Research from the Center for Cyber Safety and Education found that more than half of UK companies do not have enough IT security staff to deal with cyber attacks and only 6% were willing to recruit a university graduate.
It found that 66% of UK companies do not have enough information security personnel to meet their security needs, which, it argues, is impacting economic security.
Its Global Information Security Workforce Study found that the world faces a workforce shortage of 1.8 million information security workers by 2022, and warned companies must look to millennials to fill the gap.
However, the report claimed that employers are "closing the door on millennials", refusing to hire and train inexperienced recruits.
Almost half (47%) of UK respondents said that the main reason for the skills shortage was that it was difficult to find the qualified personnel they required, and 46% reported that the shortfall was having a significant impact on their customers.
Only 12% of the cyber security workforce is under the age of 35, which shows the dwindling pipeline of talent entering the industry at a younger age, the report said.
It also found that SMEs could be suffering from being priced out of the cyber security talent market, as three quarters of UK security professionals earn over £47,000 a year and 39% earn annual salaries of over £87,000.
The study explained that the skills shortage is inflating salaries as more businesses compete for scarce talent.
Adrian Davis, managing director at (ISC)², one of the sponsors of the report, said, “A continuing industry refusal to hire people without previous experience, and a failure to hire university graduates means Britain is approaching a security skills ‘cliff edge’ due to the perfect storm of an ageing cyber workforce going into retirement and long-term failure to recruit from the younger generation.
“We need to see more emphasis on recruiting millennials and on training talent in-house rather than companies expecting to buy it off-the-shelf. There is a need to nurture the talent that is already in this country and recruit from the fresh pool of talent that is graduating from university.”
Of the 19,000 cyber security professionals surveyed worldwide, 1,000 were based in the UK, and included personnel across banks, multinationals and government bodies.
The report said that 22% of UK respondents currently expect their companies to take more than eight days to repair the damage if their systems or data were compromised by hackers, which is longer than the legally required window for publicly reporting breaches.
From May 2018, the EU General Data Protection Regulation will impose a mandatory 48-hour window for disclosing data breaches.
Richard Horne, cyber security partner at PwC, said, “Supporting and developing the next generation of cyber security talent is essential to the future of the industry.
“We believe it's important to help our graduates experience the many different paths a career in this field could follow by offering a rotation programme around our teams, ranging from threat intelligence and incident detection and response to security transformation programmes and legal and regulatory compliance.
“Cyber security roles can often be seen as purely technical but today's well-rounded cyber security expert has a diverse skillset, with not only technical knowledge but also wider business skills like creativity, organisation, relationship-building and communication.”
Lucy Chaplin, manager at KPMG’s financial services technology risk consulting, said, “Industry is experiencing a talent shortfall because employers are too focused on recruiting people with existing cybersecurity experience, which is like complaining that there’s a shortage of pilots but refusing to hire anyone who is not already an experienced pilot.
“We find that hiring and training inexperienced people pays off in better retention rates and a more diverse workforce.”