Cybersecurity Talent in the UK: Where the Skills Are (and Where They Aren't)


  • Publish Date: May 2026

A look at one of the most persistent skills shortages in UK technology, and what hiring leaders can do about it.

Published by The ONE Group Technical

Introduction

If you've tried to hire a cybersecurity professional in the last couple of years, you'll already know how the story goes. The roles stay open for months. The shortlists are thin. The candidates who are any good have three offers on the table, and the salary expectations keep climbing.

What the headline figures don't always capture is how uneven the picture really is. The UK's cybersecurity workforce has grown substantially, and the pipeline of junior talent is stronger than it used to be. But in the areas where real expertise matters most, including incident response, cloud security, security architecture, and governance, the shortage isn't improving. If anything, it's getting more concentrated.

This paper draws together the most recent data from the UK Government, the Department for Science, Innovation and Technology (DSIT), the Cyber Security Breaches Survey, industry research from Firebrand, ISC2, and our own experience recruiting across the technology sector. The aim is to give hiring leaders a practical, current view of where the cybersecurity skills are, where they aren't, and what to do about it when you're the one trying to fill a role.

The State of the UK Cybersecurity Workforce

The headline numbers look encouraging. According to the UK Government's 2025 Cyber Security Skills in the UK Labour Market report, approximately 143,000 people were employed in cybersecurity roles across the UK economy in 2024, a 5% increase on the year before. The sector contributes around £13.2 billion in revenue and £7.8 billion in gross value added.

So far, so positive. But the same report estimates a workforce shortfall of around 3,800 professionals, and when you look at where that gap is hiding, the picture gets more complicated.

Skills gaps versus skills shortages

These two terms are often used as though they mean the same thing. They don't.

A skills shortage means there aren't enough people available to do the job. A skills gap means the people doing the job don't have all the skills they need. The UK has both, and the skills gap side of the problem is the one that's been stubbornly difficult to shift.

DSIT's research found that 44% of UK businesses have a basic technical cybersecurity skills gap, meaning their teams lack confidence in fundamental areas such as configuring firewalls, detecting malware, or securely removing data. Around 27% have an advanced skills gap, where teams are missing the expertise needed for penetration testing, security architecture, or forensic analysis.

These numbers have barely moved in five years. The 2021 figures were broadly similar, and despite substantial investment in training and certification, the needle has refused to shift.

The incident response problem

One area stands out as getting worse rather than better: incident response. DSIT's data shows that the proportion of businesses reporting incident response skills gaps rose from 27% in 2020 to 48% in 2024. That isn't a small shift. It means nearly half of UK businesses don't feel confident they could handle a serious breach if one landed on their desk tomorrow.

Firebrand's 2026 survey of senior UK leaders found similar patterns. Among organisations that had suffered a cyber attack in the past year, 54% cited heightened demand on internal IT and security teams as the biggest operational impact, ahead of financial loss (50%) and service disruption (46%). Around a quarter of those hit took between one and four weeks to recover fully.

The skills gap in cybersecurity isn't a training problem. It's a hiring problem, an experience problem, and a market problem. Training alone won't solve it.

Where the Skills Gaps Actually Are

The cybersecurity skills conversation often gets flattened into a single narrative: there aren't enough cyber people. In reality, the shortage is sharply concentrated in specific areas, and understanding where the pressure really sits is the first step to hiring intelligently.

Cloud security

As UK businesses have moved their infrastructure to AWS, Azure, and GCP, the demand for cloud security specialists has outpaced supply. These are professionals who understand identity and access management at scale, who can configure secure landing zones, and who can design architectures that hold up under audit. They're rare, and they're expensive, and they're increasingly being hired on retained contracts or into senior permanent roles with substantial packages.

Incident response and digital forensics

As DSIT's numbers show, this is where the gap is widening fastest. Experienced incident responders who can actually run a live breach investigation are in short supply, and the 82% of businesses that outsource their incident response work are doing so for a reason. The qualitative research in the DSIT report captured it neatly: even qualified IT security people don't get enough practice to be confident in a real incident.

Governance, risk, and compliance (GRC)

GRC sits at the junction of regulation, business strategy, and technical controls. It's one of the areas where the shortage is most visible, because the work requires people who can translate frameworks like ISO 27001, NIST CSF, and the EU NIS2 directive into practical control sets that actually make sense in your business. Firebrand's research found that 50% of senior leaders flagged skills shortages in risk controls and information security.

AI and emerging threats

This is the area growing fastest, and the one where the talent pool is thinnest. Over three-quarters of UK leaders surveyed by Firebrand believe AI is increasing cyber risk for their organisation, but very few have the specialist skills in-house to respond. The intersection of AI engineering and security expertise is one of the most in-demand, hardest-to-fill combinations in the UK technology market right now.

Security architecture

Senior security architects, the people who design secure systems from the ground up, are in perennial short supply. They're typically individuals with 10+ years of experience, a strong engineering background, and the ability to communicate with both engineers and executives. There aren't enough of them, and the ones who exist rarely stay on the market for long.

What This Means for Hiring

Understanding where the gaps are is only useful if it changes how you go about filling them. Here are the patterns we see repeatedly in our work with clients hiring cybersecurity talent.

The job-posting gap

According to research cited in the Cyber Security Breaches Survey and follow-up analysis, there were around 160,000 cybersecurity job postings across the UK over a 12-month period. Employers reported that more than a third of those vacancies were hard to fill. That's a lot of time and budget tied up in roles that stay open.

The businesses that do best in this market tend to share a handful of characteristics. They move quickly once they've decided they want someone. They're realistic about what skills can be trained and what can't. They pay properly for scarce expertise. And they invest in the process rather than hoping the right CV will walk through the door.

