Why does the UK have the worst cybersecurity workforce gap in Europe? asks Jamal Elmellas, Chief Operating Officer for Focus-on-Security, a cybersecurity recruitment agency.
Delve a little deeper into the ISC2 Cybersecurity Workforce Study 2023 which measures the chasm that is the cybersecurity skills gap and there’s a rather astonishing statistic. It turns out the UK has experienced the most growth in the cybersecurity gap in the whole of Europe. Here, the gap increased 29 per cent over the course of the past year with the deficit now standing at 73,439. To put that into some kind of perspective, that’s more than double rate that the gap is growing worldwide, which stands at 12.6pc year-on-year, and compares to 11pc in the Netherlands, less than 1pc in Germany where the gap has remained largely static, and its actually in decline in France and Ireland, where the gap shrunk by 3pc and 18pc, respectively.
So, what’s going on? It’s not that the cybersecurity workforce isn’t expanding. The same report found that the number of jobs grew 8pc, swelling the ranks with 367,300 new positions, which is above that experienced in Europe at 7pc (equivalent to 1.3m jobs) and only slightly less than that experienced worldwide at 9pc (equivalent to 5.5m jobs). Nor are these figures the result of the economic downturn or cost cutting measures as the ISC2 points out the figures reflect the personnel required and the number of qualified applicants so is unaffected by such factors. But there is clearly more demand in the UK which is rapidly outstripping supply.
Pipeline problems
Part of the problem here is we simply don’t have enough personnel coming through the pipeline. The Cyber security skills in the UK labour market report 2023 found that the number of core cyber job postings has leapt 33pc to over 71,000 (that’s nearly 6,000 per month) over the course of the past two years but only 4,360 graduates entered the market. But it’s also true that most vacancies aren’t for beginners, with 59pc requesting between two to six years’ experience. The State of Cybersecurity 2023 report from ISACA reported similar findings, with 71pc reporting unfilled positions where non-entry level jobs outnumbered entry level jobs by two to one. This emphasis on experience then leads to positions remaining open for longer so it could be the way we are approaching the recruitment problem that is fuelling these numbers.
The top reasons given for being unable to fill posts was difficulty finding talent (41pc) in the ISC2 report although change is happening. We’re now starting to see less of a reliance on university degrees, for instance, which ISACA welcomes as it has long championed the need to remove degree mandates. It found employers are looking for soft skills such as effective communication (58pc), critical thinking (54pc) and problem solving (49pc) as well as tenacity through self-study to help them select candidates. And 51pc of those questioned by ISC2 said they are changing their hiring criteria to recruit from non-security backgrounds.
Poor workforce planning
Also of note in the ISC2 survey was that almost a quarter (24%) of respondents said leadership was guilty of misaligning staff resource, so that there was too much in one area and a shortage in another. This indicates poor workforce planning and if that’s not in place, the business can find it has misjudged its need for resource going forward as the business expands, leaving it short on the right resource in the right areas. Crucially, attending to this may even help to significantly reduce the workforce gap. If a team can share scarce skillsets between them, this can reduce the number of headcount required, with close to 60pc saying worker shortages could be mitigated by filling key skills gaps.
In fact, there is a big distinction to be made between the workforce gap and the skills gap, as the ISC2 explain. The former describes the number of people needed in the sector for businesses to function securely but the latter provides us with some indication of the skills needed now and into the future. Cloud security has been top of the list for the last five years for instance, revealing that we still aren’t getting that skillset through the pipeline and looking forward we can expect the likes of GenerativeAI to create further shifts in demand.
Lack of leadership
But right now, the UK is heading towards a cybersecurity workforce crisis, particularly when we consider that the National Cyber Strategy revealed in 2022 to specifically tackle the issue by 2030, does not seem to be on track. Some of the milestones set out for 2025 included “a significant increase” in the number of people with the skills they need to enter the cyber workforce as well as a “steady flow of highly-skilled people” through the education system. There seems to be very little evidence of either based on the reports cited above.
Failing to take action, however, could have real repercussions for the resilience of the business and the UK as a whole. Over half of businesses worldwide describe themselves as at moderate or extreme risk of cyber attack due to the shortages, according to ISC2. The impacts of this are already being felt with 50% complaining of not having enough time for proper risk assessment and management, 45pc of oversights in process and procedure, and 38pc of misconfigured systems and the slow patching of critical systems.
Going forward, UK businesses are going to have their work cut out dealing with the shortages. They’ll have to become more open to candidates from non-security backgrounds, develop ways of assessing their aptitude for the job at hand, and seek to use tooling to empower these staff rather than the other way round ie looking for staff that can work with specific toolsets. They’ll need to be more diligent in their workforce planning and put career development plans in place that nurture the talent they have to boost retention rates. It won’t be an easy undertaking but with shortages going up nearly a third year-on-year and showing no signs of abating the sector is going to have to recruit creatively.
