A significant proportion of UK businesses lack staff with the technical, incident response and governance skills needed to manage their cyber security.
This is according to a damning new report being released by the Department for Digital, Culture, Media and Sport (DCMS), which also found that it is not common for businesses to invest in training for staff in cyber roles, with just 24% having done so.
Last year the government also warned that fewer than half of FTSE 350 boards had a dedicated cyber security budget. According to this latest report, it appears that companies across the UK are struggling both to recruit for cyber skills and to find valuable training to boost the skills of those already in cyber teams.
It notes that there is a high level of fragmentation in the market for cyber security qualifications.
The key findings are as follows.
The report estimates that:
Approximately 653,000 businesses (48%) have a basic skills gap. That is, the people in charge of cyber security in those businesses lack the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme, and are not getting support from external cyber security providers. The most common of these skills gaps are in setting up configured firewalls, storing or transferring personal data, and detecting and removing malware
Approximately 408,000 businesses (30%) have more advanced skills gaps, in areas such as penetration testing, forensic analysis and security architecture
A quarter (27%) have a skills gap when it comes to incident response (and do not outsource this)
Qualifications and training
As noted above, the cyber security workforce has many different qualifications and accreditations, but it is not common for businesses to invest in training for staff in cyber roles. The researchers’ qualitative interviews with heads of cyber teams highlighted challenges around identifying good quality courses and other accredited training for those in cyber roles:
The fast-evolving nature of cyber security means that university syllabuses constantly need refreshing. There was a desire for longer work placements to be integrated into degree courses
There was a sense that the quality of vendor-specific accredited training could vary greatly. Cyber firms often needed to spend considerable time researching the available training options
The importance of implementation skills – being able to implement technical knowledge in a business context – was frequently mentioned. Interviewees often felt that the current set of qualifications (both academic and technical) did not emphasise this element enough
Recruitment and skills shortages
The report notes that around 7 in 10 cyber sector businesses have tried to recruit someone in a cyber role within the last three years. These employers reported a third (35%) of their vacancies as being ‘hard to fill’.
The report goes on to state:
In 43 per cent of cases, this was because applicants lacked technical skills or knowledge. However, applicants lacking soft skills (22%) was also a common contributing factor
In half (51%) of cases, employers have found it hard to fill generalist cyber roles
Hard-to-fill vacancies are most commonly for senior level staff (with 3 to 5 years of experience) and principal level staff (with 6 to 9 years of experience)
The most common roles in demand are security engineers (18%), security analysts (13%), security architects (10%), security managers (9%) and security consultants (8%). The sectors with the greatest demand for cyber talent are the finance and insurance, information and communications, and professional services sectors.
High salary demands were consistently raised with researchers as a challenge, and high wage differentials by sector and between London and the rest of the UK exacerbated this.
Unsurprisingly, the cyber sector workforce is not diverse, according to the report. On gender diversity, it falls behind other digital sectors. The report notes that relatively few firms have adapted their recruitment processes or carried out any specific activities to encourage applications from diverse groups. The findings show:
15% of the workforce are female (vs 28% of the wider digital sector)
16% come from ethnic minority backgrounds (vs 17% of the digital sector)
However, the researchers still found that there are “pockets of scepticism” - some interviewees felt it was overemphasised or no worse than in other digital sectors. Not only this, but a more diverse workforce was rarely viewed as a way to tackle skills gaps and shortages in cyber roles.
The findings in this report are perhaps unsurprising, but stark nonetheless. The cyber security skills gap has long been a challenge in the UK. The report is worth reading in full, particularly the recommendations section. DCMS has been advised that the entire programme of government activity on cyber security skills should be joined up under a cohesive brand and that employers should have clarity over how different initiatives relate to one another.