UK faces significant cyber talent shortfall

The UK’s cyber security sector faces a significant shortfall in the number of skilled professionals joining the industry every year, according to new statistics compiled for the Department for Digital, Culture, Media and Sport (DCMS) by pollsters Ipsos Mori.

The report found that with a total security workforce of somewhere between 98,000 and 171,000 – for argument’s sake, DCMS’s report assumes the mid-point of 134,500 – and demand for cyber security professionals growing by 9% in 2020, the workforce needs to increase by 12,000 a year to meet expected demand. But between 4,000 and 7,000 individuals leave the sector each year, so this figure can be assumed to be more like 17,500.

However, the data reveals there are only about 7,500 new recruits entering a career in cyber every year – 4,000 university graduates and postgraduates, 2,500 people undertaking career conversion or retraining (not necessarily ballet dancers), and 1,000 coming out of apprenticeships, leading to an extrapolated shortfall of 10,000 people every year.

In the report, Understanding the cyber security recruitment pool, DCMS said this highlighted the need to rapidly address the security skills shortage to mitigate issues such as loss of talent and experience, challenges in staff retention and productivity, and people quitting having burned out.

It also warned that left untreated, the extent of the shortfall will worsen as demand for security talent continues to exceed supply by every metric, a situation that shows no sign of changing.

The report found that employers were struggling to fill security roles, particularly specialist ones for those with some experience, but at the same time training providers and recruiters seem to think the level of demand for security training and jobs is high, which may imply a lack of suitable candidates in the recruitment pool.

Some of the stakeholders who responded to the poll did indeed feel there was an insufficient quantity of candidates – while others said there was too much emphasis on trying to find the perfect fit for the role, which left entry-level applicants, many of them with strong transferable skills around leadership and project management, languishing simply because they do not necessarily have all the needed technical skills yet.

Other barriers to entry noted in the report include poor awareness among the general public of security, unsuitable recruitment methods turning people off, and a lack of education and information on security careers. There was also a noted lack of diversity in multiple areas, including gender, ethnicity and neurodiversity – all under-represented groups.

However, despite recognising these challenges, those who responded to the study felt the future of the recruitment pool was positive and that interventions, such as the National Cyber Security Centre’s CyberFirst schemes, were working. People tended to agree that the increase in digital employment more generally was making IT training more accessible, and that this would ultimately broaden the pool both in terms of numbers and diversity.

Respondents felt that continuing successful education interventions, and reskilling, will eventually bring a wider range of people into cyber, and also noted that the pandemic and its forced emphasis on remote working could help improve the working environment for many.

Examining the outlook for cyber recruitment, Amanda Finch, CEO of CIISec, said: “Cyber security recruitment is in need of an overhaul, with communication between recruiters and organisations currently poor. The fact is, challenges in recruitment come from all sides – from organisations being unclear or over-demanding and recruiters not understanding the roles, to a lack of confidence or skills from applicants.

“Rather than pointing the finger, we need a collaborative approach to addressing these issues. One example is unrealistic and intimidating job descriptions which over-exaggerate the skills and experience needed for a role. Considering that women only apply for roles they are 100% qualified for, while men will apply if they meet 60% of the qualifications, this approach may be alienating women and other minority groups.”

Finch added: “Communicating the fundamentals of a position – who the organisation wants to hire, what skillset is actually needed, what training applicants can receive – is crucial, as is providing accurate job descriptions. It is also vital to give HR and recruitment staff a greater voice.

“This could be through welcoming them to speak at cyber security events, sit on panels or join webinars. This way, HR and recruiters can join the conversation, and make sure the whole organisation understands exactly what it needs.”