3. The landscape of cyber security education and training programmes: The case of England (United Kingdom)

Chapter 1 highlights the strong and growing demand for cyber security professionals. The volume of Online Job Postings (OJPs) in this field has increased substantially in Australia, Canada, New Zealand, United Kingdom and the United States as remote working has been expanding and a broader range of digital technologies has been adopted, especially since the COVID-19 pandemic. When this growing demand for cyber security professionals is not met with a sufficient supply of trained workers for the field, this results in shortages that can potentially lead to cyber security threads. Shortages are already observed today, with research by (ISC)² (2022[1]) showing that the workforce gap for the five countries included in this study is among the highest in the world, especially in the United Kingdom.

Education and training to develop the right cyber security skills are therefore crucial to tackle shortages and avoid cyber security risks. This chapter zooms in on the case of England (United Kingdom) to provide an overview of its education and training programmes in the cyber security field and related policies. As in the rest of the world, the United Kingdom’s society has become increasingly digital. Cyber security has become a priority, including the need for a skilled cyber security workforce. The number of cyber attacks is outstripping defence capabilities in the United Kingdom, and cyber security threats are growing both in number and sophistication – it is estimated that around 43% of businesses in the United Kingdom experienced a cyber security breach or attack in the last 12 months (2018-19) (CISCO, 2019[2]). Consequently, the share of job postings seeking cyber security professionals has increased considerably in the last decade in the United Kingdom, almost doubling in the last ten years (see Chapter 1). However, more than half of cyber security-related jobs in the country have been reported to be unfilled (CISCO, 2019[2]).

Cyber security skill shortages may reflect the limitations of education and training systems to provide cyber security programmes that prepare the professionals needed in the sector, as well as the absence of policies to encourage the supply of high-quality courses in this field and to promote them among young people and adults. Moreover, the current training provision may need more flexibility to respond to rapidly changing skills needs in the sector and to be accessible to a diverse group of learners. Engaging employers in the design and delivery of programmes is crucial to ensure their content is aligned with the needs of the labour market. Ensuring prospective learners understand the cyber security field and that the pathways into cyber security careers are clear and easy to access is important to attract learners from various backgrounds. Making the cyber security profession more attractive for women can help address their significant underrepresentation in the industry and simultaneously fill the workforce need. Common barriers to participating in cyber security education and training include a lack of basic digital skills for carrying out further and higher education in the field, as well as financial and non-financial barriers to engaging with learning opportunities, especially those related to STEM fields (Malcom and Feder, 2016[3]; Houston et al., 2022[4]).

This chapter provides an overview of the supply of cyber security education and training programmes in England. The chapter describes strategies and policies implemented to expand the supply of cyber security education and training and to encourage greater participation in these programmes. Special attention is given to initiatives that seek to increase the diversity of the profession and promote access for people from disadvantaged backgrounds. It also looks at strategies that encourage employers to participate in the design and delivery of learning opportunities in cyber security and initiatives to foster quality training. This chapter leverages information collected from interviews with relevant stakeholders in the cyber security sector, including training providers and different government bodies.

In England, the provision of education and training programmes for developing cyber security skills for entry-level jobs (i.e. a job that typically does not require advanced levels of education and training in the field or many years of relevant work experience) takes multiple forms. Training programmes in this field can be offered through formal and non-formal education and training. Formal education, which leads to formal qualifications such as bachelor’s degrees, includes courses and programmes offered by Further Education (FE) and Higher Education (HE) institutions. For this study, programmes at the Master’s level and above are excluded from the analysis (see Box 3.1). Non-formal education and training includes courses outside the formal education system and not leading to a formal qualification but awarding certificates in some cases or, as in bootcamps, leading to a new job outcome.

Depending on where the training takes place, cyber security education and training programmes in England can be classified into work- and classroom-based (see Figure 3.1). Within formal education, the first group includes all the programmes with significant on-the-job training. The training content is typically employer-led, and the on-the-job training is complemented by learning activities offered by a college, university or other training providers. Programmes within this group include apprenticeships.

The second group of programmes are predominantly delivered in school-based settings (including online provision), although they may include some short work placements. In the cyber security field, this group encompasses Level 3 Qualifications,1 T-Levels,2 Higher Technical Qualifications (HTQ),3 and bachelor’s programmes. More details about these programme types are provided in the remainder of this section.

The diversity in cyber security education and training in terms of qualifications, levels and providers allows learners to find the most suitable training for their learning needs. For example, learners with limited background in information and communication technology (ICT) can enrol in introductory training programmes in cyber security – offered mostly at Level 3 (equivalent to ISCED 3, i.e. upper-secondary education) but also including several programmes at Level 2 (equivalent to ISCED 3)4 in the ICT field that provide students with the foundations for engaging in more field-specific training in cyber security. In some cases, cyber security courses may include modules on basic digital skills relevant for progressing into the more advanced parts of the training. For more experienced learners, higher technical qualifications and higher education degrees at Levels 4 to 6 (equivalent to ISCED Levels 5 and 6, i.e. short-cycle tertiary education and bachelor’s programmes) provide various options for developing advanced cyber security skills.

Non-formal education programmes are also part of students’ options to engage in cyber security education and training. Bootcamps, for instance, are flexible courses of up to few weeks or few months, which can be offered by public or private training providers. The Department for Education offers Skills Bootcamps which can be fully funded by the government (these bootcamps supported by the Department for Education are referred to as “Skills Bootcamps” in the remainder of the chapter). These courses provide students with knowledge and skills currently relevant to priority sectors.

Figure 3.2 shows an overview of the provision of cyber security education and training in England, including formal education and training and Skills Bootcamps (non-formal). In 2022, around 890 Skills Bootcamps in digital skills were available, of which 77 were in cyber security (Department for Education, 2022[5]). Two of the 26 apprenticeship standards in digital occupations are specifically for cyber security. Level 3 and T-level qualifications in digital all include cyber security subjects in the core. Various HTQs and Bachelor’s degrees have cyber security content or a cyber security specialisation.

Formal education and training programmes in the cyber security field include higher education programmes (HE) and further education (FE) programmes. FE includes any study after secondary education (post-16) that is not part of higher education (not taken as part of an undergraduate or graduate degree). FE programmes typically equip young people and adults with skills and qualifications that are immediately relevant for the labour market but also allow studying at higher education levels (including higher levels of FE and higher education). Especially in cyber security, FE’s role focuses on providing building blocks for more advanced programmes. Provided that learners have relevant foundational skills, they can progress throughout a cyber security training pathway, allowing them to engage with more complex issues and topics.

FE and HE institutions are essential in providing ICT education and training programmes. According to the Department for Education, there are 510 formal education and training providers in ICT, including FE colleges and HE institutions (Department for Education, 2022[9]). There are 226 different qualifications available in ICT, of which 89 are related to ‘ICT practitioners’ (i.e. a set of programmes within the ICT field providing practical knowledge, skills, capabilities and competencies on information technology, including cyber security)5 – including six that indicate having cyber security in the title. As shown in Figure 3.3, the total number of ‘ICT practitioner’ programmes offered across FE and HE providers amounts to around 2 000, of which only about 120 are in cyber security. The number of cyber security training programmes offered across institutions has slightly decreased compared to 2013-14, but enrolment went up (see next section). One possible explanation is the diversification of training. More and more formal and non-formal education institutions offer non-formal cyber security training, such as bootcamps, which may be correlated with the reduction of formal cyber security training (see below). Moreover, cyber security subjects may be included in broader fields such as computer science or network without being indicated in the programme’s title or qualification.

