Cyber security skills in the UK labour market 2025 - GOV.UK

Department for Science, Innovation & Technology Print this page Ministerial foreword Kanishka Narayan MP, Parliamentary Under Secretary of State I am delighted to present the 2025 findings report on cyber security skills in the UK labour market. This report, conducted by Ipsos and Perspective Economics, provides a comprehensive analysis of the current state of our cyber security workforce and highlights both our achievements and the challenges we must address. The UK cyber sector continues to be a beacon of strength and innovation, creating thousands of high-quality jobs and driving economic growth. The government’s new Industrial Strategy highlights cyber security as a strategically important sector which is crucial for economic stability and prosperity. Our cyber security professionals are at the forefront of protecting our digital infrastructure, ensuring the safety and security of businesses and individuals alike. The sector’s resilience and dynamism are truly commendable, and I am proud of the contributions made by our talented workforce. I am particularly pleased with the strong feedback on the UK Cyber Security Council. Since its inception, the Council has played a pivotal role in shaping the future of our cyber security industry. The Cyber Career Framework and the professional standards introduced by the Council have been well-received, providing clear pathways for career progression and reassuring employers about the expertise of their candidates. This positive reception underscores the Council’s importance in fostering a skilled and competent workforce. However, we must also confront the stark reality of our diversity data. Despite the efforts of previous governments, the cyber security sector remains significantly less diverse than the wider digital sectors and the UK workforce as a whole. Only 17% of the cyber security workforce is female, and the representation of ethnic minorities in senior roles is also disappointingly low. These figures are a sobering reminder that we have much work to do to create an inclusive and representative workforce which draws upon the widest range of talented people. We also need to increase overall numbers in the sector to meet the high demand for skilled people. Organisations will be better protected and more able to grow when they have the people they need, which is why we need to attract more young people and adults into the sector. To address these issues, we are launching the TechFirst skills programme, which will be a cornerstone of our strategy to improve diversity and numbers in the cyber security sector. By 2029, we aim to see a significant increase in the representation of women, ethnic minorities, and disabled individuals in cyber security roles. The TechFirst programme will focus on providing targeted support and opportunities for underrepresented groups, ensuring that everyone has the chance to thrive in this vital industry. In conclusion, while we celebrate the successes of our cyber security sector, we must also commit to addressing its shortcomings. Together, we can build a bigger, more diverse, inclusive, and resilient workforce that reflects the rich diversity of our nation. I look forward to working with all stakeholders to achieve these ambitious goals. Thank you. Kanishka Narayan MP Parliamentary Under Secretary of State Department for Science, Innovation and Technology Summary This is a summary of research into the UK cyber security labour market, carried out by Ipsos and Perspective Economics on behalf of the Department for Science, Innovation and Technology (DSIT). The study involves: Representative surveys of cyber security sector businesses and the wider population of UK organisations (businesses, charities and public sector organisations). Qualitative research with cyber security businesses, medium/large private and public sector organisations, training providers and recruitment agents. A secondary analysis of cyber security job postings on the Lightcast labour market database and reviewing the supply of cyber security talent through sources such as the Higher Education Statistics Authority (HESA) and Jisc. This is the seventh iteration of the research, which has been carried out on an annual basis since 2018. This year we asked new questions on Artificial Intelligence (AI), outsourcing of cyber security services, awareness of the UK Cyber Security Council, and future recruitment activity levels. Mapping the workforce and the workforce gap We estimate there were approximately 143,000 individuals in the UK cyber security workforce, reflecting moderately accelerated growth driven by increasing graduate numbers. The workforce gap has stabilised in this 2025 report (3,800 individuals) after falling sharply between the 2023 (11,100 individuals) and 2024 (3,500 individuals) reports. While the supply of skills is increasing, demand has continued to slow. Supply of skills On the supply side, there was approximately 20% growth in the number of cyber security graduates between the 2021/22 and 2022/23 academic years. We therefore estimate approximately 6,000 graduates are entering the cyber security labour market each year. The number of non-UK and non-EU cyber security postgraduate students continued to rise, accounting for 67% of all cyber security postgraduate students in 2022/23, the most recent available data. In addition, we estimate approximately 2,500 additional individuals are entering the cyber recruitment pool through certification and private training providers and approximately 600 new apprenticeship starts flowing into the labour market. Demand for skills There was an average of 2,698 core cyber security job postings per month in 2024, with a median salary of £55,000. For the second year running, there was a decline in cyber security job postings, decreasing by 33% from 2023 for core cyber security roles (jobs where some aspect of cyber security is the main job function), and by 41% for all cyber security roles (roles that may not formally be labelled or commonly recognised as cyber security jobs, but still require cyber security skills). A quarter (26%) of cyber security vacancies