The state of UK cyber security skills in 2022

Published on: 26 May 2022

If you're looking for a varied, exciting sector to work in that offers plentiful opportunities for promotion and high salaries, cyber security continues to be a hugely in-demand career throughout the UK. 

With there still being a significant skills gap in this, there's never been a better time for professionals to get into this industry, or look for a new role, as companies continue to compete for the best talent.

Indeed, a new report from the Department for Digital, Media, Culture and Sport has sought to shed light on the current situation in the country with its latest cyber security skills report, published in May.

Based on both surveys and direct interviews with cyber security firms, recruiters and wider UK businesses across multiple sectors, the report aims to give a comprehensive picture of the state of the UK's cyber security labour market. So what are some of the key findings from the 2022 edition?

Half of firms lack cyber security skills

A major takeaway from the report is that many firms continue to have difficulty attracting the right level of talent. It estimated more than half of businesses in the UK (51 per cent) report a basic skills gap in this area, equating to some 697,000 companies. This is defined as people in charge of cyber security who are not confident in their ability to carry out basic activities such as setting up configured firewalls, storing or transferring personal data, and detecting and removing malware.

Meanwhile, some 451,000 businesses (33%) have more advanced skills gaps, with areas such as penetration testing, forensic analysis and security architecture particularly lacking. As such, there may be great opportunities for professionals who have these skills to find a new role that suits them.

The report also noted that one reason for the continued skills gap, which remains relatively unchanged over the past four years, is that management boards outside the cyber sector lack an understanding of cyber security. It said: "In particular, the interviews highlight a
potential knowledge deficit among C-suite decision makers tasked with overseeing cyber security."

The most in-demand roles

When it comes to the type of roles businesses are looking to fulfil, the most popular job titles in 2021 were:

  • Security engineers (35 per cent)
  • Security analysts (18 per cent)
  • Security managers (14 per cent)
  • Security architects (11 per cent)
  • Security consultants (nine per cent)

The most in-demand high-level technical skills were said to include information security, network security and an understanding of ISO 27001. Meanwhile, more specialist skills that appeared frequently in job listings included network engineering, risk management and technical controls, operating systems and virtualisation, cryptography, and programming.

Overall, 53 per cent of cyber security businesses looked to recruit in the previous 18 months, with 44 per cent of these vacancies reportedly being hard to fill. This was up from 35 per cent in 2020 and 37 per cent last year.

Businesses are also keen to take on more entry-level staff, which is indicative of a growing need to fill skills gaps and expand the knowledge base within the sector. In 2022, 18 per cent of the workforce were new graduates or apprentices, compared with 12 per cent in 2020.

Looking beyond qualifications

While the research indicated that many employers regard cyber security certifications as valuable or even essential - especially in more technical areas such as security testing, where qualifications such as Certified Ethical Hacker and CREST are held in especially high regard - there remains a level of scepticism around qualifications. This may indicate why four out of ten firms in the cyber sector do not have staff with relevant cyber security qualifications.

One issue is that certifications do a poor job of indicating the attributes that are truly in demand from employers, such as an aptitude for fast learning and self-learning, problem solving and communication skills.

This may also explain why many firms are looking beyond traditional backgrounds when searching for staff. Among businesses not directly in the cyber sector, 85 per cent of private sector cyber security roles have been filled by people who have transitioned into this position from a previous non-cyber role. 

Even within the cyber sector, nearly half of professionals (46 per cent) joined from a non-cyber role, indicating the opportunities for those looking to switch careers into this field.

Efforts to boost diversity continue

The report also noted progress has been made towards increasing diversity in the cyber sector. While professionals are still more likely to be white and male, the figures for women and ethic minorities have improved.

In 2020, 15 per cent of the UK cyber security workforce was female, while 16 per cent came from ethic minority backgrounds. In this year's report, the figures were 22 per cent and 25 per cent respectively. 

However, there is clearly still more work to do. Interviews found that while diversity has become a high-profile issue in recent years, there remain some stereotypes about cyber professionals that need to be overcome if firms are to take advantage of a relatively untapped pool of candidates with transferable skills to transition into cyber security roles.    

The report added: "These findings highlight an ongoing need for industry-wide initiatives to build diversity in the recruitment pool, encourage employers to cast their nets more widely and ensure they use best-practice recruitment approaches, particularly when recruiting senior roles."