Title page
Contents
Summary
1. Introduction
1.1. Summary of the methodology
1.2. Differences from previous research on this topic
1.3. Interpretation of findings
1.4. Acknowledgements
2. What are cyber security skills?
2.1. Cyber security as a wide-ranging discipline
2.2. Technical cyber security skills
2.3. Soft and intangible skills
2.4. A broad categorisation and definition of cyber security skills
2.5. What cyber security skills are considered more or less important?
3. Who works in cyber security roles?
3.1. Size of cyber teams
3.2. Career pathways into cyber security roles
3.3. How formalised are cyber security roles?
3.4. Seniority of those in charge of cyber security
3.5. Qualifications of those in cyber security roles
3.6. Is there an agreed definition of a "cyber security professional"?
4. Current skills and skills gaps
4.1. Basic technical skills and knowledge
4.2. High-level technical skills
4.3. What types of organisations have greater technical skills gaps?
4.4. Incident response
4.5. Management and communication skills of those working in cyber security roles
4.6. Cyber security skills at the board level
4.7. Cyber security skills among wider staff
5. Recruitment
5.1. Recruitment activity
5.2. Barriers to recruitment
5.3. Approaches to recruitment
5.4. Diversity in cyber security
6. Training and upskilling
6.1. Which organisations are looking into cyber security training?
6.2. Barriers to finding cyber security training
6.3. Training undertaken
7. Outsourcing cyber security
7.1. What aspects of cyber security do organisations outsource?
7.2. Reasons behind outsourcing decisions
7.3. Choosing providers
7.4. Dealing with external cyber security providers
8. Conclusions and recommendations
References
Figure 2.1. Perceived importance of various skills areas for those working in cyber security roles
Figure 3.1. Percentages of those in cyber security roles within organisations (excluding external cyber security providers) who enter the role through particular routes
Figure 3.2. Whether the cyber security role is included in job descriptions
Figure 3.3. Extent to which the cyber security role could be covered when the lead individual is absent
Figure 3.4. Seniority of the individuals most in charge of cyber security
Figure 4.1. Overall confidence in performing basic cyber security tasks
Figure 4.2. Proportion very confident in performing basic cyber security tasks
Figure 4.3. Overall confidence in performing high-level cyber security tasks
Figure 4.4. Overall confidence in performing high-level cyber security tasks, in businesses that consider these skills to be essential
Figure 4.5. Basic technical skills gap by sector
Figure 4.6. High-level technical skills gap by sector
Figure 4.7. Overall confidence in dealing with a cyber security breach or attack
Figure 4.8. Overall confidence in communicating cyber security risks and guidance
Figure 4.9. Self-reported understanding of compliance requirements and wider impact of cyber security
Figure 4.10. Overall confidence in documenting cyber risks and planning how the organisation responds
Figure 4.11. Perceived understanding of cyber security and data protection among senior managers
Figure 4.12. Perceived understanding of cyber security among wider non-specialist staff
Figure 4.13. Perceived understanding of cyber security among wider non-specialist staff, in businesses that have carried out cyber security training with these staff
Figure 6.1. Whether sought out cyber security training in the last 12 months
Figure 6.2. Barriers to finding training for those in cyber security roles
Figure 6.3. Barriers to finding training for non-specialist staff
Figure 6.4. Whether undertaken cyber security training in the last 12 months
Figure 6.5. Whether undertaken training for cyber security staff by sector
Figure 6.6. Format of training undertaken
Figure 6.7. Effectiveness of training for those in cyber security roles
Figure 6.8. Effectiveness of training for employees not involved in cyber security
Figure 7.1. Extent to which organisations outsource cyber security
Figure 7.2. Specific cyber security functions that organisations outsource
Figure 7.3. Breakdown of the high-level cyber security functions that organisations outsource
Figure 7.4. Confidence in dealing with external cyber security providers