were advertised as remote/UK-wide last year, and the London salary premium has narrowed to £11,000 compared to the UK average (London £69,800 vs £58,800 across the regions). Demand for entry-level candidates with less than one year of experience has fallen from 25% in 2022, to 22% in 2023, to 17% in 2024. Almost two-thirds of core cyber security job postings (63%) required mid-level experience (2-6 years). Within the cyber security sector, roughly half (52%) of all recruitment continued to be from the existing cyber security recruitment pool, rather than career starters (15%) or those converting from non-cyber roles (28%). Diversity in cyber security The cyber security sector workforce remained less diverse compared to the wider digital sectors and the UK workforce as a whole. Only 17% of the cyber security workforce was female compared to 30% of the digital workforce and 48% of the UK workforce. Less than 1 in 10 (8%) were disabled compared to 17% of the UK workforce. This issue is more prevalent in the senior cyber security workforce (6 or more years of experience), being less diverse in terms of gender, disability and ethnicity than the wider cyber security workforce. While 19% of the cyber security workforce are from ethnic minorities, higher than the UK workforce average of 15%, only 8% are in senior roles. Since the 2020 report there has been an increase in the proportion of neurodivergent staff reported by employers, from 9% in 2020 to 16% in the 2025 report, though this may also be attributed to improvements in the identification and reporting of neurodiverse conditions. The gender gap for postgraduate cyber courses also continues to improve year-on-year, with the proportion of female students rising from 21% in academic year 2020/21 to 24% in 2021/22 and 27% in 2022/23, the most recent available data. Skills gaps and shortages Skill gaps[footnote 1] in basic cyber security and incident response have persisted: Nearly half (49%) of businesses had a basic skills gap, struggling with essential tasks including setting up firewalls, managing personal data securely and detecting malware. Charities were more likely to have a basic skills gap (59%), while public sector organisations were much less likely (14%). Around 3 in 10 businesses (30%) and charities (29%) had gaps in advanced skills including forensic analysis, interpreting malicious code, and penetration testing. As with basic skills, the gap was lower among public sector organisations (21%). A significant proportion of public sector organisations (58%), businesses (31%), and charities (24%) outsourced some elements of their cyber security. In a new question asked this year to those who outsourced services, 40% of charities, 23% of businesses and 13% of public sector organisations lacked confidence in assessing whether external providers were offering value for money. In the qualitative research, we heard that the outsourcing marketplace was confusing and fragmented, with some organisations seeking guidance on best practices for selecting providers. In the cyber security sector, technical skills gaps among employees have increased year-on-year, with 28% of cyber security businesses reporting a gap compared to 18% in the 2021 report. The most commonly reported skills gaps were in areas like audit and assurance, digital forensics, and cryptography New for this year, we explored AI in cyber security (see also Chapter 7 in the Cyber Security Sectoral Analysis 2025). Just over half (53%) of cyber security businesses said staff were using AI in their day-to-day work and around two-thirds (65%) expected their need for AI skills among employees to increase over the next 12 months. In the qualitative research, employers expressed concern about current and future shortages of AI-related skills in cyber security. 1. Introduction 1.1 About this research The Department for Science, Innovation and Technology (DSIT) commissioned Ipsos and Perspective Economics to conduct the latest in an annual series of studies (since 2018) to improve its understanding of the UK cyber security labour market and skills needs. The research covers UK private sector businesses – both those that form the UK’s cyber sector, providing cyber security products and services, as well as wider private sector businesses (with 1 or more employees) managing their own cyber security – as well as charities and public sector organisations. It also collected data from cyber security training providers and recruitment agents. This 2025 report, in line with previous years, covers the data on: the size and composition of the cyber security workforce staff turnover (within the cyber sector) awareness and perceptions of the work of the UK Cyber Security Council – including the Cyber Career Framework and the Standard for Professional Competence & Commitment diversity within cyber security, with quantitative data specifically for the cyber sector demand for cyber security skills, based on an analysis of online cyber security job vacancies the supply of cyber security skills, based on secondary data covering Higher Education pathways, apprenticeship programmes, and professional retraining and upskilling initiatives cyber security skills gaps and skills shortages within and outside the cyber sector the use of outsourcing to fill cyber security skills gaps the cyber security workforce gap, i.e., the net annual shortfall in the number of cyber security professionals entering the labour market This research was conducted alongside a sister study, also for DSIT, which focused specifically on the UK’s cyber security sector, covering sector growth and investment – the Cyber Security Sectoral Analysis 2025. 