How UK Firms Can Transform Cybersecurity Recruitment and Retention

Addressing the cybersecurity skills shortage has become a key priority for the UK government, which is looking to turbocharge opportunities for a new generation of talent in the industry.

This comes amid worrying figures about the state of the cybersecurity workforce, both globally and in the UK.

The Department for Science, Innovation & Technology’s (DSIT) Cyber Security Skills in the UK Labour Market 2024 report found that 44% of UK businesses have skills gaps in basic technical cybersecurity areas, while 27% have gaps in advanced skills, such as penetration testing.

These figures tie into a global trend. The 2024 ISC2 Cybersecurity Workforce Study found that there is an estimated 4.8 million shortfall of cyber professionals who are required to adequately secure organizations.

Retention is another major issue, with job satisfaction levels plummeting due to stress and a lack of progression opportunities.

Several UK government initiatives designed to address these issues are now starting to take effect.

UK-based organizations now have the opportunity to revolutionize their cybersecurity recruitment and retention strategies.

The Need to Embrace Entry-Level Candidates

Cybersecurity recruitment strategies have typically suffered from unreasonable expectations, creating significant barriers for new entrants.

Formal cybersecurity certifications, which are often expensive to obtain, are a common requirement for entry-level cybersecurity roles. Many of these certifications require years’ worth of experience to obtain.

Some junior and entry-level roles have been found to require a CISSP certification. This qualification demands a minimum of five years’ cumulative paid security experience, which is virtually impossible to gain if you cannot get on the career ladder in the first place.

Such barriers have a significant impact on the cybersecurity skills shortage. The ISC2 study found that 31% of teams had no entry-level professionals.

Lisa Konomoore, Project Manager at the UK Cyber Security Council, speaking during a Council event in March, summed up this problem: “This cycle exists in needing experience to get a job, but in order to get experience, you need a job.”

In an interview with Infosecurity, the UK’s National Highways CSO Keith Price said there is now a belief that cyber cannot be an entry-level job. He urged organizations to “re-balance” the security profession by recruiting, hiring and developing in-house the future generations of security professionals.

“A solid strategy would be to hire good people, and then spend the years developing them into specialists, as opposed to the current strategy of spending years hiring the unicorn or perfect candidate (that likely does not exist),” he noted.

This need goes beyond simply filling the workforce gap.

Simon Whittaker, CEO at security training firm Vertical Structure Ltd, explained during the Council event that fresh thinking is needed given the rapidly changing nature of cybersecurity, driven by technological advances like AI.

“There’s been a sea-change in our industry over the course of the last few years. We need people who are new and interesting coming into our organizations. I want to see people who haven’t been in this industry and don’t do things exactly the same way,” he commented.

Una Whelan, Global Head of Cyber Prevent at Vodafone, concurred. “The things that my graduates are teaching me are just mind-boggling – we give them a question and they come back with a technical solution that’s suddenly embedded in our security operations center,” she commented.

Experienced workers from unrelated fields who are looking to transition to cybersecurity can also bring a wealth of fresh perspectives.

Lorna Armitage, CEO at CAPSLOCK, a company that provides courses for people to reskill in cybersecurity, explained that past experiences in different sectors often result in new ideas and solutions.

“When we’re in the classroom and you give [students] a problem, you might have a hairdresser, a chef, someone who’s been a managing director – they’re coming up with solutions I’d never have thought of and I’ve been in the sector for 15 years,” she explained.

How to Change Recruitment and Retention Strategies

Most of the experts Infosecurity has spoken to or heard from have concurred that recruitment in cybersecurity should prioritize soft skills above technical experience and qualifications.

During the UK Cyber Security Council event it was noted that technical skills can be learned and will need to be updated continuously due to changing tools and technologies.

Curiosity, collaboration and the willingness to learn were highlighted as core traits for prospective cybersecurity professionals.

Another important trait is resilience and demonstrating the ability to respond calmly during cyber incidents.

Whittaker gave the example of a former firefighter he has on his team who exhibits this quality.

