The global cybersecurity skills crisis has seen governments around the world prioritise education and training in a bid to boost numbers. In the UK, these plans were outlined in the National Cyber Strategy set for 2022 -2030 with key milestones set for 2025. So, with a year to go, is the strategy working and has it achieved those objectives?
The answer, if one looks at the ISC2 Cybersecurity Workforce Study 2023, would appear to be no. The workforce gap in the UK is up 29 percent year-on-year and now stands at 73,439. That’s more than double the gap globally and the highest in Europe, followed by Spain (23 percent) and the Netherlands (10 percent). In contrast, France and Ireland bucked the trend and saw a fall of three and 18 percent, respectively, proving that it is possible to drive down the gap.
Under Objective 2 in Pillar 1 the strategy identifies the need to expand cyber skills “at every level”, including through a cyber security profession that inspires and equips future talent. Furthermore, it states that by 2025 it will have created “a significant increase” in the number of people with the skills they need to enter the cyber workforce as well as a “steady flow of highly-skilled people” through the education system.
Demand continuing to outstrip supply
But as the Cyber security skills in the UK labour market 2023 report shows, the education sector will only generate 7,000 new entrants while the sector loses 4,700 annually. It estimates growth at just 10 percent, which appears conservative when compared to the ISC2 report, but even then leaves an annual shortfall of 11,100 after the new intake.
The strategy aims to boost numbers through post-16 training but in 2022 the CyberFirst bursary program for university undergraduates had only trained 750 recruits of which 56 had graduated and obtained cyber roles. In addition to this the strategy laid out plans for four apprenticeship schemes and nine cyber bootcamps nationally, as well as fast tracking, graduate and intern placements for cyber in government, and a Defence Cyber Academy, although the latter is a joint initiative with the US aimed at boosting national cyber defence capabilities.
Across the pond, the Biden administration has also been taking action to address the skills shortage. The National Cyber Workforce and Education Strategy (NCWES) released in mid-2023 adopts a similar structure to the UK strategy with four pillars but all of those are focused on the workforce and its objectives are more ambitious. Pillar 1, for instance, is to equip every American with foundational cyber skills but also to enable lifelong development of those skills, raising the bar nationally. In the UK strategy, the intention to enhance and expand the nation’s cyber skills at every level is paid lip service, with very little exploration of how we will educate the layman. This is of critical importance when you consider that 50 percent of UK businesses said they have a basic cyber security skills gap in the labour market report cited above.
The UK’s strategy refers to the need to invest in people and skills but the emphasis is on the cyber ecosystem being “self-sustaining, not dependent on government interventions”. It acknowledges partnerships between government, academia and businesses are needed and, similarly, the NCWES states that federal agencies, academia and the public and private sectors all have a role to play. But it’s the NCWES that has already seen a much greater collaboration and investment from the commercial sector, with Google, Microsoft, SAP and the ISC2 all weighing in with multi-million dollar sponsored initiatives.
If you liked this content…
Pipeline versus placements
Pillar 2 looks to transform cyber education starting at kindergarten and this bears comparison to the CyberFirst initiative over here which starts in Key Stage 2 at primary school, indicating both share a focus on starting from the ground up. Yet, while admirable, this pipeline won’t be generating the numbers needed for decades.
It’s for this reason that both strategies also address the need to recruit from more diverse groups and to provide entry level opportunities to those with the aptitude but not necessarily the qualifications. The NCWES even advocates low or no-cost certifications. And when it comes to those mid and senior level vacancies, an interesting proposal put forward stateside is for fractional employment whereby those experienced individuals with in-demand skillsets are incentivised to work for a set number of hours for multiple employers.
In fairness, the UK strategy is targeted at cyber as a whole so looks beyond the workforce to address the economic growth of the sector. But it also seems to offer up fewer ideas and, despite acknowledging that the gap grew 50 percent between 2018-22, seems to have underestimated the urgency of the matter.
Its objectives clearly state that by 2025 the strategy will have achieved some very specific outcomes and its well on the way to achieving some of those, such as a more established, recognised and structured cyber security profession under the professional standards and cyber pathways created by the UK Cyber Security Council. But as to whether it has created a “significant” dent in the gap or a “steady flow” in terms of pipeline, nebulous terms at best, that’s going to be more difficult to prove.
Many will want to see more affirmative action going forward to address the gap’s rate of growth. We need to see more investment both at a grass roots level to create a baseline of cyber security knowledge among the populace and more public-private partnerships to boost training to help fill those vacancies not in five or ten years’ but today.