1.2 Summary of the methodology This section contains a brief outline of the research methodology. Further methodological detail can be found in the accompanying technical report. The methodology consisted of 4 strands: Quantitative surveys – Ipsos conducted representative telephone surveys with 4 audiences: UK private sector businesses (outside the cyber sector), public sector organisations, registered charities, and cyber sector businesses (i.e., those providing cyber security products or services). Fieldwork was conducted between 31 July and 18 October 2024. There was also a short recall survey, which took place between 18 and 29 November 2024, to fill in gaps in the information collected in the main fieldwork. The data for the private sector, public sector and charities has been weighted to be representative of these populations, while the data for the cyber sector is considered representative of that sector, since the entire sector was sampled. Qualitative interviews – Ipsos conducted 45 in-depth interviews relevant to this labour market research, including 24 with cyber sector businesses (other than training providers), 11 with cyber leads in medium and large businesses private sector businesses and public sector organisations, 4 with recruitment agents and 6 with cyber security training providers. The interviews explored the challenges organisations faced in addressing skills gaps and shortages, approaches to recruitment, workplace diversity, and factors impacting the development of skills in the cyber security workforce. This fieldwork took place between 16 September and 26 November 2024. Job vacancies analysis – Perspective Economics analysed cyber security job postings on the Lightcast labour market database, providing details on the number, type and location of job vacancies across the UK. This analysis also covered remuneration, descriptions of job roles and the skills, qualifications and experience being sought by employers. We primarily focused on vacancies across the 2024 calendar year (i.e., January to December 2024). Supply side analysis – Perspective Economics replicated the methodology used in the previous report to estimate the size of the cyber security recruitment pool. This used the latest published data on graduate enrolments from the Higher Education Statistics Authority (HESA) and Jisc, the HESA Graduate Outcomes survey 2022/23, the latest Department for Education apprenticeship data for England, and wider data on professional retraining and upskilling initiatives. This strand also produced further statistics on the demographic characteristics, educational and occupational backgrounds, and salaries of this pool of labour, as well as outflows from the pool. 1.3 Interpretation of the data Years of data covered Throughout this report, when referring to changes over time, we typically reference the publication year (i.e., 2025 for this latest report). However, it is important to note that the primary quantitative and qualitative data was collected in the previous calendar year (i.e., 2024). This is explicitly mentioned in each figure and chart title. To be consistent with previous reports, line charts based on survey data use the report publication year in the x axis, rather than the fieldwork year. Furthermore, due to the use of multiple methodologies, the report references data from various time periods, summarised below: quantitative survey data collected between July and November 2024 qualitative data collected between September and November 2024 job vacancies data from January to December 2024 2022/23 data on graduate enrolments from HESA and Jisc the HESA Graduate Outcomes survey 2022/23 (covering graduates from the 2021/22 academic year, approximately 18 months after their graduation) Department for Education apprenticeship data for England (covering the 2023/24 academic year). Charting of survey results Where figures in charts do not add to 100%, this is typically due to rounding of percentages that come from weighted data, because the questions allowed more than one response, or because not all responses have been charted for the sake of visual clarity. Subgroup analysis for businesses We have undertaken subgroup analysis on the quantitative survey data for businesses, to show how findings differ by business size and sector. There were too few public sector organisations and charities sampled to split out results for these organisations by subgroup. For businesses, the analysis by size split the population into micro businesses (1 to 9 employees), small businesses (10 to 49 employees), medium businesses (50 to 249 employees) and large businesses (250 employees or more). In our sector subgroup analysis, we grouped similar sectors together by SIC 2007 code for higher sample sizes. The groupings are the same ones used in DSIT’s Cyber Security Breaches Survey series. Ultimately, there were relatively few major sector differences to report on, but this is the full list of sector groupings that we looked at in the subgroup analysis: administration and real estate (SIC L and N) construction (SIC F) education (including academies) (SIC P) entertainment, service or membership organisations (SIC R and S) finance and insurance (SIC K) food and hospitality (SIC I) health, social care and social work (including NHS organisations) (SIC Q) information and communication (SIC J) professional, scientific or technical (SIC M) retail and wholesale (including vehicle sales and repairs) (SIC G) transport and storage (SIC H) utilities and production (including manufacturing) (SIC B, C, D and E) Typically, we compared each sector to the average private sector business. The education sector and health, social care and social work sector include a large mix of private and public sector organisations. We therefore analysed these sectors using a merged sample of private and public sector organisations, specially weighted to represent a merged population profile. The quantitative survey found few noteworthy or consistent regional subgroup differences. Therefore, we have typically not commented on these across the report. We do, however, have a far more substantial geographic analysis as part of strand 3, the secondary analysis of job vacancies (covered in Chapter 4). Statistical significance testing (for subgroups and changes over time) The survey results are subject to margins of error, which vary with the size of the sample and the percentage figure concerned. We carry out statistical significance tests, which signify whether differences across the results are likely to be real differences in the population, or likely to have occurred by chance. In this report, where we highlight any subgroup differences by