
The UK’s cyber security sector is thriving, but our work has only just begun

The government’s Annual Cyber Sector Report painted a positive picture of the UK security industry. CIISec’s Amanda Finch thinks we can go further in developing cyber talent and opening up the sector

The media narrative around cyber often warns of a fast-growing cyber crime economy. So it was heartening to read the government’s Annual Cyber Sector Report last week. It revealed a double-digit surge in both newly created jobs and total revenue growth in the UK’s cyber security industry. Yet while it’s great to see the progress made so far, and the various initiatives the government has launched over recent months and years, there is still a long way to go.

The UK needs a diverse industry that nurtures and supports individuals throughout their careers. And it needs to work harder to professionalise the sector, to help transform cyber security from a technical to a vital strategic concern, for all organisations.

A multibillion-pound sector

The Department for Digital, Culture, Media and Sport (DCMS) report is full of positive news. Some 6,000 new jobs were created in the sector over the past year, a 13% year-on-year increase that brings the industry close to employing 53,000 full-time equivalents (FTEs). Total annual revenue is up 14% to top £10bn, while gross value added has surged by one-third over the past year to reach around £5.3bn.

More than half of the estimated 1,838 cyber security firms currently operating in the UK are also based outside of London and the South East, highlighting how the industry can be a force for societal and economic regeneration in various parts of the country.

It is fair to say the government now understands the strategic importance of cyber security to the country and its businesses. Its own report last year revealed that half of UK businesses have cyber skills gaps. It also claimed that 680,000 businesses have staff in charge of cyber security who lack the confidence to carry out basic tasks laid out in the Cyber Essentials framework.

That is why there has been a range of initiatives from Whitehall, including CyberFirst courses for 11-17-year-olds, a bursary scheme for undergraduates, new apprenticeship standards, and a range of cyber skills boot camps for those aged 19-plus. These will, hopefully, help to create a pipeline of talent to enter the workforce in the years to come.

The Chartered Institute for Information Security (CIISec) also welcomes the government’s attempts to professionalise the industry through a Cyber Security Body of Knowledge initiative which is intended as a resource to underpin education, training and professional development. And it’s great to see the UK Cyber Security Council established as a professional authority for cyber.

What CIISec is doing

CIISec complements these efforts with its own work, designed to encourage new people into the industry and offer new opportunities for those working in other fields to switch careers. The institute and board member Kevin Streater were instrumental in developing the Cyber Security Technician Standard at Level 3, recently approved by the Institute for Apprenticeships and Technical Education (IfATE).

CIISec also recently announced that it is managing the UK’s first-of-its-kind CyberEPQ, designed to support cyber apprentices and offer a starting point for anyone considering a career in cyber security. This builds on CIISec’s established development programmes, offering opportunities for new graduates and career changers.

Alongside providing an introduction to cyber, CIISec aims to help those taking the EPQ to make the next steps in developing a career in security. This sees support offered through apprenticeship programmes and university options as part of the Academic Partner programme. The aim here is not only to encourage new blood into the industry, but to support practitioners throughout their careers, from entry level to retirement.

Cyber security is a sector like no other. It moves at such a pace that ongoing career development is essential to ensure that individuals can maximise their opportunities and continue to contribute long into the future.

Part of this support is underpinned by CIISec frameworks, which offer a clear explanation of what is required to fulfil a specific role at a specific level. This approach helps to provide a more coherent path for career progression by helping candidates understand what options they have available, and what skills and knowledge they need to step up to the next level. It is also useful for employers in that, even if candidates don’t have the required certifications, their capabilities can be compared against the role to assess suitability.

Opening up the industry

This is the key to professionalising the industry. On the one side, there are accredited qualifications, so employees and employers are clear about what skills candidates have. And at the same time, they have reliable frameworks to understand what skills are needed for specific roles. With this information to hand, employers have the confidence that they are hiring individuals with the right skills, while candidates know they are definitely the right person for the job.

Given the scale of skills gaps in the industry, there may be a temptation otherwise to hire the wrong people for specific roles. This way, both sides have the transparency they need – employers to identify and fill gaps effectively, and employees to plan their careers with greater confidence.

The hope is that with greater clarity around skills and requirements, the industry will be able to open up and showcase the diverse range of roles that individuals can take. From analyst to cryptographer, CISO to cloud engineer, there is a huge breadth of career opportunities – with multiple routes in and countless ways to progress and develop thereafter. The idea that an ideal cyber security career must start with a STEM (science, technology, engineering and maths) qualification and end with a CISO role is not just inaccurate, it may be exacerbating skills shortages.

In short, the industry must get better at promoting itself, showcasing the dynamic, exciting opportunities on offer for applicants, and the critical role they will play in securing the nation’s economic and social prosperity. This ultimately boils down to positioning security where it belongs, as an essential strategic function at the heart of any organisation.

Getting there will demand greater diversity, closing those persistent skills gaps and professionalising the industry. There is a long road ahead – but the signs are looking positive.
