UK cyber-workforce lacks quality, diversity, says govt report

Feature by Chandu Gopalakrishnan

Close to 394,000 cyber security-related vacancies were announced over the past three years, but companies could fill only two-thirds of them

Close to 394,000 cyber-security-related vacancies were announced over the past three years, but companies could fill only two-thirds of them, said a UK government report. However, talent crunch and lack of diversity in the cyber-workforce are hardly surprising, say industry insiders.

The research report on the UK cyber-security labour market published by the Department for Digital, Culture, Media & Sport (DCMS) comes a day after chancellor chancellor Rishi Sunak allocated more than £5 billion of investment into Britain’s digital infrastructure.

“High proportions of UK businesses lack staff with the technical, incident response and governance skills needed to manage their cyber-security,” said the report. 

“We estimate that approximately 653,000 businesses (48 percent) have a basic skills gap. That is, the people in charge of cyber-security in those businesses lack the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme, and are not getting support from external cyber-security providers.”

Open secret

The fact that a third of cyber-vacancies are hard to fill is concerning, but not particularly surprising, noted Ben Tuckwell, district manager - UK & Ireland at RSA Security. 

“It’s hard to find the right people to fill cyber-security job roles, there’s no two ways about it. One big piece of recruitment advice for businesses would be to look after your own, as word of mouth and recommendations go a long way. Similarly, if you provide a supportive and interesting environment to work in, then you will encourage more people to join,” he said.

Close to 65 percent of cyber-firms surveyed for the report have acknowledged facing problems with technical cyber-security skills gaps, either among existing staff or among job applicants. 

The skill gap was particularly high in threat assessment or information risk management; assurance, audits, compliance or testing; cyber-security research; implementing secure systems; and governance and management. A quarter (25 percent) of the organisations surveyed said that such skills gaps have prevented them to a great extent from achieving business goals.

Digital transformation has made security roles omnipresent in every business function and unit. “Around seven in 10 cyber-sector businesses (68 percent) have tried to recruit someone in a cyber-role within the last three years. These employers reported a third (35 percent) of their vacancies as being hard to fill,” said the report.

Right people, right skills

“One of the most significant challenges facing companies today is preparing their talent base for the shift to digital. And as digital transformation becomes a reality, organisations must equip their employees with the skills they need to deliver in this ‘new normal’ economy,” commented Steve Wainwright, managing director EMEA at Skillsoft.

“Reskilling employees to better understand and leverage new technologies, processes and ways of thinking could very well mean the difference between success and failure.”

Referring to the unfilled cyber-security-related vacancies, “In 43 percent of cases, this was because applicants lacked technical skills or knowledge. However, applicants lacking soft skills (22 percent) was also a common contributing factor. In half (51 percent) of cases, employers have found it hard to fill generalist cyber-roles,” the report explained. 

For new recruits, training that covers the full depth and breadth of the digital risks the business is facing is critical, yet often sporadic, noted Tuckwell. It is important to assess and update the programme constantly, so that the recruits are well-versed in the tools, applications and software the business uses, the possible impact be if one of these suffered an outage or breach, and the third parties and their level of access, he explained.

“The good news for learning and development teams is that there is a huge range of training courses on offer, and for the most part, they’re available online. E-learning means that wherever employees are, and whatever device they’re using, they can access the training needed to prepare them for the digital economy,” said Wainwright.

Three-fifths of cyber-firms (62 percent) have reported that they employ staff who have, or are working towards, cyber-security-related qualifications in the form of higher education, apprenticeships or other certified training. The most common technical qualification is the Certified Information Systems Security Professional (CISSP) accreditation, said the report.

Tom Van de Wiele, principal security consultant at F-Secure,              attributes the talent shortage in cyber-security to the lack of structured, university-level education in the domain. Qualifications and accreditations in cyber-security continues to be highly fragmented, the report agreed. 

Hardly diverse

The picture is dismal when it comes to gender, ethnic and neural diversity in the sector. Only 15 percent of the total cyber-roles assessed have female employees. Employees from ethnic minority backgrounds form just 16 percent of the staff, while only nine percent employees have neurodiverse conditions or learning disorders.

“Despite many individuals within cyber-security teams having autistic traits, there is a large community of neurodiverse individuals who need additional support to train and work in cyber-security. There is currently little support to develop these skills and so these individuals are often long term unemployed,” said a report  on neuro-diverse cyber-security training.

A survey among cyber-security professionals by the Chartered Institute of Information Security (CIISec) last year found that 89 percent of respondents to its survey are male, and 89 percent over 35, suggesting the sector is still very much in the hands of older men.

“It never fails to amaze me that only 15 percent of people working in STEM roles in the UK are female,” observed Dr Alison Vincent, non-executive director at Telesoft Technologies.

“Consider this alongside the fact that the tech industry is suffering from a huge skills shortage. The (ISC)2 cybersecurity workforce study revealed that in Europe, there is a skills gap of 219,000 – it’s clear women have a lot to offer and can play a huge role in closing the gap.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews