The UK Government is undertaking the latest in an annual survey of UK businesses, public sector organisations and charities to help understand the UK cyber security labour market. The research will examine how organisations approach employing and training cyber security professionals, and understand the issues they face during this process.
The research will continue to inform government policy on the cyber security labour market. Ipsos MORI has been commissioned to carry out the survey fieldwork. This is taking place online and by telephone from July 2021 to October 2021.
The UK Government says in a statement on its website: "Taking part is totally confidential and anonymous for all individuals and organisations. The survey is not technical and participants do not need any specific IT knowledge. Ipsos MORI would like to speak to businesses, public sector organisations and charities even if they have not had any cyber security recruitment or training issues. This is to help ensure the findings are representative of all organisations."
Businesses and public sector organisations across the UK have been selected at random from the government’s Inter-Departmental Business Register. Charities have been selected from the UK’s three charity regulator databases: the Charity Commission in England and Wales, the Office of the Scottish Charity Regulator, and the Charity Commission for Northern Ireland. Cyber sector businesses have been selected from a list compiled from various commercial business databases.
Ipsos MORI is inviting the senior person within each of these organisations who has the most knowledge of, or responsibility for, cyber security to take part. In some organisations this might be a specific individual or Head of Department, while in other organisations it might be the business owner or one of the charity trustees. In cyber sector businesses, this will be a senior individual with oversight of the organisation’s recruitment and training needs.
Last year's survey
The previous year's survey found that a high proportion of UK businesses continue to lack staff with the technical skills, incident response skills and governance skills needed to manage their cyber security. It was estimated that approximately 680,000 businesses (50%) have a basic skills gap. That is, the people in charge of cyber security in those businesses lack the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme, and are not getting support from external cyber security providers. The most common of those skills gaps are in storing or transferring personal data, setting up configured firewalls, and detecting and removing malware.
The survey also found that approximately 449,000 businesses (33%) have more advanced skills gaps, most commonly in areas such as penetration testing, forensic analysis and security architecture. A third (32%) have a skills gap when it comes to incident response (and do not outsource this). In qualitative interviews with these businesses, there was a sense that cyber security skills were poorly understood and undervalued, both among management boards and within IT teams. It was, therefore, very important for cyber leads to have the skills to be able to influence behaviour and culture within their organisations, and to discuss cyber security in terms of business risk with senior managers.
Outside the cyber sector, the more basic skills needs reflect the career pathways of those who end up working in cyber roles, with 86 per cent having transitioned from a previous non-cyber role, the survey found. By contrast, in the cyber sector, half the workforce (49%) have previously worked in a cyber role elsewhere. Nevertheless, skills gaps, both technical and non-technical, are also common in the cyber sector.
Almost half (47%) of cyber firms have faced problems with technical cyber security skills gaps, either among existing staff or among job applicants. A total of 13 per cent say that job applicants having these skills gaps has prevented them from achieving business goals to a great extent.
Technical skills gaps were most commonly cited in the following three areas: incident management, investigation and digital forensics (41% of the firms identifying any technical skills gaps), assurance, audits, compliance and testing (37%) and cyber security research (36%).
Around one in five cyber firms (18%) also say that job applicants lacking non-technical skills, such as communication, leadership or management skills, have prevented them from meeting their business goals. Around a quarter (23%) say this about their existing employees.