business size or sector, or any other variable, these are statistically significant differences (at the 95% level of confidence) – unless the commentary states otherwise. Similarly, where we indicate that findings have changed since the previous studies, this is indicating a statistically significant change over time unless otherwise stated. Specifically, this report contains several workforce-level estimates compiled from cyber sector survey data. They estimate the percentage of the cyber sector workforce with certain traits (e.g., the proportion of the cyber sector workforce that is female), unlike most of the reported data for the cyber sector, which represents the percentage of cyber sector businesses. We do not expect to find statistically significant differences over time in these estimates given sample size limitations. Instead we focus on broad trends and patterns in the data when analysing workforce-level estimates. Interpretation of the qualitative data The qualitative findings offer more nuanced insights and case studies into how organisations address their cyber security skills needs, and why they take certain approaches. The findings reported here represent common themes emerging across multiple interviews. Where we pull out an example, insight or quote from one organisation, this is typically to illustrate findings that emerged more broadly across multiple interviews. As with any qualitative findings, these examples are not intended to be statistically representative of the wider population of UK organisations. 1.4 Acknowledgements Ipsos and Perspective Economics would like to thank colleagues at DSIT for their project management, support and guidance throughout the study, as well as Professor Steven Furnell for his contributions to the research design. This research was also endorsed by the National Cyber Security Centre (NCSC), the UK Cyber Security Council (UKCSC), the UK Cyber Cluster Collaboration (UKC3), techUK, teiss and the Security Awareness Special Interest Group (SASIG). 2. Mapping the workforce This chapter estimates the size of the UK cyber security workforce across the whole economy (accounting for inflows and outflows since the previous year), findings that were previously featured in Chapters 2, 8 and 9 of the reports from earlier waves. Within the cyber sector specifically, we include survey data on the typical size of cyber teams, staff turnover, and cyber teams coverage of the specialisms outlined in the UK Cyber Security Council’s Cyber Career Framework. Both the Council’s Cyber Career Framework and their Standard for Professional Competence & Commitment (UK CSC SPCC) were also topics for discussion in these qualitative interviews. Businesses, cyber leads and training providers provided broad feedback on the utility of these initiatives, which built on last year’s discussion of the Cyber Career Framework. The current picture There are approximately 143,000 individuals in the cyber security workforce. The longer-term trend suggests that the growth of the cyber workforce has moderately accelerated in recent years (from 2% growth in 2022 to 5% growth in 2024). This has been driven by increasing numbers of graduates entering the recruitment pool. Within the cyber sector specifically, the dominance of small cyber teams prevailed, with the typical (median) cyber business having 3 to 4 employees working in cyber roles. Staff turnover remained similar to previous years, with 12% of sector employees leaving their roles. What’s new since the 2024 report? Both the Cyber Career Framework and associated professional standards were explored last year, although this year’s study generated new insights on each initiative. Participants welcomed the Career Framework’s potential to contribute to a shared understanding of cyber roles. However, they highlighted that understanding would always be challenging to achieve in a landscape of inconsistent and evolving terminology. Participants felt the professional standards provided clear progression pathways and reassurance for employers, but might inadvertently limit flexibility in careers, by emphasising specialisation early on. There were also uncertainties around duplication of existing qualifications, and how the standards would be implemented in practice. 2.1 Size of the cyber security workforce The cyber security workforce estimate takes into account the number of individuals working in a cyber security related role in both the cyber security sector[footnote 2] and the wider labour market. It is calculated from several constituent parts, which include: The previous year’s workforce estimate (at approximately 136,800 individuals). An estimate of inflows, compiled from the Higher Education Statistics Authority (HESA) Graduate Outcomes survey, Department for Education data on apprenticeships, and wider data on retraining and upskilling pathways (from multiple sources) – these 3 aspects are covered in detail in Chapter 5. This year, the estimate has been supplemented with additional information from the Office for National Statistics (ONS) Annual Population Survey. An outflows estimate, informed by the annual survey estimates of staff turnover in the cyber sector. Each year’s workforce estimate has a lag relative to the year this report is published. Therefore, this year’s estimate covers the cyber security workforce at the end of 2024, while the last report covers figures for 2023. At the end of 2023 we estimated that there were approximately 136,800 individuals in the cyber security workforce. We assume an inflow figure (new people to the industry) of approximately 11,700 individuals. This includes 9,100 new entrants – 6,000 new graduates, 600 new apprentices, and 2,500 individuals coming through retraining or upskilling pathways (each covered in Chapter 5) – and a further 2,600 moving into cyber security roles from aligned professions (see the next subsection). We assume an outflow figure of approximately 5,500, based on up to 4% of cyber security employees leaving the sector in a given year due to retirement or exit. In the previous report, we estimated an outflow rate of 3.5%. The updated figure reflects a small increase this year in the survey