Cyber security training at Levels 2 and 3 in FE is typically an introduction to the cyber security field.6 Level 2 courses tend to be generalist in ICT or digital skills. but they include some elements of cyber security in the core content more focused on cyber awareness and cyber security and e-safety. However, some Level 2 courses dedicated to cyber security foundations exist. At Level 2 cyber awareness courses provide the learner with an introduction to cyber security covering areas such as computer systems and the impact of cyber security, information technology for business and the internet of everything, impact of cyber security in the business environment. Since 2020, the number of Level 2 courses in digital skills has increased, expanding students’ chances to engage with cyber security foundational training at an earlier stage (Department for Education, 2022[9]). Figure 3.4 shows a relatively large and growing number of learners in ICT practitioners programmes at that level. Level 3 courses are a common starting point for students to engage with cyber security training within the FE sector. There are a range of quals covering networking and cyber security in a more in depth and focussed way, offering the opportunity to cover areas such as applying networking and cyber security projects, and looking at issues around cloud based solutions, security solutions and surveillance software. These courses are subject-based qualifications equivalent to Advanced level qualifications (A-levels), generally taken after students finish their General Certificate of Secondary Education (GCSE). These courses provide young people and adults with the capabilities needed to be successful in the labour market or go on to study at a higher FE level or the HE level, for example, to pursue a degree at a university in a cyber security-related field.

Table 3.2 shows a sample of the FE programmes for students at Levels 2 and 3. Most Level 2 and 3 programmes offer an “introduction”, “principles”, or “essentials” of cyber security, indicating that learners will develop foundational knowledge in the field. There are also a considerable number of Level 2 and 3 qualification courses that include cyber security as a module (e.g. computer science) (DCMS, 2019[7]), since programmes at these levels are typically meant to be broader and less specialised.

Introductory cyber security skills are also developed within T-level programmes. T-levels are two-year, career-focused qualifications and one of a number of post-16 education options in England, alongside A-levels and apprenticeships. T-level students spend 80% of the course in their learning environment, gaining the skills that employers need. The other 20% is a meaningful industry placement, where they put these skills into action (Department for Education, 2023[10]). T-levels are available at selected colleges, schools and other providers across England. The courses are usually developed in collaboration with employers and education providers, so the content meets the needs of industry and prepares students for entry into skilled employment or further learning (including apprenticeships or programmes in further or higher education). T-levels are relatively new in the English education system. In 2023, there are over 20 T-level subjects and more being rolled-out in future years. There are three Digital T-levels available “digital business services”, “digital production, design and development”, and “digital support services”. The digital support services T Level includes technical aspects of internet security, digital environment and cloud environments and security testing software as part of the core content. Career options upon completion might include becoming an infrastructure technician or a role in IT security support (HM Government, 2022[11]).

Higher technical education allows learners to develop cyber security skills at more advanced levels (Levels 4 and 5, equivalent to ISCED 5). As shown above, enrolment in Level 4 and 5 ICT programmes in FE is relatively low. In 2020, the DfE approved the higher technical education reform to improve the quality and labour-responsiveness of higher technical education (Department for Education, 2020[12]). As a result, in September 2022, the first cycle of new or existing Level 4 and 5 qualifications, meeting occupational standards for the digital sector, was approved by the Institute of Apprenticeships and Technical Education and launched as Higher Technical Qualifications (HTQs).

According to the Institute for Apprenticeships and Technical Education (IfATE), there are 31 HTQs in the digital field, of which 12 are offered in cyber security or include a cyber security specialisation (IfATE, 2022[13]). Table 3.3 shows a sample of HTQs in cyber security provided in England in the academic year 2022-23. The core content of the courses is more advanced and field-specific than the programmes at Levels 2 and 3. The courses cover computer forensics, networking and software systems, applied cryptography and information security management. Alongside these new HTQs, a range of other Level 4 and 5 qualifications exist, including some with a cyber security specialisation.

Higher technical education is delivered by FE and HE providers. In addition, Institutes of Technology (IoTs) play an important role in providing higher technical education and training across a range of STEM occupations and industries. IoTs are a collaboration between FE providers, HE institutions and employers. They specialise in delivering employer-led training programmes, reacting quickly to an area’s current and evolving technical skills needs. Among 15 specialisms, IoTs offer courses in digital and IT fields, including cyber security. Although most of the training programmes provided by IoTs are at Levels 4 and 5 (including HTQs), some of them also include courses at lower levels (T-levels and Levels 2 and 3) covering most of the FE training building blocks for the cyber security profession (see Table 3.4).