“Nothing fazes him,” Whittaker said.

It was also emphasized that there is a need for both managers and employees to work together on career development post-recruitment.

Investing in and encouraging such development will ultimately help boost retention and make the organization more appealing to prospective candidates.

Colin Gillingham, Associate Director at cybersecurity firm NCC Group, said: “We’re always looking at what can that person do now. We probably don’t look at their potential – what they are capable of in the future. Also, whether they see it as a job or as a passion.”

This includes the development of leadership skills from early on, such as communication and presenting. Whittaker explained that he encourages his team to regularly attend and speak at events to help build up and maintain such skills, regardless of their seniority level.

UK Government Programs Aim to Support Cyber Jobs

In recent years, the UK government has embarked on a number of initiatives designed to provide clearer career opportunities and pathways in cybersecurity.

There is a major opportunity for UK-based organizations to leverage these programs to adapt their recruitment and retention approaches in a way that reduces barriers and retains high standards.

NCSC’s CyberFirst Program

The National Cyber Security Centre (NCSC)’s CyberFirst scheme is designed to encourage children and young adults to consider a career in cybersecurity.

At a Step into Cyber 2025 event organized by the University of Nottingham and supported by the UK government, NCSC representatives promoted CyberFirst career opportunities to attending students.

Those on the scheme can receive significant financial support while studying. The program is partnered with 178 organizations, providing work experience placements, graduate roles and other development opportunities.

One CyberFirst student, now in the final year of their studies, spoke at Step into Cyber about the benefits of the scheme, having gained internship opportunities at companies such as Microsoft. He now has a provisional cybersecurity job offer at IBM.

Partnering with the CyberFirst scheme is a way organizations can identify talent early.

Additionally, CyberFirst graduates will have demonstrated significant commitment to pursuing a cybersecurity career and gained real-world experience in the industry.

As a result, hiring a candidate from the CyberFirst program could be a good indicator that a prospective candidate has a lot of the key traits organizations should be looking for.

The NCSC representatives added that 87% of CyberFirst graduates have landed a cybersecurity role.

UK Cybersecurity Council Professional Standards

The government-funded UK Cyber Security Council, launched as an independent body in 2021, has been charged with boosting professional standards and career prospects for those working in cybersecurity.

One aspect of this is the creation of professional standards across different cybersecurity specialisms, similar to the approach used in other professions such as accountancy and law.

This is designed to demonstrate individuals’ competency in the sector as they progress through their careers and provide a clear progression path.

There are three levels of competency for these specialisms – Practitioner, Principal and Chartered.

To achieve Chartered status, cyber professionals must demonstrate a range of abilities above and beyond technical knowledge. This includes effective management and leadership skills and demonstrating a high level of integrity, morals and ethical values.

The chartership program was rolled out to four specialisms in 2024 – architecture and design, governance and risk management, audit and assurance, and cybersecurity testing.

Professional titles will be extended to cybersecurity management, incident response, operations and system development in 2025.

Organizations should encourage and support employee membership of these schemes, which can help hone the cyber skills of new recruits to support business needs. The program also offers career development support for the future, increasing the likelihood of retaining staff for longer.

In addition, the Council has recently introduced an ‘Associate’ professional title. This is an entry-level standard, designed to be realistically achievable for individuals who have just completed their education and are looking for their first role in cybersecurity.

Unlike the other professional titles, the Associate title is not tied to a specialism, allowing Associates to decide on a specialization later on.

As with the NCSC CyberFirst program, the Associate title gives organizations a way to identify young people who have the passion and soft skills they should be looking for.

Conclusion

It is clear that organizations need a change of approach to make sure they are adequately staffed to tackle rising cyber-threats.

This must involve opening up the sector to a new generation of talent and removing the barriers that are often in place for young people and career changers seeking their first role in cybersecurity.

It is not about lowering standards – instead the focus should be on identifying the traits needed to pursue a successful career in cybersecurity. There must also be a pathway to harness those traits for the benefit of the organization and the employee.