data for the proportion of staff being dismissed, made redundant or retiring (see the end of Section 2.2). This suggests an estimated cyber security workforce of 143,000 individuals as of end of 2024 (+5% from last year’s estimate). This represents a moderate acceleration in the growth of the workforce (having grown by 3% from 2022 to 2023, and 2% from 2021 to 2022). However, this comes alongside a tightening of the labour market, with advertised demand for cyber roles having fallen from 2022 to 2024 (covered further in Chapter 4). Comparison to Standard Occupational Code (SOC) data Both the HESA Graduate Outcomes survey and the ONS Annual Population Survey provide data on the number of people in IT-related or cyber security roles, which we use to inform our workforce estimate. The latest Graduate Outcomes survey (covering graduates from the 2021/22 academic year, approximately 15 months after graduation) shows that the volume of graduates moving into IT roles has increased from 30,800 to 34,630 (+12%) since last year’s report. In addition, the volume of graduates moving specifically into cyber security professional roles (mapped to SOC 2135) has increased from 1,470 to 1,780 (+21%) over the same period. The full tabulated data for these figures is provided in Annex A. The Annual Population Survey[footnote 3] provides its own estimate of the number of people working in cyber security professional roles (again mapped to SOC 2135). The most recent estimate covers the period of October 2023 to September 2024, and records that 69,900 individuals were working in these roles. On its own, this Annual Population Survey figure is likely to significantly underestimate the size of the cyber security workforce. Individuals working in cyber security-related roles may be coded into another area, such as programming or consultancy, even if their role mainly encompasses cyber security. This helps to explain the disparity between our overall estimate of 143,000 in the cyber security workforce, and the 69,900 individuals identifying as cyber security professionals. However, the trend data for this figure can be used to refine our annual inflows estimate for the cyber security workforce.[footnote 4] The figure for October 2022 to September 2023 was 58,200. This suggests an increase of 11,700 cyber security professionals from the October 2022-September 2023 period to the October 2023-September 2024 period. We have therefore adjusted our own conservative estimate of 9,100 new entrants from Higher Education, apprenticeships, and retraining or upskilling pathways (covered in Chapter 5). It is feasible that a further 2,600 people moved into cyber security roles from aligned professions (since the combined total of 9,100 and 2,600 is 11,700, matching the increase in cyber security professionals over the last 12 months as set out in the Annual Population Survey). 2.2 Composition of cyber teams within the cyber sector This section specifically focuses on survey data for the cyber sector. In previous years, we also surveyed the wider business population, as well as charities and public sector organisations on the size of their cyber teams. This question was not asked this year to reduce the survey length and burden on respondents, and due to these statistics suggesting limited change across waves. However, it may be included again in future years. Size of cyber teams within the cyber sector The latest Cyber Security Sectoral Analysis highlights that 56% of cyber businesses were micro in size, employing less than 10 people. As such, it is expected that most cyber team sizes across the sector will be at the smaller end. This year, around a quarter (23%) had 1 employee in the cyber role. The typical (median) cyber business had 3 to 4 employees in these roles. The mean was 7 employees. The overall composition, shown in Figure 2.1, was similar to last year. The typical size of cyber teams has become leaner when reflecting over a longer period. The median was 3 to 4 employees in the last 2 waves, compared to 5 to 9 in the 2023 and 2022 studies. This aligns with the wider data in this study showing a tightening of the cyber security jobs market over successive waves (see Section 4.1). Figure 2.1: Percentage of UK cyber sector businesses by the number of people working in cyber roles (fieldwork year 2024) Base: 204 cyber sector businesses (i.e., excluding 5 from the full sample that did not provide this information) Supplementary data on cyber sector recruitment expectations In this year’s quantitative survey, there was a new question asking if cyber sector employers expected the number of people they had working in cyber security roles to change over the next 12 months. Two-thirds (67%) expected to grow their workforce, while just under a third (30%) expected no change. Very few (3%) had intentions to downsize their workforce. Specialisms of cyber teams within the cyber sector We asked cyber businesses whether they had staff working in any of the 15 specialisms outlined in the Cyber Career Framework. The top two specialisms were cyber security governance and risk management (42%) and cyber security management (37%). At the other end, digital forensics (8%) and cryptography and communications security (9%) were the least mentioned. Figure 2.2: Percentage of UK cyber sector businesses that employ people in cyber roles covering each of the following Cyber Career Framework specialisms (fieldwork year 2024) Change to table view Cyber security governance and risk management 42% Cyber security management 37% Cyber security audit and assurance 32% Security testing 32% Vulnerability management 29% Secure system architecture and design 25% Data protection and privacy 22% Secure system development 21% Cyber threat intelligence 20% Incident response 20% Identity and access management 19% Secure operations 16% Network monitoring and intrusion detection 15% Cryptography and communications security 9% Digital forensics 8% Another area 16% Don’t know 3% Base: 209 cyber sector businesses The survey was amended this year to exclude the “cyber security generalist” response (in line with changes to the Cyber Career Framework). Instead, cyber businesses were asked