Businesses across the UK continue to suffer from a basic cyber security skills gap, with supposed security leaders at approximately 50% of organisations saying they lacked the confidence to carry out the most basic tasks as outlined in the NCSC’s Cyber Essentials programme, or lacking appropriate support from third parties.
This is according to the latest data on the security jobs market produced by the Department for Science, Innovation and Technology (DSIT).
The study, Cyber security skills in the UK labour market 2023, also revealed that about a third of organisations had a more advanced skills gap, particularly when it came to aspects of security such as forensic breach analysis, storing or transferring personal data, or detecting and removing malware. Additionally, 41% of organisations also lacked capabilities around incident response and recovery, and were not outsourcing this.
However, added the report’s authors, those figures all appear to be relatively static compared to 2022 and 2021, suggesting that even though UK organisations are clearly failing to improve their security postures, they are at least not falling backwards.
According to the evidence gathered for the report, security leaders also found it particularly challenging to engage their bosses on cyber matters, or found that their bosses acknowledged the issue but didn’t prioritise it.
Other constraints included poor resourcing and job pressure, with many security leaders bearing additional responsibilities on top of security saying they felt pulled in multiple different directions. In around 84% of cases, security leaders had absorbed cyber tasks into a pre-existing role.
More concerningly, the DSIT study found skills gaps were also common in the security sector, with 49% of cyber firms having faced problems with technical skills gaps among existing staff or job applicants, and 22% having existing employees who lacked necessary technical skills, especially in areas such as testing, governance and risk management, and secure system architecture and design.
The study found there were just over 160,000 cyber job postings in the UK in 2022, up 30% on 2021. Of these open roles, around 37% were hard for organisations to fill, down from 44% in 2021. There is currently an estimated shortfall of 11,200 people needed to meet demand, down about 3,000 from the previous survey, likely down to general economic headwinds.
“Businesses need to recognise that the talent market has become increasingly competitive. When scoping new talent for cyber, organisations need to widen their hiring vision. Companies should ensure that they are looking at both experienced technology specialists, who might have a less extensive security background, as well as people entering or re-entering the workforce who have great ‘raw’ ability,” said SailPoint EMEA senior vice-president, Steve Bradford.
“Businesses also have a vital role to play in terms of teaching and education. Companies should be investing in training programmes and mentor schemes that help to upskill their existing and new talent. They should also teach their employees new hard skills and offer technical training – this helps take pressure off talent influx.
“Finally, businesses need to remain competitive by ensuring that their compensation and salary packages are appealing, but there’s a caveat here – company culture still matters. Often the companies that pay the most need to do so to attract people into high-stress environments. You can’t hold talent hostage with combat pay – you need a positive working atmosphere, and with this you’ll be better equipped to attract and retain talent.”
In terms of the diversity of the security workforce, the figures remained broadly consistent, with 22% of cyber employees hailing from an ethnic minority background (14% in senior roles); 17% women (14% in senior roles), 12% neurodivergent (6% in senior roles), and 7% physically disabled (3% in senior roles).
The study noted that the proportion of cyber roles held by women in particular remained lower than in other digital sectors, and has also fallen back 5% year on year, although DSIT deems this “not statistically significant”. The figure for ethnic minorities was conversely higher than in other digital industries.
Respondents to the survey tended to feel there had been progress on addressing diversity in cyber over the past few years, thanks to increasing focus on the issue from organisational leadership, and a growing awareness of the benefits of diverse teams. Yet only 40% of organisations that had recruited cyber roles since January 2021 had taken any steps at all to adapt their recruitment process to encourage diverse groups to apply, and where they did, efforts tended to skew towards entry-level jobs.
Respondents also said they felt uncertain how to go about recruiting diverse groups, and worried about the costs associated with doing so.
Cyber Career Framework starting to have an impact
For the first time, the 2023 report explored the impact of the UK Cyber Security Career Route Map – also known as the Cyber Career Framework – developed by the UK Cyber Security Council. This is a set of 16 security specialisms that are collectively based on the Knowledge Areas contained in the Cyber Body of Knowledge (CyBoK).
The Cyber Career Framework specialisms
- Cryptography and communications security;
- Cyber security audit and assurance;
- Cyber security generalist;
- Cyber security governance and risk management;
- Cyber security management;
- Cyber threat intelligence;
- Data protection and privacy;
- Digital forensics;
- Identity and access management;
- Incident response;
- Network monitoring and intrusion detection;
- Secure operations, secure system architecture and design;
- Secure system development;
- Security testing and vulnerability management.
DSIT said it found that the most prevalent specialism in the security workforce was that of cyber security generalist – 61% of cyber sector firms had people working in a generalist role, and together generalists comprise just over a quarter of the entire cyber workforce. There is a more even spread across the other specialisms.
In general, reaction to the framework was positive, with employers and recruiters feeling it was useful to have individual roles and specialisms set out as it could aid in understanding what skill sets they needed to better account for.
However, the DSIT study highlighted gaps in overall awareness, with most who participated in the research never having heard of it, while in some instances, mostly in organisations outside the cyber sector, the framework was thought to be too specialist and hard to understand.