1. Key insights for building a skilled cyber security workforce

Cyber security breaches continue to significantly threaten governments, businesses and individuals worldwide. As economies shift to digital and online models, threats can quickly outpace traditional approaches to data security. From supply chain disruptions to ransomware attacks, cybercriminals have become increasingly sophisticated and the threat landscape more diverse. The estimated economic cost of information and technology asset security breaches in 2020 was a staggering USD 4-6 trillion, equivalent to about 4-6% of the global GDP (UNCDF, 2022[1]). The United Kingdom and the United States have experienced the most significant cyber attacks1 over the last two decades (Specops, 2021[2]).

A workforce shortage compounds these cyber security challenges. While the cyber security workforce has reached an all-time high, with an estimated 4.7 million professionals, a global shortage of 3.4 million workers is found in this field (ISC2, 2022[3]). The cyber security workforce is growing rapidly but still needs to catch up with the growing demand for workers in this sector. In the United States alone, there were more than 700 000 unfilled cyber security jobs in 2021 (Cybersecurity Ventures, 2021[4]). In fact, the labour shortage in the sector keeps growing: the global cyber security workforce gap has grown more than twice as strong as the workforce. The United Kingdom and Australia, together with France and Spain, are among the countries with the most substantial increase in the cyber security workforce gap between 2019 and 20212 (ISC2, 2022[3]).

The cyber security workforce faces a lack of diversity. Women represent only 24% of the global cyber security workforce (ISC2, 2022[3]). In the United Kingdom, women represent 36% of the cyber security workforce, and they are more likely than men to hold non-technical roles, such as compliance and risk assessment (NCSC & KPMG, 2021[5]). This gender gap not only highlights the need for greater equity in the industry but also presents a business imperative. By recruiting and retaining more women in the field, organisations can tap into a larger pool of potential talent and help to fill the shortage of skilled professionals in the industry.

Developing strategies and policies to prepare the workforce with the right cyber security skills is imperative, especially in the context of high cyber security workforce shortages. Cyber security professionals are crucial in safeguarding government and organisations’ operations, sensitive information and digital resources. Cyber security professionals with the right set of skills improve organisations’ capability to respond to threats affecting companies’ productivity, adaptability to hostile environments, and further technological and digital adoption (Andrews, Nicoletti and Timiliotis, 2018[6]). Organisations seek cyber security talents to make the workplace more productive, efficient, and effective.

Strengthening the cyber security workforce requires co-ordinated action by international institutions, governments, enterprises, civil society, and individuals to train the workforce with the fast-evolving skills needed. Joint efforts from the private and public sectors have been taken, for example, through the development of cyber security skills strategies and skills frameworks. For instance, the United Kingdom and the United States Governments have established national cyber security strategies to align all the relevant stakeholders, increase the safety and resiliency of countries and overcome cyber security challenges, including the cyber security skill gaps (Box 1.1). Similarly, governments have established national cyber security centres to facilitate collaborations and information-sharing on cyber security and improve cyber security capabilities. For instance, the Australian Cyber Security Centre (ASCS) leads the government’s efforts in strengthening national cyber security, including providing information and support to households and companies on becoming more resilient to cyber attacks and preparing the labour force with cyber security skills.

Understanding what is happening on the supply and demand side of cyber security skills is a crucial first step to tackling skill shortages in the cyber security sector. This information can help organisations and governments identify the areas where they are most vulnerable and need additional resources. The information in job postings allows to uncover trends in demand for cyber security professionals and identify the skills currently essential for creating a cyber-safe organisational environment. At the same time, studying the provision of cyber security education and training programmes provides insights into how the labour force in this field is being developed.

This report is the first of a broader project to expand the knowledge on the cyber security workforce and associated education and training provision across multiple regions and countries (see Box 1.2). Each report is divided into two parts, one focusing on the demand for cyber security professionals and one looking at the landscape of cyber security education and training programmes:

  • The demand-side analysis uses big data to study job postings for cyber security professionals, looking at the volume and content of the postings to uncover trends and detailed characteristics of employer demand. This first report analyses the demand for cyber security professionals in five countries: Australia, Canada, New Zealand, the United Kingdom and the United States.