to assign their employees based on the cyber activities they spend most time on. This means the findings are not directly comparable to previous years. It may also explain the relatively high proportion answering with “another role” – this may represent staff considered to be generalists. Although direct comparisons are not possible, the pattern of responses across the specialisms can be compared. The top 3 specialisms match last year’s survey, as do the bottom 2. By contrast, network monitoring and intrusion detection was ranked lower than in the previous 2 waves, when it ranked in the middle of the list (ranked 7 out of 15 in 2023, and 8 out of 15 in 2024, compared to 12 out of 15 this year – when excluding the previous cyber security generalist category). Staff turnover across the cyber sector We estimate that 12% of cyber sector employees left their posts in the 18 months prior to the survey (i.e., since around January 2023). This includes 7% who left of their own volition, with 2% being dismissed, and 1% each leaving for retirement and redundancy. This pattern is similar to last year. These are bare minimum estimates. The size of the total workforce in our calculations assumes, for simplicity, that all these staff were in post 18 months ago (i.e., they did not join and leave within the last 18 months, which is possible). The turnover rate has been similar across the last 3 waves (11% in each case). In the qualitative research, we found that salary remained a crucial factor influencing staff turnover. Some participants noted that sales staff and junior staff were particularly likely to be attracted by higher pay and better career progression opportunities. Employees with specialist technical skills, such as penetration testing, were regarded as harder to retain because of high market demand for their skills. On the other hand, the more recent slowdown in demand for cyber security professionals was felt to have been a stabilising factor for retention. “We’ve got a fairly stable team. I think that is to do with the market, because the market slowed down quite a lot in the last year. A lot of the big tech companies have been reducing headcount in cyber, as well as normal technology functions. There’s not a huge amount of attrition. It comes in cycles, so I’d expect it to change again at some point.” Large non-cyber (private sector) business Retention strategies continued to focus on training and career progression opportunities. Some cyber security businesses also saw flexible working conditions and remote working options as a way to retain staff. 2.3 The Cyber Career Framework As noted in the chapter introduction, the qualitative interviews explored perceptions of the UK Cyber Security Council’s Cyber Career Framework (covered here) and their SPCC (covered in Section 2.4). As added context for these findings, and new for this year, we also covered awareness of the Council in the cyber sector survey. This showed a high level of awareness that has built up since the Council was created in 2021, with 69% of cyber sector businesses having heard of it. Similar to previous years, we found a mixed awareness of the Council’s Cyber Career Framework in qualitative interviews. Nevertheless, feedback on the framework (which we showed to participants during the interview) was generally positive. Consistent with previous years, employers, training providers and recruiters viewed the framework as a helpful introduction to the cyber security industry, particularly for entry-level roles and individuals reskilling in cyber security. Participants highlighted the framework’s value in informing career choices and guiding employers in professional development pathways. “If you’re getting into the area or exploring getting into the area, I think it’s incredibly useful. It’s a great starting point.” Large business outside the cyber sector However, some participants felt the framework was less relevant for more experienced professionals, whose experience might span across multiple specialisms. This year, we also asked participants what impact the framework could have on developing a shared understanding of cyber security roles, for example by standardising job titles. This was welcomed in principle, and some participants praised the framework for clearly explaining different roles. However, some highlighted how challenging it would be to achieve this shared understanding, given that the terminology used in cyber security was already inconsistent, overlapping and evolving. “Cyber is terrible for acronyms and terminology, and ‘let’s give that a new name’. It’s the same thing, but let’s give it a new name. There might be 10 people doing the same job and they’ve all got a different title.” Training provider Participants emphasised the need for the framework to therefore incorporate evolving roles, as well as rapidly developing technologies such as artificial intelligence (AI), to ensure its continued relevance. “I imagine in the future we’ll have more people [in cyber security] who work specifically within AI. And perhaps right now we just call them all data scientists and hope for the best. Developing the framework might just be expanding into those areas and having additional titles for those roles, but I couldn’t guess how that might develop.” Micro cyber sector business 2.4 Professional Standards The UK Cyber Security Council’s introduction of a professional standard within its cyber specialisms generated mixed views across the qualitative interviews, largely echoing last year’s response. Positive feedback centred on the potential for professional standards to reassure employers about candidate experience, particularly for more junior applicants. “I think any chartership is good, because it provides a standard there that, if you know someone is qualified or chartered to that level, you know that they should have that level of expertise.” Recruitment agent The tiered structure of the professional standards was appreciated for providing clear progression pathways (there are Chartered, Principal, Practitioner and Associate levels). However, participants had concerns about potential barriers for entry-level applicants if standards were