantly, the consultancy resource is only a permanent resource of the consultancy at most, whose interest lies with the consultancy in finding more ways of generating new business. Whilst the contractor resource will just end doing what’s required to ensure the Cyber Security posture doesn’t pose any known risks.
No consultancy contractors
Some blanket IR35 bans of PSCs have also stated their suppliers can’t use contractors who operate PSCs, so these consultancies are going to have their own recruitment issues. They will lose their flexibility to provide Cyber Security resources on demand.
Small consultancies go bust
Small consultancies which provide a mix of permanent and contract staff could end up going bust because their contracting staff leave, as they are forced to put them inside IR35 by their customers.
14. Cyber Security recruitment standards could be lowered
Many organisations may lower the bar in the quest to fill Cyber Security vacancies leading to many chancers dipping their toes in the market. People who are technically capable but have no idea of how Cyber Security fits into the bigger picture.
This will lead to considerable risk for organisations as taking on less experienced individuals introduces its own set of problems. Security isn’t something that can be lowered in importance, as the risks outweigh any other benefits.
15. Cyber Security’s importance demoted
Maybe if it becomes too difficult and expensive to hire Cyber Security professionals, then organisations may just decide to cut back on recruiting in this area. They may just see it as not a big enough risk to carry on without the required Cyber Security skills. This may set a dangerous precedence in the organisation as a whole when it comes to Cybersecurity.
I’ve seen this happen before where during an interview for a cybersecurity role, it’s quickly become apparent to me, the recruiting organisation didn’t think highly enough of security and had probably suffered a security incident or a breach.
Now they have decided to recruit to fix the mess they’ve been left with. I tend to avoid these organisations and prefer proactive organisations instead of reactive ones.
Some organisations may decide to use existing resources within teams to provide security oversight. Because these organisations attach very little value to security overall, to them it’s just another part of their delivery.
“Cyber Security isn’t rocket science, one of our engineers will do it, they can easily spin up a few security tools and do DevSecOps”.
The DevSecOps silver bullet will not be the magic that stops all security issues in their tracks either, it’s just a small facet of overall Cyber Security posture and when done in conjunction with other Cyber Security elements, the overall Cyber Security posture is increased.
Getting the delivery and design people to do Cyber Security, means they end up marking their own homework with a severe bias towards the delivery part. So instead of holding up delivery because of a security issue, they simply let it slide. They won’t want to upset their colleagues and look like the blocker holding up delivery.
WHY is more important than YES
Organisations need a WHY person and not the YES person when it comes to Cyber Security. The YES person will accept every design, technical and architectural decision without question.
If there’s a design where a design decision has been made that goes against security best practice, the WHY person will need to know why this has been done? A YES person will more likely accept it as they won’t want to hold up delivery.
I tend to have plenty of WHY conversations like this:
Me: “Why do we have personally identifiable data in a non-production environment?”
Team: “Data Scientists need it for modelling”
Me: “Ok, so it’s corporately sensitive data therefore it’s secret data too?”
Me: “Why do we need this secret data in a non-production environment, where’s the business justification?”
Team: “We need it, the business needs it, the data scientists need it to do their work”
Me: “Can you provide me with the business justification please?”
Team: “Ok, we can use pseudonymised and anonymised data instead”
This is something I see a lot of in Cyber Security, where assumptions are primarily being used to make security decisions by people who don’t understand the implications of those decisions.
A good Cyber Security person needs to be impartial and not overly concerned about their viewpoint being considered blocking. I find in projects where security is engaged early on, delivery can flow without too many issues, enhancing delivery
I always believe loyalty isn’t about how hard you work or how long you have worked somewhere, it’s about how well you protect the interests of who you work for.
I spend my time making sure I’m doing as much as I can to protect the reputation of whoever I’m working for. Instead of delivering projects on time and within the budget that has the potential to cause severe reputation damage and loss.
16. Recruitment agencies will lose
Recruitment agencies aren’t particularly happy with the latest draft of the IR35 legislation, whereby they become liable for any IR35 taxes if the client can’t pay.
There’s also the pressing issue of losing out on contractors that go through their books if they decide to leave in droves and refuse to work inside IR35. It won’t be as simple as finding someone else to replace them, as there may equally be other contractors who don’t want to fill the vacant inside IR35 roles by going inside IR35 themselves.
Recruitment will get tougher
The competition will increase to recruit as everyone else will be in the same boat and will be looking for candidates to take on inside IR35 roles.
Many contractors may elect to seek outside IR35 opportunities only, or realise much later there may not be enough outside IR35 opportunities and spend a lot of time on the ‘bench’ not working.
Finally, when they realise they need a job, any job even if it’s inside IR35, they will succumb to inside IR35 opportunities begrudgingly.
This enlightenment could take months to happen, all the while the potential to earn a commission for the recruiter disappears.
Best Cyber Security Staffing firm choices? There are many cyber security staffing firms and deciding which one to choose depends on what they really know about Cyber security as most will be full of sales talk.
How to find recruiting firms specializing in security? Many of the job boards posting cyber security roles will also list recruiting firms specializing in security.