  • The supply-side analysis zooms in on cyber security education and training programmes and the policies and strategies implemented to expand and diversify the cyber security workforce. Each report focuses on one case study country for this supply-side analysis. For this report, England (the United Kingdom) is the country selected.

As such, the objective of this first report is to provide a comparative analysis of the demand in the five selected countries, looking at the evolution and characteristics of the cyber security profession, and through the English study case, look in-depth into what types of education and training programmes can prepare workers for cyber security roles and the policies that can contribute to making the profession more attractive and diverse.

To analyse the demand for cyber security professionals in a timely and detailed manner, this report uses data extracted from nearly 400 million online job postings collected from the five selected countries (Australia, Canada, New Zealand, the United Kingdom and the United States). Increasingly so, research on labour market dynamics relies on real-time big data to better capture recent trends and gain insights at a more granular level than is possible with more traditional data.

In particular, this report uses this high quantity of data points to analyse the main trends in demand for cyber security professionals from January 2012 to June 2022. Moreover, it leverages the texts contained in job postings to characterise the professional profile typically requested by enterprises, including a particular focus on the skills, competencies and abilities most relevant for the cyber security profession in each country.

The types of cyber security education and training programmes available and their design differ strongly between countries, as do the policies and initiatives to make these programmes accessible and attractive. To provide insights into how education and training for cyber security roles can be developed, delivered and promoted, this report focuses on one particular country – England (the United Kingdom). The purpose of presenting a dedicated case study is to provide a detailed description of programmes, policies and initiatives that could serve as inspiration for other countries developing their cyber security education and training sector. The English case looks at the landscape of cyber security programmes, focusing on professionally-oriented formal education programmes at the undergraduate level or below and non-formal programmes (e.g. bootcamps). The case study also looks into the policies and strategies aimed at expanding the cyber security workforce in England, especially those that facilitate access to cyber security education and training programmes for newcomers in the field. The case study analysis builds on national data and literature, as well as insights gathered from interviews with various key stakeholders in the English education and training and cyber security sectors.

The demand for cyber security professionals shows a robust and increasing trend in all countries, especially during the period following the COVID-19 pandemic. Overall, the number of online job postings (OJPs) seeking cyber security professionals in the first half of 2022 was nearly five times larger than at the beginning of 2012 and twice as large than at the end of 2019 (Figure 1.2). Consequently, the share of cyber security job adverts over the total amount of online job postings has increased in all five countries. Results also show that smaller markets for cyber security professionals, such as New Zealand, have shown more robust growth than more developed markets, such as the United States, suggesting that the cyber security demand is expanding fast across countries.

The demand for cyber security professionals is heterogeneous. Among different job roles, cyber security architects and engineers (those professionals in charge of designing and modelling security solutions) stand at the core of the demand for cyber security professionals and have recorded the highest share of new online job postings (37%), as well as the fastest growth in demand between 2012 and 2022. Cyber security analysts (who provide insights to support planning, operations and maintenance of systems security) also represent a large share of OJPs in the cyber security landscape (26%), with robust growth in Australia and New Zealand.

Most of the OJPs in the cyber security job market are for jobs in main urban areas where major enterprises and government headquarters are located. In Canada, for instance, 40% of the job postings advertised between January 2012 and June 2022 were for jobs based in Toronto, followed by Ottawa accounting for only 9% of the total demand. In the United Kingdom, London accounted for 38% of job postings searching for cyber security professionals, while postings for cyber experts located in Manchester only accounted for 5% of the total OJPs. However, the geographical concentration of cyber security OJPs in those areas has recently decreased. London’s share, for instance, decreased 10 percentage points from 41% in 2012 to 31% in 2021. This trend suggests that, as the digital transformation spreads to diverse economic activities throughout different geographies, the demand for cyber security professionals is also spreading out geographically.

An analysis of enterprises’ requirements shows that a typical candidate for a cyber security job needs a bachelor’s degree and more than three years of experience. As such, data from OJPs suggest little space for younger and more inexperienced profiles to find cyber security positions. This is likely to contribute to broadening the workforce gap in the sector and policy initiatives are needed to boost the school-to-work transition of youth moving into cyber security roles.