to become mandatory, suggesting that this may inadvertently limit career flexibility by requiring early specialisation. Mirroring last year’s findings, participants raised concerns about potential duplication with existing qualifications, such as CREST and other vendor certifications, as well as how the standards would be kept up to date. Some said they wanted to see how the standards are implemented in practice. They wanted to know about the assessment criteria, how much they would cost, how they related to existing certifications and whether they would be mandated in any way. “This is something the industry doesn’t necessarily need, and the concern is that it’s going to impose a regime of keeping the thing up to date and therefore generate an industry of providers. I cannot imagine it’s going to roll out without cost, which is just another thing you have to sign up to do, in addition to CREST and all the rest of it.” Large cyber sector business Finally, participants noted that the value of the professional standards would depend upon how widely they were adopted and how much customer demand there was for them. This would determine how willing employers would be to invest in them for their employees. 3. Diversity in cyber security This chapter explores diversity within the cyber security workforce, covering gender, age, state school backgrounds, ethnicity, disability, and neurodiversity.[footnote 5] It includes workforce diversity estimates from the quantitative survey, secondary data covering diversity in the Higher Education recruitment pool, and qualitative findings. The secondary data was previously covered in Chapter 9 in the reports from earlier waves. As in previous years, survey questions on diversity were only asked of cyber sector businesses and not the wider business population. This is because cyber sector businesses are the primary recruiters and employers of cyber-related positions – Chapter 2 highlights how the UK cyber sector workforce (67,299 employees) makes up the largest proportion of the overall cyber security workforce (approximately 143,000 individuals already in cyber roles, and in the wider recruitment pool). Moreover, most private sector businesses have employees undertaking cyber roles informally. Therefore, including these businesses would give an inaccurate view of diversity in the cyber professional workforce. The qualitative findings do nevertheless include the perspectives of non-cyber businesses, recruitment agents and training providers. Future waves of this study will aim to expand our understanding of diversity trends by reviewing Annual Population Survey data for SOC 2135 (the code for cyber security professionals), which may be broken down by demographic variables such as gender. The current picture In terms of gender and disability, the UK cyber sector workforce continued to be less diverse than the wider digital sectors, and the UK workforce as a whole. The senior workforce in the cyber sector, with 6 or more years of experience, also continued to be less diverse than the overall cyber sector workforce. The qualitative interviews suggest that many of the same barriers that hindered diversity remained in place. This included a perceived non-diverse talent pool at the entry level, the cost of degrees and other technical qualifications putting off new entrants. There was also an ongoing perception of the types of people working in cyber security roles being predominantly white men. As in previous years, recruitment agents often played an important role in educating employers on how to achieve diversity when hiring. What’s new since the 2024 report? This year’s results do suggest some positive trends. The proportion of neurodivergent staff reported by employers has risen almost every year since the 2020 report – although this may reflect greater awareness and identification of neurodiversity, rather than an increase in hiring of neurodivergent individuals. In addition, the gender gap in postgraduate cyber security courses has shown continuous, incremental improvement. In the 2020/21 academic year, 21% of cyber security postgraduates were female, rising to 24% in 2021/22, in 27% in 2022/23 (HESA, see Chapter 5). New survey data for this year suggests that the most common actions cyber sector employers took to improve diversity in their recruitment were hiring through non-degree routes (63%), and running events in schools or colleges (41%). It was relatively rare for hiring cyber sector businesses to have set diversity quotas (8%) or hired through government-backed diversity schemes (7%). 3.1 Estimates of diversity in the cyber sector As can be seen from Figure 3.1, when it came to gender and disability, the UK cyber sector workforce continued to be less diverse than the wider digital sectors, and the UK workforce as a whole. The statistics for the cyber sector workforce were more in line with wider digital sectors for ethnicity, and in this area the cyber sector once again outperformed the whole UK workforce. The senior workforce – defined as those who have 6 or more years of experience – was slightly less diverse across all groupings. These patterns all match those seen in previous years.[footnote 6] Figure 3.1: Percentage of the UK cyber sector workforce estimated to belong to each of the following diversity groups (fieldwork year 2024) Bases: 192 cyber sector businesses for whole cyber sector workforce estimates, 187 for senior workforce estimates (in each case excluding those that were not able to answer or refused these questions.) </sub>N.B. gender, ethnicity and disability comparison data for the whole UK workforce and digital sectors comes from DSIT Economic Estimates. We use the April 2023 to March 2024 data.