At the higher education (undergraduate) level, students can opt for a technical or non-technical route into cyber security. Within the technical route, which is the focus of this study, there are two broad options at the undergraduate or bachelor’s level: cyber security programmes (e.g. cyber security, cybernetics, digital forensics, etc.) or other programmes with a cyber security specialisation. The latter include, for example, programmes in computer science with cyber security specialisation (e.g. ‘Computer science with cyber security’), and other STEM programmes with a cyber security focus – the most common ones being mathematics or engineering (e.g. Engineering with cyber security) (DCMS, 2019[7]). Non-technical courses can offer a module or specialisation in cyber security, such as Management, Business Studies or Psychology in cyber security- these are outside the scope of this report.

Programmes vary in the extent to which the content is field-specific, providing a variety of options for students with different preferences, needs and backgrounds. Some programmes have a modular approach, covering a wide range of ICT-related topics and competencies in the first year to build the foundations for more specific (and advanced) cyber security subjects later on. At the University of Royal Halloway, for instance, students can undertake courses on generalist ICT subjects, including ‘software design’, ‘machine fundamentals’ and ‘operating systems’ during the first year, allowing them to develop the fundaments required for more specialised subjects covered during the second year. Some other programmes are heavily focused on cyber security from the start and cover more specialised cyber security subjects in the following years. For instance, at the University of Warwick, students can undertake foundational courses in the cyber security field, such as security and information risk management, during the first year already, and more advanced courses, such as ‘cyber security incident management’ and ‘data science and complexity in the cyber context’, during the last two years of study.

The cyber security field in higher education is a relatively new discipline (DCMS, 2019[7]). However, it is attracting more students every year. The number of undergraduate programmes in cyber security (96) compared to computer science (694) is low, as is the number of students enrolled in this field (see Table 3.5 and Figure 3.5). However, among all ICT fields, cyber security has the highest student growth rate. During 2020-21, 5 900 students pursued a cyber security higher education degree, 30% more than the previous academic year (see Figure 3.5).

Apprenticeship is another option to prepare for entry-level cyber security jobs. Apprenticeships combine practical training on the job with off-the-job training, allowing apprentices to gain job-specific skills while working alongside experienced staff from the sector in addition to the more theoretical aspects of cyber security. Students can participate in apprenticeships at various levels – depending on their previous experience, their knowledge in the field, and -in some cases- their prior qualifications. There are three cyber security apprenticeship qualifications approved: Cyber security technician at Level 3 (intermediate), cyber security technologist at Level 4 (advanced) and cyber security technical professional at Level 6 (degree level).

FE providers and HE institutions provide the off-the-job component of the apprenticeship. Academic entrance requirements to apprenticeships are broadly similar to those of classroom-based FE or HE programmes, with typically additional criteria added by employers as part of the recruitment process. Table 3.6 shows some examples of apprenticeship postings in the cyber security field. Based on these examples, employers seek candidates with technical aptitude and good all-around skills, such as attention to detail, communication, problem-solving and work ethic, among others.

While apprenticeships in the cyber security field are available at different levels of qualification, most apprentices participate in higher programmes (Level 4 and above). Enrolment in apprenticeships increased strongly in the last five years (see Figure 3.6). In 2020-21, 4, 100 and 360 learners completed intermediate, advanced and higher apprenticeships, respectively, in this field. Additionally, the number of students in higher apprenticeships in cyber security has increased substantially compared to 2016-17 (by 2.5 times, see Figure 3.6). Nonetheless, the absolute numbers remain relatively low – especially at the intermediate-level. According to the University and College Admission Service (UCAS) portal, in November 2022, 37 cyber security apprenticeship positions were posted, of which only three were offered at an intermediate level.7

In addition to formal education and training, young people and adults in England can participate in cyber security training outside the formal education system. These non-formal courses do not lead to a formal qualification, although a certificate can be awarded in some cases. Bootcamps are one particular form of non-formal training in England, mostly offered by independent training providers but also by universities and further education colleges.

Bootcamps are intensive skill development programmes that cover topics highly relevant to a specific sector, such as cyber security (Learn21, 2022[14]). These short courses can take a few weeks or a few months to complete and aim to provide training as a starting point for an absolute beginner or custom advanced learning for candidates through a selection process. Bootcamps are job-oriented and give the opportunity to build sector-specific skills and, in some cases, fast-track to an interview or progress in their current role. In England, cyber security bootcamps are offered by public and private training providers covering a wide range of topics at several difficulty levels. They can be fully funded by the government after meeting eligibility requirements (e.g. Department for Education Skills Bootcamps) or can be fully or partially covered by learners.

