A 2022 report from the Department of Culture, Media and Sport (DCMS) has found a shortfall of approximately 14,100 cyber security personnel in the UK, indicating that the country is currently experiencing a significant skills shortage in the cyber security industry.

The cyber security skills in the UK labour market report found that the cyber security workforce shortfall is comprised of two elements: a skills gap (those responsible for cyber security lacking the appropriate skills) and a skills shortage (a lack of people available to fill positions in cyber security).

39% of UK companies experienced at least one cyber attack in the last twelve months, according to the UK Government’s Cyber Security Breaches Survey 2022, meaning that cyber security skills are increasingly vital to organisations of all sizes, and in every sector. The work of cyber security experts protects businesses, charities and essential public infrastructure including healthcare, energy and transport, from the threat of destabilising cyber attacks and data breaches.

Anthony Green, CTO of cyber security firm, FoxTech, discusses the reasons behind the skills shortage, and how the cyber industry can take a leading role in nurturing new talent.

What’s behind the skills shortage?

Anthony comments:

“Cyber security is a relatively new profession, and at the moment there just aren’t enough people with the right skills to fill the number of new roles that are being advertised. Within cyber security there are different types of roles. Compliance roles deal with policies, processes and risk assessments, while technical roles encompass penetration testing (ethical hacking), vulnerability scanning, fixing security holes, and the building of secure systems. It is the technical cyber security skills that are most lacking in the current UK market.

“Part of the reason for this is that individuals and teams responsible for cyber security in private organisations are often also responsible for all IT functions. Many come from non-technical backgrounds, such as general management, legal or human resources teams. Cyber security is not necessarily their taught skill, or their top priority. Because the cyber security landscape evolves quickly, any technical cyber skills they do have can rapidly fall behind, meaning they need to undertake further training before becoming a suitable applicant for a cyber-specific role.”

Diversity in cyber security

“Another problem the cyber security industry faces, is the stereotype that these jobs are only for ‘geeky men’. The DCMS report did show evidence that the sector has become more diverse over the last three years both in terms of gender (22% of cyber professionals are women, vs. 15% in 2020) and ethnicity (25% are from ethnic minority backgrounds, vs. 16% in 2020). However, the historic lack of diversity in the industry, and present untapped potential in a number of recruitment pools has certainly contributed to the current workforce shortage.”

What can be done to nurture cyber talent and help more people enter the cyber security workforce?

“If we’re going to expand the UK’s cyber workforce, it’s vital to build awareness that this career is open to anyone, and to nurture all those with the right core skills from a young age.

“A long-term strategy is to start in schools, increasing cyber skills in the STEM curriculum and making sure that technically-minded young people of all backgrounds, genders and ethnicities are made aware of the huge opportunities for a career within the industry.

“Cyber security firms can also become an agent for change by offering more apprenticeship opportunities to train emerging talent. Currently only 2 in 10 (19%) have any apprentices among their staff. IT and risk professionals interested in specialising into a cyber role can look at the UK Cyber Security Council’s careers route map, which cyber professionals recognise as a great tool for supporting a career transition.”

What skills are cyber security recruiters looking for?

The DCMS’s report asked employers what attributes they were looking for among candidates. The results indicated that the core desirable skills included an aptitude for fast learning, self-learning, problem solving and communication skills.

Employers also reported that they were not concerned about applicants having cyber security qualifications or relevant university degrees – in fact, self-taught programming skills were viewed favourably.

Anthony discusses:

“Alongside technical skills, the cyber industry is increasingly focussed on creating security systems that take human behaviour into account. If security controls create high levels of frustration and disruption to productivity, users will find a way to circumvent them. So, the industry needs people who are able to understand the human factors within security, and forecast human behaviour.”

Developing and testing skills

There are a number of places where anyone interested in technical cyber roles can go to build and test their skills in a legitimate setting:

• Try Hack Me and Hack The Box are excellent free tools that offer cyber security training in a gamified setting
• Many large companies worldwide have ‘Bug Bounty’ schemes, where they reward hackers with cash prizes for finding and reporting vulnerabilities in their systems. These schemes are publicised on the website hackerone.com
• Take part in the Pwn2Own hacking contest. Held twice a year, it has become one of the most well-known security contests in the world

Taking part in any of these schemes is a great way to demonstrate abilities in independent learning and problem solving to cyber recruiters and employers.

Building a career in cyber security

“The results of this year’s DCMS report confirm that there are a huge number of opportunities for careers within cyber security, which is really exciting for anyone looking to enter the industry,” says Anthony.

“My advice to anyone interested in cyber security career would be to get in contact with cyber security firms to discuss placement opportunities, do some research using the UK Cyber Security Council’s careers route map, and start building your skills using online training tools – you don’t know until you try!”