The salary pressure

Robert Half's research found that 44% of UK employers believe cybersecurity experts will only be attracted through higher pay. That's a blunt statement, but it's not wrong. Entry-level analyst salaries now typically start between £30,000 and £35,000. Experienced senior analysts and architects can command well over six figures. CISOs and senior security leaders in London or the South East can exceed £200,000 for the right role.

If you're benchmarking your packages against data that's more than 12 months old, you're almost certainly undercutting the market. The pace of salary movement in cybersecurity has been one of the fastest in UK technology recruitment over the past three years.

The diversity problem

One of the more concerning trends in recent data is that the cybersecurity workforce is becoming less diverse, not more. The proportion of women in the UK cyber sector has fallen from around 23.8% in December 2021 to 17.5% in early 2024, with only 14% of senior roles held by women. This matters for two reasons. The first is the obvious one: fairness. The second is practical. If you're competing for talent in a market with a structural shortage, cutting off half the population from your pipeline isn't a strategy that works.

In a candidate-short market, the businesses that widen their talent pool through better hiring practices, clearer job descriptions, and more inclusive processes consistently outperform those that don't.

The retention question

Hiring is only half the problem. Keeping experienced cybersecurity professionals is just as important, and in many cases harder. The strain on security teams is real: a third of Firebrand's respondents reported increased pressure on internal IT and security teams after a breach, which leads directly to attrition, burnout, and the loss of institutional knowledge.

Retention strategies that work tend to combine competitive pay with something more: genuine investment in training, clear progression pathways, protected time for research and learning, and the autonomy to actually do the job properly. The businesses that see the lowest turnover are the ones that treat their security teams as strategic capability rather than back-office overhead.

How to Hire in This Market

There's no silver bullet for the cybersecurity skills shortage. But there are things that work, and things that don't, and it's worth being clear about which is which.

Be specific about what you need

Generic cybersecurity job descriptions are one of the biggest self-inflicted wounds in this market. When you list 15 different tools, five frameworks, and 10 years of experience for a mid-level role, you either get no applications or you get applications from people who are stretching the truth. Neither outcome is useful.

The most effective briefs focus on what the role actually needs to do. What are the two or three things this person must be able to do on day one? What can be learned on the job? What's a nice-to-have that won't break the deal? Clarity on those three questions changes the quality of your shortlist more than any other single factor.

Distinguish between skills that can be trained and skills that can't

Technical certifications (CISSP, CISM, OSCP, and the rest) are learnable. So are specific tools and platforms. What's harder to train is judgement: knowing when a system is behaving oddly, knowing when an incident is serious, knowing how to communicate with non-technical stakeholders under pressure. These are the skills that take years of real-world experience to develop, and they're what you should really be screening for in senior hires.

For junior and mid-level roles, the opposite is true. Hire for aptitude, curiosity, and fundamentals. Train the specific tooling.

Take passive candidates seriously

The best cybersecurity professionals are almost always in a job already. They aren't on the job boards, and they aren't necessarily responding to generic approaches on LinkedIn. Reaching them takes time, patience, and a credible proposition. This is where specialist recruitment partners earn their keep: not by sending CVs, but by having the relationships and the context to have a real conversation with someone who isn't actively looking.

Move quickly when you find the right person

In a candidate-short market, slow hiring processes are the single biggest killer of good hires. If you're taking four weeks between first interview and offer, the best candidates will be gone. Tighten your process, make your decisions faster, and empower your hiring managers to move when they find someone they want.

Don't underestimate contract and interim

For businesses that need specialist cybersecurity capability immediately, contract and interim hires can be a quicker route to the right expertise than trying to build it permanently. Robert Half's research found that 36% of UK employers are turning to contract professionals to fill urgent technology positions. The rates are higher, but the speed and flexibility are worth it for the right situation.

How We Can Help

The ONE Group's technology division recruits across the full cybersecurity function: from security analysts and SOC teams through to architects, penetration testers, GRC specialists, and CISOs. We work with businesses across the UK, and our networks extend internationally where clients need us to reach further.

What we offer clients hiring in this space:

  • Specialist market knowledge. Our consultants focus exclusively on technology recruitment. We know the market, we know the salary pressures, and we know the difference between a good CV and a good hire.
  • Access to passive candidates. Most of the best cybersecurity professionals aren't actively looking. We've spent years building the relationships that let us have credible conversations with them.
  • Consultative support. Salary benchmarking, market mapping, role framing, and advice on what's realistic versus what isn't. We'd rather give you honest feedback than send you a shortlist that doesn't fit.
  • Permanent and contract. We recruit across both markets, and we can help you work out which approach fits your situation best.
  • National and international reach. While our offices are based across the East of England and the East Midlands, we recruit across the UK and overseas. If you're hiring somewhere we haven't mentioned, the conversation is still worth having.

If any of the themes in this paper sound familiar, we'd welcome the chance to talk. Whether you're trying to fill a specific role, reviewing your approach to cybersecurity hiring more broadly, or just want a second opinion on the market, our specialists are here to help.

Contact us at theonegroup.co.uk | 01733 234000 | hello@theonegroup.co.uk

Sources

  • Department for Science, Innovation and Technology, Cyber Security Skills in the UK Labour Market 2025 (covering the 2024 calendar year)
  • Department for Science, Innovation and Technology and Home Office, Cyber Security Breaches Survey 2025
  • Firebrand Training, Closing the UK Cybersecurity Skills Gap in 2026
  • ISC2, Cybersecurity Workforce Study 2025
  • Robert Half, UK Salary Guide and Recruitment Trends 2025
  • Office for National Statistics, Annual Population Survey
  • Pinsent Masons, analysis of the UK cyber security skills gap
  • Computer Weekly, analysis of UK cyber skills data
  • Infosecurity Magazine, ongoing coverage of UK cybersecurity workforce research