Whose needs are UK Cyber Skills policies intended to meet?

 The headline in the latest DSIT Cyber Security Skills report, that half of all UK businesses (739,000) have a gap with regard to basic cyber skills, has to be put in context.

90% of UK businesses have fewer than ten staff. They have no-one full time on digital, let alone cyber. Their needs are assumed to be similar to those of larger organisations. There is no evidence for this. Hence  the need for a separate exercise  to research the cybersecurity needs of the Micro-Businesses and sole traders who account for about 30% of UK private sector employment and about 17% of turnover.

That said, the DCMS/DSIT Cyber Security Skills ,  Cyber Security Sectoral Analysis and Cyber Security Breaches  reports have now been running in similar format for long enough to confirm the patterns and trends with regard to the skills needs of the supply sector and of medium to large users.

Review of the 2023 DSIT report: Cybersecurity Skills in the UK Labour Market 2023

The conclusions at the end of the 2023 DSIT Cyber Security Skills report are more interesting than the summary at the beginning. They include an implied criticism of the failure to act on the conclusions from previous reports (included as an Appendix).

I will begin with the last of the conclusions:

  • we heard positive feedback on the UK Cybersecurity Council’s Career Route Map but awareness is currently low.

“Employers said it was valuable to the roles and specialisms laid out in one place … “. While it would indeed “be beneficial to raise the profile of the Career Route Map”. That is not enough. It is important to put the Council’s Career Route Map into wider UK careers guidance context.

Last year the DfE Review of skills taxonomies recommended use of the US Occupational Information Network (OIN) with the definitions for Digital Skills expanded in line with SFIA . The OIN uses the NIST cybersecurity Framework . This is mandatary for those doing financial services business in the US and has already been mapped onto SFIA. The plans under discussion to similarly map the Cybersecurity Council career pathways on to SFIA need to be expedited if they are to acquire parity with those used by professional bodies and employers operating to global standards and/or by mainstream DfE funded careers advisors.

Meanwhile the US NSA has worked with industry to produce the Enduring Security Framework which could also be used to provide a framework for accrediting micro-modules to enable the technical skills of those for whom cyber is a part time responsibility to be quickly and cheaply upgraded.

OCNLONDON (originally set up to accredit FE courses to Ofqual standards and thus public funding) has just agreed a framework arrangement which will enable the micro-modules it accredits to be linked to the relevant SFIA modules. Part of the aim it to also make it much easier for those following long academic, apprenticeship or professional programmes to accredit their competence to do specific technical tasks and “earn while they learn”.

  • Demand for cyber security professionals continues to rise although there were signs of a slow down in the second half of 2022

That slow down appears to have continued. Cyber is not immune from the pressures as large employers freeze recruitment and training in the face of global recession. They are seeking evidence that spend on cyber reduces cost/risk, hence the growing demand for soft skills, including to win budgets, and for generalists, as technical specialisms are outsourced and/or automated.

  • New Estimates for proportions of the workforce within the cyber sector in specific roles highlight the high prevalence of generalists

 Since this is a new analysis, it is not clear whether this is actually a growth, or was always there. Outside the supplier sector it is the “norm” and most are retrained users without cyber qualifications. Hence programmes like  One Million Certified in Cybersecurity – Free (ISC)2 Certification Exams to tap the opportunity.

  • There has been a rise in roles advertised that can be undertaken remotely …

There was a sharp from 13% in 2020 to 21% in 2021 and 28% in 2022. It is too soon to see whether the recent backlash against home-based, as opposed to hybrid, working will extend to cyber.

  • Training and development present a dilemma for employers in a tight job market

This is not a new dilemma. There have been regular digital skills merry-go-rounds over the past fifty years, with peaks during the run-up to decimalisation, financial services big-bang and Y2K. I summarised past strategies for recruiting and retaining those you want to keep in a presentation to SASIG earlier this year – published here: Making sense of the UK Cybersecurity Skills market .

  • There is an upwards trend of businesses lacking confidence in their incident management skills.

“Among those businesses that do not outsource incident management, 4 in 10 (41%) are not very or not at all confident that they would be able to deal with a cyber security breach or attack compared to 27% in 2020. This may be due in part to perceptions that the threat landscape is becoming more challenging.” !!!

Meanwhile there has been no action on the recommendations the 2021 report, beginning with “The existing NCSC guidance for communicating cybersecurity risks to board members should be reviewed and, if necessary , updated …”.

  • Diversity of the workforce is consistent and widening the talent pool remains a key challenge.

 That the inclusion/exclusion of a single “outlier” changes the proportion of female workers from 37% to 17% while only 12% of cyber security undergraduates are female indicates that the gender diversity is more serious problem than ethnic and neuro-diversity, indeed some male ethnic groups are disproportionately represented in the cyber sector workforce.

The means of improving gender diversity were identified during the first Women into IT Campaign (1988- 94 when the funding ran out).  It is apparent that they remain unacceptable to most employers as well as to those responsible for Government skills policy. An example of the latter is the failure to allow employer funded/organised family care (i.e. dependent relatives as well as children) to be tax exempt.

Other highlights, albeit similar to those in the reports for previous years which I have previously reviewed, include:

  • Only half those surveyed have confidence they can handle the basic tasks laid out in cyber essentials.
  • there is a gulf between the skills needs and priorities of the cyber supply sector and those of its customers, large and small.
  • cyber is a part-time responsibility, often for a single individual, added to other roles, in over 80% of the users surveyed.
  • most users do not access or use current guidance and/or skills provision.
  • Nearly 40% of cyber suppliers have no staff with, or working towards, cyber qualifications.
  • only 7% are large enough to be capable of running internally organised/supervised apprenticeship and other skills development programmes (i.e. have more than 30 in-house cyber technicians/professionals).

My own conclusions include:  

  • There is still a lack of basic analysis as to what cyber skills are needed by who to do what and evidence as to how that will indeed reduce the risk of their employers being victimised.
  • The skills and career paths needed by the small number of suppliers who employ much of the membership of the professional bodies have been extrapolated.
  • Most supplier, let alone user, teams are too small to do in house training.
  • A surprisingly high proportion of those they employed by suppliers have no professional or other relevant qualifications/certifi
  • Few users have any in-house professionals with full time responsibility for cyber. It usually an add on for those with other roles.
  • Many users, perhaps most, want to pay for cyber security, including incident management, as a service – but only the largest can afford to do so.
  • Training providers, recruitment agencies and employers are confused and, in consequence, use definitions drafted by the committees of past practitioners

P.S. Thirty years ago I was a reviewer for the predecessor to SFIA and used to replace “must have X years experience” by “must have done a, b, c, d and e at least once”.

Twenty years ago I was involved with another framework and watched the employers walk away as the careful and detailed needs analyses offered by a leading industry training provider were replaced by meaningless NVQ speak.

Today I am merely an observer and, when asked, mentor to those trying to avoid repeating the mistakes we made.

Data Center
Data Management