Cyber Skills Today for Economic Growth Tomorrow

DPA 21CN Skills Group Meeting Report, Thursday 24 April, 1330-1530, Westminster
Chaired by Lord Lucas, with Philip Virgo & Arthur Virgo, Policy Director, Digital Policy Alliance

1. SUMMARY

• The DPA Cyber Skills today for Economic Growth Tomorrow meeting discussed how employers seek changing skills to help them succeed against evolving cyber security challenges.
• Cyber security is a critical enabler of economic growth, fostering a stable environment for innovation and investment, according to the Cyber Security and Resilience Bill: policy statement that details the measures to be laid before Parliament later this year. The potential contribution to national prosperity of the cyber security sector was outlined by the McPartland review into cyber security and economic growth, including by reducing fraud.
• The event considered how organisations are already responding to cyber security challenges. Leadership understanding of threats and capabilities in recruitment & training can help justify spending on security, whether to support and improve public services or to grow securely and profitably. Skills are required also to meet increasing government requirements, such as plans to make digital standards a requirement for all schools.
• Government aims should support greater provision, perhaps through the efforts of organisations such as the Cyber Security Council whose mission is to enhance and expand the nation’s cyber skills, and Skills England to bring together partners to meet skills needs.
• At the end of the meeting those present were requested to help identify four areas for follow up and report back for review by July 10^th. Based on a mix of urgency, importance and the work being done by others and discussions with some of you, the following were suggested.
• A Vetting bottleneck is crippling recruitment to police, armed forces and critical infrastructure security roles.
• Employer-driven strategic workforce plans should include needs analysis, career paths, micro-credentials and delivery.
• Guidance on funding sources and use of social values legislation could pull through employer support for strategic workforce plans, as above. It could also help underpin investment in the skills development infrastructures at all levels, including training the trainers.
• Embedding of cyber into the mainstream sector and geographic skills programmes could be led by co-operation between Cheltenham (including the GCHQ/NCSC supply chain) and London (including the Cyber Tech, Fin Tech and City of London supply chains).

2. Introduction

• The DPA Cyber Skills today for Economic Growth Tomorrow meeting discussed how employers seek changing skills to help them succeed against evolving cyber security challenges.
• Cyber security is a critical enabler of economic growth, fostering a stable environment for innovation and investment, according to the Cyber Security and Resilience Bill: policy statement that details the measures to be laid before Parliament later this year. The potential contribution to national prosperity of the cyber security sector was outlined by the McPartland review into
  cyber security and economic growth, including by reducing fraud.
• The event considered how organisations are already responding to cyber security challenges. Leadership understanding of threats and capabilities in recruitment & training can help justify spending on security, whether to support and improve public services or to grow securely and profitably. Skills are required also to meet increasing government requirements, such as plans to make digital standards a requirement for all schools.
• Government aims should support greater provision, perhaps through the efforts of organisations such as the Cyber Security Council whose mission is to enhance and expand the nation’s cyber skills, and Skills England to bring together partners to meet skills needs.
• At the end of the meeting those present were requested to help identify four areas for follow up and report back for review by July 10^th. Based on a mix of urgency, importance and the work being done by others and discussions with some of you, the following were suggested.

3. Vetting

• A Vetting bottleneck is crippling recruitment to police, armed forces and critical infrastructure security roles.
• Topics to explore might include the use of AI to trawl the internet in support of some form of annually updated SC+ clearance linked to shared records of qualifications and experience.
• This exercise might be linked to working with the Better Hiring Institute to promote good practice among the cyber and digital industries who are currently left out of their guidance, and with Jobsaware to address recruitment fraud – from North Korean avatars infiltrating software houses, to fraudsters impersonating well know employers or recruitment agencies, including to harvest the credentials of those looking to change jobs.
• If so, it should also be linked to the need to Government digital identity policy in the controversy over the security of uk One Login and other Government issued/mandated identities.

4. Workforce plans

•  Employer-driven strategic workforce plans should include needs analysis, career paths, micro-credentials and delivery.
• Efforts towards this would be to follow up on the DPA Skills Round Table in November 2024 inputs of the missing skills plans in the Government Industrial Strategy and subsequent discussions summarised in Will Skills England be allowed to change the course of the Government’s inherited policy Titanic?
• The bulk of the global skills and training market have long been for modules which can be mixed and matched by large employers to in house training programmes, whether for first entrants or, more commonly, to upskills and/or cross train mature staff and/or recruits. This is an alien concept for those involved with public sector skills policy. The difficulty of securing the necessary change of priority will not be easy after a century of focus on filtering for academic research skills.

5. Guidance on funding

• Guidance on funding sources and use of social values legislation could pull through employer support for strategic workforce plans, as above. It could also help underpin investment in the skills development infrastructures at all levels, including training the trainers.
• This is a big exercise and the original suggestion was to begin with the work done in the past by OCN London to advise FE Colleges and others looking to provide publicly funded delivery of the programmes it accredits. This might lead into a joint exercise to engage with the relatively small number of employers (possibly under a thousand) who engage with local skills plans and take on most of those trained at public expense.

