The UK’s cyber security sector workforce falls behind other sectors of the IT industry on both gender and ethnic diversity measures, and very few businesses have bothered to adapt their recruitment processes or carried out any specific activities to encourage diverse applications.
This is according to a report published by the Department for Digital, Culture, Media and Sport (DCMS), which also highlighted a widespread and ongoing skills crisis around security.
In the Cyber security skills in the UK labour market 2020 report, DCMS revealed that just 15% of security professionals are women, compared with 28% in the wider industry, and just 16% come from a minority ethic background, compared with 17% more widely.
The report also highlighted that just 9% of security professionals are neurodivergent, although meaningful and reliable comparison of this measure against the wider industry is not yet possible – DCMS nevertheless said it found a concerning lack of awareness of neurodiversity in the sector.
The research process highlighted a number of barriers and challenges to increasing the diversity of Britain’s cyber security workforce. DCMS said that while diversity was seen as more important, there remain pockets of scepticism, with some interviewees claiming the topic was overemphasised, or no worse than in other digital sectors, and therefore not a problem.
Many respondents also said they did not view a diverse workforce as a means to help tackle the skills shortage in security, focusing instead on non-specific benefits.
Beyond measures of diversity, DCMS found deep-rooted problems around the lack of security professionals with appropriate technical, incident response and governance skills.
The report estimated that 48% of all UK businesses have a basic security skills gap, meaning that if they even have a responsible person at all, they lack the confidence to meet the fairly basic Cyber Essentials requirements, and nor are they getting support from their suppliers or managed service providers. The most common areas found lacking were around firewalls, data storage and transfer, and fighting malware.
Approximately 30% of businesses had more advanced skills gaps in areas such as penetration testing, forensic analysis and security architecture, and 27% had gaps when it came to incident response.
However, even more concerning was that this trend continued into the security sector itself, among both job applicants and existing employees, with two-thirds of cyber security firms saying they had faced problems with skills gaps, notably around threat assessment and risk management; assurance, audit, compliance or testing; research; systems implementation; and governance and management.
A third of security firms said applicants for jobs frequently lacked non-technical skills such as communication, leadership and management, and a slightly smaller number said their existing employees lacked these skills.
Just under 70% of cyber security firms had tried to recruit someone in a cyber role in the past three years, and 35% of these vacancies had been hard to fill, mostly due to lack of technical or soft skills. The most dificult-to-fill vacancies tended to be the most high-level ones.
“It’s hard to find the right people to fill cyber security roles, there’s no two ways about it”
Ben Tuckwell, RSA
In-demand skills included network engineering, risk management and technical controls, operating systems and virtualisation, and cryptography and programming.
Recruiters revealed that other challenges they faced included inappropriately high salary demands, particularly with regard to high differentials between London and the rest of the UK, and people over-egging the pudding when it came to their expertise and experience. Others said they found it hard to align the job descriptions they were writing to current qualifications, and complained that existing role frameworks don’t map very well to qualifications.
“Skills gaps and skills shortages continue to affect a large number of organisations. There needs to be more investment in technical skills and training, within the cyber sector and the wider economy,” wrote the report’s authors.
“Schools, universities and training providers need to give young people and training recipients a holistic skillset, covering the relevant technical skills and soft skills that employers demand, and the ability to implement those skills in a business context.”
DCMS conceded the security jobs market was a challenge to navigate, and suggested employers, recruitment agents and job applicants could benefit from more guidance in this regard.
RSA’s UK and Ireland district manager, Ben Tuckwell, said he was not surprised by DCMS’s findings. “It’s hard to find the right people to fill cyber security roles, there’s no two ways about it,” he said.
“One big piece of recruitment advice for businesses would be to look after your own, as word of mouth and recommendations go a long way. Similarly, if you provide a supportive and interesting environment to work in, then you will encourage more people to join,” he said.
“Recruiting cyber skills is only half the battle – the other half is retaining staff and making sure new recruits are effective in their roles,” he added. “For the former, businesses should look for technologies that can help keep existing security teams interested and engaged, as well as operating more proactively, rather than, for example, constantly responding to security alerts. For new recruits, training that covers the full depth and breadth of the digital risks the business is facing is critical, yet often sporadic.”
The shortage of skilled security professionals is creating an active recruitment market, with over 80% of CISOs saying they would consider a new role if approached.