The rapid adoption of new digital technologies is reshaping the skills enterprises demand from cyber security professionals. Data for 2021 indicates that, among others, the knowledge of cyber security-related frameworks (i.e. resources for the design and implementation of security systems) and “threat assessment” skills are highly relevant for the profession. Over time, new technologies are emerging, and they are increasingly mentioned as key requirements in OJPs for cyber security professionals. For example, in the period between 2019 and 2022, the mentions of cloud computing platforms in cyber security job postings have increased 60 times compared to the period in between 2012 and 2018. Similarly, the demand for specialised software for application virtualisation increased 30 times over the same time span. The demand for technologies in the cyber security space is expected to keep changing as new digital resources, and threats, keep emerging.

On the demand side, the case study for England shows that there can be various education and training pathways into cyber security roles, with opportunities for progression (see Figure 1.3). The English further and higher education system provides multiple cyber security training programmes that lead to formal qualifications, including at the short-cycle tertiary level (or higher technical education) and bachelor’s level. Enrolment in cyber security programmes in further and higher has been on the rise, but still remains relatively limited. Learners can also develop basic cyber security skills at lower levels of education, including through cyber security modules integrated into broader programmes. These education and training opportunities include classroom-based programmes, as well as apprenticeship opportunities in cyber security at various education levels – allowing learners to develop skills on the job.

Complementing these formal cyber security qualifications, young people and adults in England can also participate in non-formal training. Such non-formal training is usually shorter and more flexible than programmes in the formal system. Bootcamps are one type of non-formal training available in the cyber security field that the Department for Education (DfE) and private training providers can offer. Particularly, the DfE offers Skills Bootcamps programmes fully funded by the government. The Skills Bootcamps are flexible courses of up to 16 weeks to build sector-specific skills and fast-track a job interview with a local employer. In 2022, 890 digital Skills Bootcamps have been offered of which 77 were in cyber security, with further expansion planned in the coming years. While bootcamps are typically too short to prepare someone without a background in information technology to become a fully skilled cyber security professional, they provide opportunities for those with some relevant experience to specialise in cyber security and for those without experience to take their first steps in a more extended cyber security training pathway. Multiple online courses are also part of the non-formal supply in the digital field. In cyber security, almost 6 000 courses were offered among the most popular e-learning platforms in the United Kingdom.3

Cyber security is a rapidly growing profession in England, but unfortunately, it suffers from a lack of diversity. Only 22% of the cyber security workforce is made up of women, dropping to 13% when looking at senior cyber security roles (DCMS, 2022[12]). According to data from the UK Government, only 18% of students enrolled in computer science courses at universities and colleges are women. The lack of gender diversity in cyber security can be attributed to various factors, such as a lack of female role models, unconscious bias during recruitment, and a general lack of awareness of the opportunities available in the industry. It is crucial to address this issue to ensure that the cyber security profession is more representative of the population it serves, and to benefit from the diverse perspectives and ideas that a more inclusive workforce can bring.

Multiple policies and strategies have been implemented in England to expand and diversify the cyber security workforce in an effort to attract young and adult learners from different backgrounds to the field. Efforts have been focused on providing clear information about cyber security education and training and careers and guidance on how to engage with the distinct learning pathways available to pursue a career in the field. Similarly, financial incentives and subsidies have been provided to increase participation in cyber security education and training, especially targeting the most disadvantaged young people and adults. In particular, multiple initiatives have been put in place to expand women’s representation in cyber security and address skill needs by providing learning experiences and information focused on overcoming gender stereotypes. The government has also played an essential role in facilitating the interaction between the education sector and the world of work so that the education and training provision is more aligned with the concrete needs of the cyber security sector both nationally and regionally. Initiatives have been implemented to encourage companies to offer cyber security apprenticeship opportunities and provide support in delivering them. Box 1.3 provides examples of interesting practices in England, which are further documented in Chapter 3.

