The UK Government’s Cyber Security Skills in the UK Labour Market 2023 report shows a staggering 50% of all UK businesses have a basic cybersecurity skills gap.
This shows little improvement from the 2022 report, which found that 51% of businesses lacked these basic skills.
Meanwhile, the 2023 report found that 33% have an advanced cybersecurity skills gap. The UK Government acknowledged that these figures are similar to 2022 and 2021.
Meanwhile, there is an estimated shortfall of 11,200 people to meet the demand of the cyber workforce. This is down from 14,100 in 2022, which the government said is largely due to slower growth of the sector.
"The UK Cyber Security labor market has been fairly stagnant for the last decade or so,” Brian Higgins, security specialist at Comparitech.com, told Infosecurity.
One of the main reasons for this, according to Higgins, is the “stranglehold” certification bodies have been allowed to apply since many of the predominant, mainstream roles have developed over time.
The required certifications for certain roles, like CISMP and CISSP, are costly are require a lot of time and effort, he noted.
“The socio-economic barriers these requirements have imposed on the current or indeed next generation of cybersecurity professionals will no doubt see the figures published by [UK Government departments] replicated for some considerable years to come,” he said.
Read more: It’s Time to Think Creatively to Combat Skills Shortages
Meanwhile, Javvad Malik, lead security awareness advocate at KnowBe4, told Infosecurity, “One of the underlying issues is the ability or desire of employers to take on board people by creating a safe and inclusive environment in which they can learn and thrive.”
However, he acknowledged that this requires significant investment by hiring organizations, which most of the time they do not have the resources to do.
If companies were to take the approach Malik described, this would help people new to the industry as well as those from minorities and underrepresented groups.
Diversity in Cybersecurity
The Government report highlighted that only 17% of the cyber sector workforce is female, which is down from 22% in 2022, but similar to 2021 and 2020. Additionally, only 14% of senior roles are filled by women.
This statistic was particularly worrying for diversity advocate, Lisa Ventura, founder of Cyber Security Unity.
“There could be any number of reasons for this, but I suspect a big one is that women just don't feel welcome in the industry or feel that it is for them. If they do join cybersecurity, women are also much more likely to be subjected to bullying and abuse by their male counterparts, and many women leave the industry as a result,” she said.
Commenting on cyber’s diversity issue, Jamie Akhtar, CEO and co-founder of CyberSmart said, “There is untapped potential here to widen the recruitment pool.” This is a sentiment also acknowledged in the report.
Amanda Finch, CEO of The Chartered Institute of Information Security (CIISec), claimed: “There’s no shortage of talent – the issue is locating and correctly supporting it. If the industry doesn’t act on this, then others will, and we may see that talent go elsewhere – potentially even to the bad guys. Security must act quickly and resolutely to ensure this isn’t the case, and instead help the industry reach its full potential.”
CIISec offers the UK’s first and only Extended Project Qualification (EPQ) in cybersecurity, giving students from age 14 and up the best possible opportunity to kick-start their cybersecurity career.
Undercurrents
Akhtar noted that while the persistent security skills gap highlighted in the 2023 report are worrying there are also some “undercurrents” that require more focus.
He highlighted the figure of 41% of businesses reporting a lack of confidence in the area surrounding incident response; something that he said is trending upwards. “This suggests incident response may need particular attention.”
The report noted that incident response is one of the top areas covered by external providers. Of the 33% of businesses that outsource any aspect of cybersecurity, 82% utilized an external cybersecurity provider to deal with incident response and recovery.
Read more: UK Heading for “Catastrophic” Digital Skills Shortage
“We found in the qualitative research that even if incident response is outsourced, it may still be a concern for organizations,” the report stated.
One unnamed public sector organization surveyed in the report commented: “There is a low level of understanding of what to do with incident response. I've even found with qualified IT security people, because they don’t have to do incident response very often, sometimes when they need to do a basic one, they need help."
National Cyber Strategy
The government said that through the £2.6 billion National Cyber Strategy it is working to increase the number and diversity of skilled people in the cybersecurity profession.
“The National Cyber Strategy was launched in December 2021 with five core pillars underpinning it, and while plugging the cyber skills gap is covered under pillar one (UK Cyber Ecosystem) there is still much to be done to ensure a greater flow of cybersecurity professionals into our industry,” noted Ventura.
Dan Middleton, Vice President UK&I, Veeam said, “By building an ecosystem of security partners around them, they can create a bespoke strategy that accounts for everything their business needs – whether that’s one or two key areas of protection, or a full security service – as well as benefiting from cutting edge technologies.”
Finally, Akhtar told Infosecurity, “The strategy is a step in the right direction but continued effort from government, industry and the education sector is vital. Consistent monitoring, like this annual report, will help maintain focus on the issue."