Date: 2025-04-04

Addressing the cybersecurity skills shortage has become a key priority for the UK government, which is looking to turbocharge opportunities for a new generation of talent in the industry. This comes amid worrying figures about the state of the cybersecurity workforce, both globally and in the UK.

The Department for Science, Innovation & Technology’s (DSIT) Cyber Security Skills in the UK Labour Market 2024 report found that 44% of UK businesses have skills gaps in basic technical cybersecurity areas, while 27% have gaps in advanced skills, such as penetration testing. These figures tie into a global trend. The 2024 ISC2 Cybersecurity Workforce Study found that there is an estimated 4.8 million shortfall of cyber professionals who are required to adequately secure organizations. Retention is another major issue with job satisfaction levels plummeting due to stress and lack of progression opportunities.

Several UK government initiatives designed to address these issues are now starting to take effect. UK-based organizations now have the opportunity to revolutionize their cybersecurity recruitment and retention strategies.

The Need to Embrace Entry-Level Candidates

Cybersecurity recruitment strategies have typically suffered from unreasonable expectations, creating significant barriers for new entrants. Formal cybersecurity certifications, which are often expensive to obtain, are a common requirement for entry-level cybersecurity roles. Many of these certifications require years’ worth of experience to obtain. Some junior and entry-level roles have been found to require a CISSP certification. This qualification demands a minimum of five years’ cumulative paid security experience, which is virtually impossible if you cannot get on the career ladder in the first place.

Such barriers have a significant impact on the cybersecurity skills shortage. The ISC2 study found that 31% of teams had no entry-level professionals. Lisa Konomoore, Project Manager at the UK Cyber Security Council, speaking during a Council event in March, summed up this problem: “This cycle exists in needing experience to get a job, but in order to get experience, you need a job.”

In an interview with Infosecurity, the UK’s National Highways CSO Keith Price said there is now a belief that cyber cannot be an entry-level job. He urged organizations to “re-balance” the security profession by recruiting, hiring and developing in-house the future generations of security professionals. “A solid strategy would be to hire good people, and then spend the years developing them into specialists, as opposed to the current strategy of spending years hiring the unicorn or perfect candidate (that likely does not exist),” he noted.

This need goes beyond simply filling the workforce gap. Simon Whittaker, CEO at security training firm Vertical Structure Ltd, explained during the Council event that fresh thinking is needed given the rapidly changing nature of cybersecurity, driven by technological advances like AI. “There’s been a sea-change in our industry over the course of the last few years. We need people who are new and interesting coming into our organizations. I want to see people who haven’t been in this industry and don’t do things exactly the same way,” he commented.

Una Whelan, Global Head of Cyber Prevent at Vodafone, concurred. “The things that my graduates are teaching me are just mind-boggling – we give them a question and they come back with a technical solution that’s suddenly embedded in our security operations center,” she commented.

Experienced workers from unrelated fields who are looking to transition to cybersecurity can also bring a wealth of fresh perspectives. Lorna Armitage, CEO at CAPSLOCK, a company that provides courses for people to reskill in cybersecurity, explained that past experiences in different sectors often result in new ideas and solutions. “When we’re in the classroom and you give [students] a problem, you might have a hairdresser, a chef, someone who’s been a managing director – they’re coming up with solutions I’d never have thought of and I’ve been in the sector for 15 years,” she explained.

How to Change Recruitment and Retention Strategies

Most of the experts Infosecurity has spoken to or heard from have concurred that recruitment in cybersecurity should prioritize soft skills above technical experience and qualifications. During the UK Cyber Security Council event it was noted that technical skills can be learned and will need to be updated continuously due to changing tools and technologies. Curiosity, collaboration and the willingness to learn were highlighted as core traits for prospective cybersecurity professionals.