The Department for Education Skills Bootcamps (in the remainder of the chapter referred to as Skills Bootcamps) are free, flexible courses of up to 16 weeks at Levels 3-5, available in England, giving people the opportunity to build up sector-specific skills and fast-track to a job interview with a local employer once the training is completed (Department for Education, 2022[15]). The courses are open to adults aged 19+ who have the right to work in the United Kingdom, live in England and meet residency requirements. Some Skills Bootcamps have additional eligibility criteria. They are available in several subjects and sectors, including (as of January 2023) digital, technical, construction, logistics, and green skills, with the scope to expand into a wider range of sectors. Skills Bootcamps are designed for adults who want to upskill quickly to work in specific sectors (e.g. cyber security or construction) or for those who wish to gain in-demand skills applicable to multiple areas (e.g. digital skills). Skills Bootcamps are co-designed with employers, providers, and local authorities to respond to skills shortages, and course subjects vary according to needs in each local area. In 2021-22, 16 120 people participated in Skills Bootcamps, with further expansion of learner numbers planned in the coming years covering multiple subjects.

Skills Bootcamps in the digital field are delivered both online and in-person in a range of subjects, including digital marketing, software engineering, cloud services engineering, coding, social media and digital leadership and cyber security (Department for Education, 2021[16]). Further expansion is planned for digital Skills Bootcamps.

Within cyber security Skills Bootcamps, a range of subjects is covered, including ‘cyber technician’, ‘cyber security’, ‘cyber technologist’, ‘cyber security operations and technology’, ‘networking and cyber security’. This type of training aims to promote an understanding of the core principles and knowledge involved in providing a secured business, responding to cyber incidents, reducing the risk of data breaches or managing cyber threats (see some examples in Table 3.7). Cyber security Skills Bootcamps are available across the country, with the largest numbers being offered in the North-west (e.g. Chester) and West Midlands (e.g. Birmingham) and South-west (e.g. Cheltenham) (See Figure 3.7).

Beyond bootcamps, the non-formal education and training sector includes a wide range of low-cost or free online modules and courses that individuals can undertake in their own time. Whilst these modules may not always contain a direct certification, they provide interesting and accessible opportunities for skills development and could facilitate access to further training.

Universities and FE colleges have also expanded their portfolio of non-formal training programmes providing online or blended courses through their website (e.g. University of Manchester) or joining existing platforms (e.g. the University of London in Coursera), especially for courses on digital skills. The list of online courses on digital skills offered through online platforms is long, and a comprehensive overview of those courses falls outside the scope of this study. Nonetheless, Box 3.2 provides some insights based on information from the most popular e-learning platforms in the United Kingdom.

Further, many dedicated cyber security training organisations have been set up in the England in recent years to help grow the cyber security recruitment pool through non-formal training. For example, Immersive Labs provides an interactive training platform for cyber security skills, with hands-on gamified labs that enable new and experienced individuals to learn new capabilities (Immersivelabs, 2022[17]). Another example is CAPSLOCK, which offers a cyber academy model for re-training individuals in a new cyber security career. With an Income Share Agreement, individuals only have to repay their tuition costs once they earn over GBP 27 000 per annum. This model requires a 16-week full-time or 26-week part-time programme. In 2021, CAPSLOCK intended to reskill 200 adults into cyber security (CAPSLOCK, 2022[18]).

As described above, various pathways in FE, HE and non-formal education can lead to an entry-level job in the cyber security field. These can be classified into two types of cyber security training pathways that learners can take depending on their prior experience and education. The first group, referred to as the ‘entry point to cyber security training’, is usually undertaken by individuals with no experience and knowledge of either cyber security or any related field (e.g. computer science). This group contains all the formal and non-formal courses on cyber security or computer sciences (including general digital skills) that contain modules on cyber security, including Level 3 FE courses, intermediate apprenticeships and most bootcamps. The programmes that require no previous education and experience usually lead to generalist IT roles with cyber security tasks or responsibilities or to cyber security apprenticeships or traineeships (see Table 3.9). This indicates that cyber security education and training programmes generally require some initial ICT/cyber security knowledge or expertise. Initial cyber security training, such as a Level 3 programme or certain cyber security bootcamps, may be insufficient for an entry-level cyber security role.