</sub> Figure 3.2 shows how the data for the whole cyber sector workforce has changed over time. It suggests a rise in the neurodivergent proportion of the workforce in the 6 years since this statistic was first measured (from 9% in the 2020 study, to 16% in this latest study). However, it is important to note that this could simply reflect an increasing awareness of neurodiversity across employers, leading to greater identification, rather than a genuine increase in the number of neurodivergent employees. In the qualitative research, some participants felt there was now a greater awareness of neurodiversity, with some employers reporting that they had specifically taken steps to accommodate the needs of neurodivergent people in the workplace. Figure 3.2: Percentage of the whole UK cyber sector workforce estimated to be neurodivergent (fieldwork years 2019 to 2024, equivalent to report publication years 2020 to 2025) Bases:c.200 cyber sector businesses each year. For consistency with previous reports, the x axis refers to the report publication year, which is one year on from the fieldwork year. Within the senior workforce, the proportion from ethnic minorities has slightly fallen over a 5-year period (the senior workforce statistics were first measured in the 2021 study), as Figure 3.3 highlights. Figure 3.3: Percentage of the senior UK cyber sector workforce estimated to be from ethnic minorities (fieldwork year 2019 to 2024, equivalent to report publication years 2020 to 2025) Bases: c.200 cyber sector businesses each year. For consistency with previous reports, the x axis refers to the report publication year, which is one year on from the fieldwork year 3.2 Higher Education student demographic profiles This section provides the breakdown of graduates in cyber security and computer science courses for the latest available academic year (2022/23), in terms of gender identity, ethnicity, age, and entry from state schools. This is taken from HESA and Jisc secondary data. Overall, the pipeline of new entrants into the cyber security labour market has not substantially changed from last year, with the exception of sustained improvement in female participation in postgraduate cyber security courses. Female participation in cyber security courses remained low in absolute terms, with only 14% of undergraduate and 27% of postgraduate students identifying as female. These female participation levels were, once again, significantly lower than for broader computer science courses (20% and 35% respectively, for undergraduate and postgraduate computer science courses). Nevertheless, the postgraduate figure for cyber security courses showed continued improvement, increasing from 21% female in 2020/21, and 24% in 2021/22, to 27% in 2022/23. At least 17% of cyber security students and 14% of computer science students were from ethnic minority backgrounds, showing a slight decrease of 2% from the previous year. However, it should be noted that there was an increase in students with undisclosed ethnicity across both sets of courses, which may impact the results. Cyber security courses continued to attract enrolment from a wide range of age groups, with 72% of undergraduates aged 18-24 and 27% aged 25 or older. This diversity was more pronounced at postgraduate level, where 69% of students were 25 or above. These figures were similar to previous years. As in previous years, mature students (aged 30+) showed a stronger preference than other age groups for part-time study (52% took this option, vs. 24% of those aged 25-29, 23% of those aged 21-24 and 4% of those between 18-20 years old). At least 73% of UK-domiciled cyber security students came from state schools, consistent with the 72% for computer science students. This was broadly in line with previous years. These figures are likely to underestimate the true proportions, as the students with unknown schooling backgrounds in the dataset (accounting for 25% of the dataset) were most likely to have been state-educated. A small proportion of both cyber security students (2%) and computer science students (4%) came from privately funded schools.[footnote 7] The full tabulated data for this section is provided in Annex B. 3.3 Diversity in recruitment processes A new survey question for this year covered what cyber sector employers had done, if anything, to encourage job applications from diverse groups. This was asked to the 51% of cyber sector businesses that had undertaken recruitment in the 18 months prior to the survey. As Figure 3.4 shows, the majority of these employers said they had hired through non-degree routes (63%). Another relatively common action, undertaken by around 4 in 10 employers when hiring, involved running events in schools or colleges (41%). Comparatively few businesses had diversified their senior leadership team (16%), set quotas (8%) or hired through government-backed diversity schemes (7%), which were the least commonly mentioned options. The lack of emphasis specifically on diversity among senior leadership teams may help to explain why diversity continued to be lower among this group, compared to the whole cyber sector workforce (as covered in Section 3.1). Figure 3.4: Actions taken to encourage job applications from diverse groups in the UK cyber sector (fieldwork year 2024) Change to table view Hired through non-degree routes 63% Run talks or events in schools colleges or universities 41% Attended networking events or career fairs specifically for diverse groups 32% Worked with recruitment agencies to find more diverse candidates 31% Worked with any third sector organisations to find more diverse cadidates 20% Diversified our senior leadership team 16% Set diversity quotas for recruitment 8% Hired through a government-backed scheme to promote diversity 7% Base: 107 cyber sector businesses that had any job vacancies since January 2023 3.4 Qualitative insights on diversity In the qualitative research, there was widespread agreement that the cyber security workforce continued to be male dominated. Perceptions of ethnic diversity were more mixed. While some participants thought there had been improvements in diversity over time, others contrasted with this view by saying there had been little change in their experience. “It’s very pale, male and stale still. We’ve got two females, one ethnic minority, so we’re miles below where we should be.” Large cyber sector business Participants continued to raise many of the same barriers to improving diversity that had been raised in previous years. Some thought that employers were not attracting enough diverse entry-level candidates. The talent pool remained a key iss