As the implementation of relevant laws and policies drive the large expansion of the data security industry, the incremental market is bound to grow with the increasing new demand. Hays, a leading global professional recruiting group, suggests that challenges and opportunities coexist, and China’s data security sector will benefit from the regulation in the long run with the forming of a more sustainable development environment for the industry. In the short term, however, there is a tremendous gap between the demand and supply for talents in the data security industry.
In July 2021, China’s Ministry of Industry and Information Technology released a three-year draft action plan for the high-quality growth of the cybersecurity sector (2021-2023). According to the draft plan, the scale of the cybersecurity industry is expected to exceed RMB 250 billion by 2023, with a compound annual growth rate of over 15 percent. The cybersecurity investment in key industries such as telecommunications should account for 10 percent of the total investment in digitalisation.
On 1 September, China’s Data Security Law officially took effect, which marks another major legislative milestone in maintaining information and digital security since the ratification of the Cybersecurity Law in 2017. At the same time, China’s Personal Information Protection Law (PIPL) is expected to come into force on 1 November 2021. The PIPL will work together with the Data Security Law and the Cybersecurity Law to form the legal framework of data governance and become an important cornerstone for ensuring digital security and the development of the digital economy.
Data Security Law: short-term impact vs long-term development of the industry
When it comes to the impact of the legislation on the data security industry, Jessica Wang, Managing Director of Hays China believes that the 2017 Cybersecurity Law could act as an overall framework for data security, while the Data Security Law and the PIPL would provide enterprise entities with detailed guidance and corresponding punishment measures in terms of the usage, storage, transfer, and destruction of information and data. This will help enterprises clarify their obligations and responsibilities. Meanwhile, the latter two laws can help phase out enterprises that mishandle or illegally collect and use data. Therefore, these three laws will eventually promote the long-term and sustainable development of the data security industry.
For some industries like the internet, finance, and consumer goods, data collection and data use are obviously key to core business which usually requires high frequency and extensive use of data to make strategic decisions. Thus, the legislation on the security of data collection and data use determines the foundation for the long-term growth of enterprises in these fields.
Jessica notes that usually multinational corporates have considerable experience in compliance, especially with regulations for data security. For example, the General Data Protection Regulation (GDPR) has been put into effect in Europe since 2016 which businesses operating in the region are already quite familiar with, which makes it easier for MNCs in China to adapt to the changing regulatory environment. On the contrary, it is of great significance for domestic enterprises to improve the awareness of relevant laws and regulations of data security and make strategic plans on recruiting talents, whether they operate domestically or plan to expand into overseas markets in the future.
In addition, more enterprises have attached greater importance to data security issues due to the further systematisation of government monitoring and regulations. As a result, service providers in data security see huge growth potential; businesses including cloud services, network security, threat detection, and response may become the infrastructure to the economy. We may see continuing rise of new companies and expansion of subdivisions in data security.
The huge growth potential in the data security industry is not only beneficial to talents but also reflects the current talent shortage in this field.
Talent shortage: a long-term issue
At the 2021 Cybersecurity Talent and Innovative Development Summit and the 6th China Information Security Talent Training and Employment Seminar, industry leaders agreed that the transformation of the digital industry requires reconstruction and upgrade of organisations and skills. It is necessary to establish an internet security talent pool with balanced and comprehensive capabilities.
According to the latest number, each year there are only 20,000 graduates major in cybersecurity, and the cybersecurity talent shortage in China is about half a million to one million. “The estimate is in fact quite conservative. After the implementation of relevant laws and regulations, the explosive growth of the data security industry will highlight the pressure of recruiting talents for both corporates and service providers.” Jessica said.
According to the 2021 Hays Asia Salary Guide, the annual salary of junior level staff in cybersecurity ranges from RMB 300,000 and 800,000, and it is likely to rise by around 30 percent. Despite this, the talent shortage cannot be solved easily in the short term. “The current situation is that there is a talent shortage of all levels of positions, and the demand for talents is greater than ever,” Jessica added.
With the acceleration of digitalisation in various industries, many other sectors related to cybersecurity face talent shortages involving financial technology, biopharmaceuticals, and traveling apart from the internet sub-sectors such as software providers, cybersecurity, cloud services, and social media.
Jessica addressed the middle and high-level positions of this field such as data protection officer (DPO) are usually provided with considerable pay, with annual salary usually ranging from RMB 800,000 to one million while large internet tycoons may even offer RMB two to three million. However, qualified candidates are rare to find. On the one hand, suitable candidates are required to have work experience for over a decade, which only a few can meet the requirement in the domestic talent pool. On the other hand, it also needs all-rounders who are possessed of strong technical skills and are familiar with laws and regulations. In this sense, the sector is now under a circumstance with “many job vacancies but only a few candidates”.
In addition, Hays notices that a group of candidates are making a “mid-life career switch” to data security from other IT professions, i.e., programming or software engineering. Nevertheless, this practice is not enough to address the talent gap. Jessica emphasises that China is now urging universities and technical schools to train data protection and information security-related talents which now many universities have set up relevant majors to make up for the talent gap.
Candidates expect to improve comprehensively as employers call for all-rounders
Despite the talent shortage, the data security industry also is suffering from the unmet demand for comprehensive capabilities. The continuous progress of digital technology and the digital transformation of the real economy cannot develop without professional and innovative talents who master digital technology and can scientifically analyse and deal with data.
The demand for candidates’ capability changes with the gradual improvement in the requirement of the government and enterprises for data security. According to Jessica, in general, the most competitive candidates in this field are those who graduate from top domestic universities with relevant degrees, while capable of learning new and complex things quickly. Besides, companies mostly favour all-rounders who understand laws and regulations, corporate governance, and risk assessment with a solid foundation in technology and the potential for continuous growth at the same time.
Responding to the concern of overheating of the data security sector, Jessica believes that nowadays data security is quite like programming decades ago, in which programming has already become an indispensable part of the infrastructure for the economy, and so will data security be. We may expect more diverse positions to thrive in the field and demand for talent acquisition will remain active in quite a long time.
For companies urging for candidates, Hays suggests corporates should build independent salary systems and standards based on market conditions for relevant positions and clarify the importance of data security at the level of corporate governance, which will eventually helpattract suitable talents.