Clar Rosso, CC, CEO of ISC2, sat down with Dr. Claudia Natanson MBE, Chair of the Board of Trustees of the UK Cyber Security Council, to discuss the state of the UK cyber workforce. Clar’s background in education and learning was complemented by Claudia’s technical expertise and experience as a serial CISO, making for an insightful discussion with practical advice for employers, professionals and those looking to get into cyber.
ISC2 is an international membership organisation for cyber security professionals with a community of over 600,000 worldwide. The organisation is working to bring more people into cyber security by offering one million free exams and courseware for its entry level Certified in Cybersecurity (CC) certification, half of which are dedicated to underrepresented communities and population groups.
ISC2 produces the annual Cybersecurity Workforce Study (https://www.isc2.org/research) to quantify the skills and personnel gap in cyber security, understand the diversity of the field and provide insight into workplace pressures, leadership, management and hiring practices in the field.
Key findings
While the study was international, with 14,865 respondents from 18 key economies across six continents, Clar shared with us some highlights from the UK.
The headline figure is that the UK needs a further 73,000 cyber security workers to fill the gap that currently exists between supply and demand. The study suggests the supply side is growing at 8% year on year, while demand is growing by 11%. As Clar succinctly put it, “gaps put organisations at risk”, and the data bears this out: only 1% of respondents said the gap posed “No Risk” to their organisation, compared with a combined 57% who rated the risk as extreme or moderate.
Clar was clear to highlight the difference between a skills shortage and a staff shortage: while 67% of respondents reported not having enough cyber security staff, 93% identified at least some skills gap. This means that even organisations able to fill roles are missing key cyber skills and are struggling to expand multiskilling within the current workforce. Gaps in cloud security (35%), AI/ML (32%) and Zero Trust (29%) skills were highlighted as a particular problem in the UK as well as globally.
It wasn’t all bad news, with 83% of respondents agreeing that there are more alternative pathways into cyber now than there used to be, which most respondents agreed was a good thing. Further, 59% of respondents were familiar with the UK Cyber Security Council’s professional titles, and 48% are considering or have decided to pursue a professional title. “We are delighted to see growing recognition for professional registration titles in cyber security and look forward to welcoming many of them into our community of cyber security registered professionals,” commented Annmarie Dann, Director of Professional Standards at the UK Cyber Security Council.
New Pathways
The news of improved pathways into cyber is welcome, but employers need to support people coming through these unconventional routes if they are going to hire and retain the best talent.
Claudia highlighted the need for a “safe haven” - giving people the chance to make mistakes and learn from them without it putting their employment or reputation at risk.
Clar encouraged HR teams and hiring managers to think about the skills genuinely needed for the job, and to consult with cyber security teams when crafting job descriptions. She cited an example of this disconnect from the study: hiring managers are looking most for Zero Trust skills, whereas practitioners identify cloud security as the skill area actually most needed.
We asked our Careers & Learning Working Group for any further advice to employers when it comes to supporting and retaining those who enter through unconventional pathways.
Kieran Rowley, Director of the Immersive Labs Cyber Million programme, agreed that skills are crucial: “It’s vital for organizations to shift their focus to a skills-first paradigm. By prioritizing measurable real-world capabilities and aptitude through realistic cyber drills, we can make the industry more accessible to more people”.
Steve Penny, Director at the SANS Institute, recommends that “Tailored training programmes should be designed to meet individuals' unique needs from unconventional backgrounds... covering foundational cybersecurity concepts while addressing any knowledge gaps... including the soft skills required to understand the field.” He emphasised the need for “mentorship and coaching” alongside “further certifications, workshops, or conference attendance”.
Diversity and Inclusion
Clar reflected on the progress in diversity so far. ISC2’s One Million Certified in Cybersecurity initiative has seen good uptake from various underrepresented groups, but gender equality is still lagging and there is no silver bullet.
She noted that there is a difference between diversity and inclusion: diversity is demographic, inclusion is cultural. A lack of the latter may be part of what deters women, especially where organisations are not pursuing both aspects in unison. Those that do pursue both were found to have smaller skills and staffing gaps.
Claudia offered her “cheat sheet” on diversity, that “you get inspired by what you see”. Clar added that “part of the solution is cross-industry collaboration, ensuring we are all pulling in the same direction on DEI”.
Our Outreach & Diversity Working Group provided their thoughts. Trevor Louis, Senior Security Consultant at CGI and ISC2 DEI volunteer, urged that DEI programmes “need continuous improvement and buy-in from senior management.” Colin Gillingham, Associate Director at NCC Group, encouraged companies to report on their DEI details. Both echoed Claudia’s cheat sheet, with Trevor advising firms to “highlight diverse role models”. Both also encouraged firms to help with outreach to young people in schools and youth programmes.
Cyber Leadership
Valuing cyber leadership was also highlighted, with both Claudia and Clar urging firms to include their CISOs as true members of the C-suite rather than a siloed add-on. ISC2’s study revealed that many professionals remain concerned that leadership in their organisations does not listen to cyber security guidance, which creates additional risk.
Just as boards and leadership teams are now attuned to finance and compliance, Clar urges them to take cyber threats equally seriously. For security leaders who need to make that case, there are CISO-specific executive leadership programmes available to build those soft skills, along with a variety of broader continuing education opportunities for certified professionals. These not only keep individuals on top of emerging technologies and threats, but can also grow their skills and leadership capabilities.
Getting into Cyber
Claudia summed up the cyber security career best, stating “it is continuous learning”. Anyone considering the career path should enjoy and be able to learn, both independently and with guidance.
When asked for practical advice on getting into cyber, hands-on experience was emphasised by both Clar and Claudia, as well as by the Council volunteers we consulted. For those already in work, Clar suggested “go talk to the security team” and ask to get involved in their projects: given the skills gap and staff shortage, they are likely to welcome the help.
Mark Clegg ChCSP offered another option for those already in work, recommending that “Potential security professionals should consider volunteering to be the security champions for their current business unit”.
For those early in their career, Scott Nicholson ChCSP, Co-CEO of Bridewell, advises that “degree apprenticeships are proving a great way to gain the required skills and experience to qualify for and secure roles in Cyber Security”.
Simmi Chauhan, CISO of OpenBet, notes the wealth of free resources for potential cyber professionals, suggesting “creating your own cloud account and walking through YouTube learning videos or free AWS or Microsoft learning”.
Dave Daly ChCSP, Principal Consultant, highlights core skills: “Investing in basic IT and networking technical skills will be extremely valuable in all areas of cyber security”.
Clar again highlighted the value of the free One Million Certified in Cybersecurity initiative: it offers a chance to try out technical skills before committing to a career path, while entry-level qualifications establish career and qualification pathways grounded in foundational knowledge and competence, which is essential for bringing the next generation into cyber security jobs.