Analysing the demand for cyber security professionals in Australia, Canada, New Zealand, the United Kingdom and the United States and the case study on cyber security education and training in England highlight opportunities to tackle shortages in the sector. These includes:

  • The cyber security profession has diverse roles, facing different demand and requiring different skill sets. The demand also differs between geographical areas. Moreover, as cyber threats rapidly evolve, the skills and technologies required to fulfil security needs constantly change. Employers, as well as education and training providers, need to have a good understanding of these different roles and their skill demands to reduce labour market mismatches. As such, solid skills intelligence needs to be produced and disseminated across the various labour market and education actors.

  • As numerous cyber security career options are available in various industries, this requires supporting students to navigate them. Effective career guidance enables people to develop informed, critical perspectives about the relationship between education and employment in the sector. This is especially relevant for newcomers in the field who may find it hard to understand the entry requirements and the competencies needed.

  • Raising awareness of cyber security careers should start early to create a pipeline of talent and break possible misconceptions and stereotypes about the sector. Particular efforts are needed to diversify the workforce. Career guidance is crucial, as are programmes targeting underrepresented groups that incorporate particular efforts to tackle barriers commonly faced.

  • Making cyber security education and training more attractive and accessible for women can help address their significant underrepresentation in the industry and simultaneously fill the workforce needed. Role models in industry and policy making can contribute to breaking gender stereotypes and broaden perspectives and aspirations of girls and women.

  • Cyber security training should be available at various levels, consistent with the multiple existing roles. Formal and non-formal programmes can complement each other. Moreover, clear progression pathways between the programmes should exist.

  • The demand for cyber security professionals is no longer concentrated in a few hubs, and increasingly employers outside of these usual hubs are hiring cyber security professionals. Young people and adults should have easy access to cyber security education and training – irrespective of where they live. Online training programmes are valuable in this regard.

  • Developing cyber security technical skills demands strong foundations in digital skills. This requires that young people and adults, especially the most disadvantaged, should have opportunities to develop essential digital skills before engaging in any cyber security-specific training.

  • Skill requirements in cyber security evolve rapidly, and formal education may struggle to provide individuals with the sector-specific skills required in a changing labour market. Skill-based recruitment (which promotes hiring workers based on skills instead of degree requirements) can reduce entry barriers for younger and less experienced individuals while closing the workforce gap in the sector.

  • Employer engagement in the design of cyber security programmes is crucial to ensure that they reflect the needs of the labour market. In order to expand provision and respond to cyber security skills needs beyond the technology sector, stronger links between the education sector and firms in non-technological industries such as financial services and advanced manufacturing should be developed – including with small and medium-sized enterprises.

  • Apprenticeship can be a valuable training form in this sector, especially when apprenticeship standards are co-designed with employers and the quality of work-based learning is guaranteed. Apprenticeships can be delivered at various levels, aligned with the diversity in cyber security roles.

  • Short non-formal programmes that are designed with employers have the ability to respond quickly to changing skill needs in the cyber security sector. However, such short programmes might not be sufficient to develop the required knowledge and skills for specific roles. As such, to improve the relevancy of education, these programmes should be better linked to the cyber security roles they target and should exist at various levels to provide clear career pathways.

  • Bringing employers from different sectors and other relevant stakeholders together is key for developing cyber security skills strategies, as it helps to identify common challenges and opportunities and strengthen collaboration between the private sector, education and training providers, governments and social actors. Cyber security skills strategies can set a roadmap to design comprehensive cyber security workforce development policies beyond policies targeting only the education and training system.

  • Information on teacher shortages by sector is typically not readily available. To enhance cyber security training provision, comprehensive data on teachers should be collected regularly and systematically to understand teachers’ shortages in the field.

  • Ensuring a high quality of cyber security education and training is imperative to generate a skilled workforce and improve organisations’ cyber security capabilities. Certification mechanisms for education and training programmes or providers can help students and employers recognise quality approved institutions/programmes and strong graduates in the cyber security field.

Box 1.3 highlights interesting practices put in place in England aimed at expanding and diversifying the cyber security workforce.

References

[6] Andrews, D., G. Nicoletti and C. Timiliotis (2018), “Digital technology diffusion: A matter of capabilities, incentives or both?”, OECD Economics Department Working Papers, No. 1476, OECD Publishing, Paris, https://doi.org/10.1787/7c542c16-en.

