The UK’s cyber security sector faces a significant shortfall in the number of skilled professionals joining the industry every year, according to new statistics compiled for the Department for Digital, Culture, Media, and Sport (DCMS) by pollsters Ipsos Mori. The report found that with a total security workforce of somewhere between 98,000 and 171,000 – for argument’s sake, DCMS’s report assumes the mid-point of 134,500 – and demand for cyber security professionals growing by 9% in 2020, the workforce needs to increase by 12,000 a year to meet expected demand. But between 4,000 and 7,000 individuals leave the sector each year, so this figure can be assumed to be more like 17,500.
However, the data reveals only about 7,500 recruits are entering a career in cyber every year – 4,000 university graduates and postgraduates, 2,500 people undertaking career conversion or retraining (not necessarily ballet dancers), and 1,000 coming out of apprenticeships, leading to an extrapolated shortfall of 10,000 people every year. In the report, Understanding the cyber security recruitment pool, DCMS highlighted the need to rapidly address the security skills shortage to mitigate issues such as loss of talent and experience, staff retention and productivity challenges, and people quitting having burned out.
It also warned that, left untreated, the shortfall will worsen as demand for security talent exceeds supply by every metric. This situation shows no sign of change. The report found that employers struggled to fill security roles, particularly specialist ones for those with some experience. At the same time, training providers and recruiters seem to think the demand for security training and jobs is high, which may imply a lack of suitable candidates in the recruitment pool.
Some of the stakeholders who responded to the poll did indeed feel there was an insufficient quantity of candidates – while others said there was too much emphasis on trying to find the perfect fit for the role, which left entry-level applicants, many of them with strong transferable skills around leadership and project management, languishing simply because they do not necessarily have all the needed technical skills yet. Other barriers to entry noted in the report include poor awareness among the general public of security, unsuitable recruitment methods turning people off, and a lack of education and information on security careers. There was also a notable lack of diversity in multiple areas, including gender, ethnicity, and neurodiversity – all under-represented groups.
However, despite recognizing these challenges, those who responded to the study felt the future of the recruitment pool was positive and that interventions, such as the National Cyber Security Centre’s CyberFirst schemes, were working. People tended to agree that the increase in digital employment generally made IT training more accessible. This would ultimately broaden the pool both in terms of numbers and diversity. Respondents felt that continuing successful education interventions and reskilling would eventually bring a broader range of people into cyber. The pandemic and its forced emphasis on remote working could help improve the working environment for many.
Examining the outlook for cyber recruitment, Amanda Finch, CEO of CIISec, said: “Cyber security recruitment needs an overhaul, with communication between recruiters and organizations currently poor. Challenges in recruitment come from all sides – from organizations being unclear or over-demanding and recruiters not understanding the roles to a lack of confidence or skills from applicants.
“Rather than pointing the finger, we need a collaborative approach to addressing these issues. One example is unrealistic and intimidating job descriptions that exaggerate the skills and experience needed for a role. Considering that women only apply for roles they are 100% qualified for, while men will apply if they meet 60% of the qualifications, this approach may alienate women and other minority groups.”
Finch added: “Communicating the fundamentals of a position – who the organization wants to hire, what skillset is needed, what training applicants can receive – is crucial, as is providing accurate job descriptions. Giving HR and recruitment staff a more excellent voice is also vital.
“This could be through welcoming them to speak at cyber security events, sit on panels or join webinars. This way, HR and recruiters can join the conversation and make sure the whole organization understands exactly what it needs.”