6. Embedding of cyber into the mainstream

• Embedding of cyber into the mainstream sector and geographic skills programmes could be led by co-operation between Cheltenham (including the GCHQ/NCSC supply chain) and London (including the Cyber Tech, Fin Tech and City of London supply chains).
• Forty years ago, the digital industries punched above their weight when it came to influencing skills programmes and got used to thinking they were special and doing things differently to other industries.
• The Digital and Cyber Industries still do things differently. This is now, however, a weakness when it comes to obtaining board level understanding and support, let alone influencing mainstream skills policy at a time when AI is transforming bot threat and response.
• The suggested objective is to identify and engage with the relatively small number of employers who recruit in sufficient volume to know the mix of talent, skills and experience they want. They would then be invited to help transform the supply of those with the currently relevant cyber and AI skills they want by driving the switch to using libraries of accredited micro-modules. This will entail identifying what is already available and its quality/relevance and then organising the processes to fill gaps and ensure a flow of new modules to keep abreast of change, from needs analysis and delivery to specifying the modules their recruitment processes.
• The DCMS Cyber workforce analyses that about two dozen organisation employ over half the professional workforce and do rather more than half of all training. They include GCHQ/NCSC, MoD, BAe, BT, Vodafone, KPMG, Deloitte, PWC, Accenture. AWS, IBM, CGI, Microsoft and Google/Mandiant. If compliance and counter-fraud are included then Barclay, NatWest, HSBC, Lloyds and some of their collective supplies can be added. Many are supporters of the STEM operations of Governors for Schools the Careers and Enterprise Company and/or co-operate with Good Schools Guide team on careers events.
• They might be encouraged to sign up to common job/role descriptions liked to suitable personality qualities/profiles statements (as opposed to ubiquitous advertisements looking for unicorns) and statements akin to: “When we are looking at job applications from young people, or from people coming in from other careers – which we welcome, because we need good people wherever they are from and gain from a diversity of prior experience, the candidate having completed course/module X will always be a strong plus.”
• The issue is to bait the hook for the employers, bearing in mind that most efforts to date by the cyber professional bodies (including via the Cybersecurity Council) have failed to get beyond cyber professionals talking to each other. It may well be that this is best done by also addressing vetting and recruitment processes in the same exercise.

7. AI/Cyber Micro-Accreditation

A draft proposal for Employer Led AI/Cyber Micro-Accreditation Needs Analysis was subsequently provided, with thanks to Mike Weston-Burt.

Co-Creating Our Future Workforce: A Comprehensive, Employer-Led Skills Needs Analysis for Cyber, Web3 & AI

• The UK faces a rapidly evolving tech landscape, but current education and job classifications are lagging behind. Many graduates hold degrees that do not match real workplace needs, while employers report shortages of people with the exact technical and practical skills required for emerging fields. To address this, we propose a national pilot in which leading employers from all sectors directly define the skills and capabilities they need in cybersecurity, Web3 and AI roles.
• The pilot will gather employer input through surveys, structured interviews, and collaborative workshops to create practical tools like sector-specific skills maps, detailed job-role profiles, and demand forecasts. This employer-driven framework will enable training providers and government planners to align curricula and reskilling programs with validated industry needs. If successful, the pilot can be scaled up nationally to keep the UK’s workforce agile in fast-changing technologies.
• To secure the UK’s position as a global leader and ensure your organizations thrive, we require a workforce equipped with practical skills directly aligned with your needs. Traditional academic classifications often fail to capture the nuanced skill sets required on the ground, leading to talent gaps and inefficient training.
• We propose a transformative solution: a comprehensive skills needs analysis driven directly by employers to define the precise competencies critical for success in Cyber, Web3, and AI. By collaboratively identifying these skills, we can:
  * shape highly relevant training and educational programs,
  * develop a robust talent pipeline,
  * future-proof our industries and boost the UK’s economic competitiveness, &
  * provide clear pathways for individuals looking to upskill or reskill.

The Proposed Pilot Framework, engaging leading employers across all sectors, will assemble a diverse working group of organizations interested in emerging technologies. Data collection will include:
* structured surveys,
* one-to-one interviews,
* sector workshops or focus groups, &
* analysis of job postings and market data.

Outputs will be clear deliverables like sector-specific skills maps, detailed job-role profiles, demand forecasts, and training recommendations. These findings will inform policy and curriculum changes.

• In conclusion, this proposal calls for a bold, employer-centred pilot to define the UK’s skills needs in cybersecurity, Web3, and AI. By engaging businesses nationwide and gathering input, the pilot promises practical benefits: more relevant education programmes, better planned reskilling, and a workforce equipped for the technologies of today and tomorrow. It would move the UK toward a new model of skills development, ensuring our economy and citizens thrive in the digital age.