[4] Cybersecurity Ventures (2021), Cybersecurity Jobs Report: 3.5 Million Openings In 2025, https://cybersecurityventures.com/jobs/.

[12] DCMS (2022), Cyber security skills in the UK labour market 2022, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1072767/Cyber_security_skills_in_the_UK_labour_market_2022_-_findings_report.pdf.

[8] DCMS (2018), National Cyber Security Skills Strategy: increasing the UK’s cyber security capability, https://www.gov.uk/government/publications/cyber-security-skills-strategy/initial-national-cyber-security-skills-strategy-increasing-the-uks-cyber-security-capability-a-call-for-views.

[15] Department for Education (2022), Skills for life, skill bootcamps, https://skillsforlife.campaign.gov.uk/courses/skills-bootcamps/.

[13] Find Apprenticeships (2022), Cyber security apprenticeship, https://www.findapprenticeships.co.uk/cyber-security-apprenticeships/.

[3] ISC2 (2022), ISC2 cybersecurity workforce study, https://www.isc2.org//-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx.

[17] NCSC (2023), NCSC certification, https://www.ncsc.gov.uk/section/products-services/ncsc-certification.

[14] NCSC (2022), CyberFirst overview, https://www.ncsc.gov.uk/cyberfirst/overview.

[5] NCSC & KPMG (2021), Decrypting diversity: Diversity and inclusion in cyber security, https://www.ncsc.gov.uk/files/KPMG-and-the-NCSC-Decrypting-Diversity-2021-report.pdf.

[7] Neto, I., M. Obiso and M. Baayen (2022), How tailored national cybersecurity strategies enable safe, inclusive and sustainable digital development, https://blogs.worldbank.org/digital-development/how-tailored-national-cybersecurity-strategies-enable-safe-inclusive-and.

[10] NIST (2022), National Initiative for cybersecurity Education (NICE), https://www.nist.gov/itl/applied-cybersecurity/nice/nice-framework-resource-center.

[11] Public Safety (2018), National Cyber Security Strategy - Canada’s vision for security and prosperity in the digital age, https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/ntnl-cbr-scrt-strtg-en.pdf.

[2] Specops (2021), The countries experiencing the most ‘significant’ cyber-attacks, https://specopssoft.com/blog/countries-experiencing-significant-cyber-attacks/.

[9] The White House (2019), Executive Order on America’s Cybersecurity Workforce, https://trumpwhitehouse.archives.gov/presidential-actions/executive-order-americas-cybersecurity-workforce/.

[16] UK Cyber Security Council (2022), Cyber security career pathways. Routes into and through the profession, https://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/.

[1] UNCDF (2022), The role of cyber security and data security in the digital economy, https://static1.squarespace.com/static/5f2d7a54b7f75718fa4d2eef/t/62082f066a25c62651a9ae40/1644703527175/EN-UNCDF-Brief-CyberSecurity-2022.pdf.

Notes

← 1. Significant cyber attacks refer to any cyber attacks on a country’s government agencies, defence and high tech companies, or economic crimes equating to loss of more than 1 million USD.

← 2. Among 16 countries for which the cyber security workforce gap was estimated.

← 3. Courses available at the moment of the search in September 2022 in Coursera, EdX, LinkedIn Learning, Udemy, FutureLearn and Skillshare.

Disclaimers

This work is published under the responsibility of the Secretary-General of the OECD. The opinions expressed and arguments employed herein do not necessarily reflect the official views of the Member countries of the OECD.

This document, as well as any data and map included herein, are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area.

The statistical data for Israel are supplied by and under the responsibility of the relevant Israeli authorities. The use of such data by the OECD is without prejudice to the status of the Golan Heights, East Jerusalem and Israeli settlements in the West Bank under the terms of international law.

Photo credits: Cover © vs148/Shutterstock.com.

Corrigenda to publications may be found on line at: www.oecd.org/about/publishing/corrigenda.htm.

© OECD 2023

The use of this work, whether digital or print, is governed by the Terms and Conditions to be found at https://www.oecd.org/termsandconditions.