The second group can be referred to as ‘training pathways to advance in cyber security career’ and includes all the cyber security education and training programmes that require some previous knowledge and experience in cyber security and computer science. Courses in this group allow students to consolidate their cyber security knowledge or specialise in more specific subtopics within this field. This includes higher technical qualifications and similar training (Level 4/5), bachelor’s degrees, masters or PhD programmes, and advanced and degree apprenticeships. This group can also include bootcamps that provide more specialised advanced training.

Cyber security education and training programs are available for learners of all ages and with varying ICT skills and experience levels. Looking at the “ICT practitioners” field, which includes cyber security courses, much of the FE enrolment is concentrated among 19 to 24-year-olds (42% in 2020-21). Most of the learners from that age group are enrolled in programmes at Level 3, where this age group accounted for 80% of the total enrolment in 2020-21. As described above, these Level 3 programmes are more specialised than those offered at lower levels. Furthermore, young learners are more likely to engage with advanced ICT training in FE at Levels 4/5 and 6/7 than their older counterparts – although the absolute numbers remain very low. Among those who participate in more advanced FE ‘ICT practitioners’ training, 62% are young students (out of 130 learners).

Compared to 2015-16, the number of young learners participating in FE ICT training programmes has increased by 15%, which may reflect the efforts of the UK Government to attract more young people into digital and cyber security careers (DCMS, 2018[23]). Since 2016, the DCMS, jointly with the National Cyber Security Centre (NCSC), has put in place initiatives for strengthening the national curriculum for 4-16 years old to provide young people with the initial building blocks required for more technical careers, developing broader digital skills that are increasingly vital to engaging and working in cyber security (DCMS, 2018[23]).

The vast majority of adults aged 25 or older are in FE training programmes offered at Level 1 and Level 2: in 2020-21, 8 820 adults aged 25 or older participated in ‘ICT practitioner’ courses, of which 65% in Level 1 and 2 training programmes (see Figure 3.8). Most courses offered at Levels 1 and 2 focus mainly on foundations in ICT – which can be essential for greater ownership of learning in higher-level courses. For example, Pearson Education Ltd., an independent training provider, offers an Introductory Information Technology course (Level 1), completion of which is a requirement for the Level 3 cyber security course offered by the same provider.

Enrolment in higher education undergraduate programmes in cyber security-related fields is more concentrated among older cohorts, possibly indicating the need for previous experience, knowledge or a specific level of ICT skills in the field. More than 9 500 students aged 25 or older enrolled in information technology programmes (which include cyber security), accounting for 67% of the entire enrolment in this field. This contrasts with what can be observed in other computing programmes, where the share of learners aged 25 or older in total enrolment equals 15% on average (see Figure 3.9). Programmes such as ‘computer science’ (57%) and ‘software engineering’ (52%) have a significantly higher proportion of young people (below 25) than information technology programmes (32%).

Bootcamps, in general, are designed particularly for individuals looking to upskill or reskill, including in cyber security. According to consulted stakeholders, the age profile of learners in these programmes is very diverse. Moreover, there is also large diversity in the occupational status of learners and their level of expertise. For instance, in cyber security Skills Bootcamp programmes provided by Generation, an independent training provider, most students are unemployed or with no experience in the cyber security sector but willing to acquire sector-relevant skills and participate in the recruitment process (Generation, 2022[24]). Conversely, SANS, an independent training provider, offers an “Upskill in cyber” bootcamp, a commercially delivered bootcamp in cyber security, to learners who are new to cyber security but have the knowledge and skills necessary for a practitioner in key areas of computer, information and software security (SANS, 2022[25])

Women and ethnic minorities are underrepresented in ICT education and training programmes, with cyber security programmes likely having a similar distribution as the broader ICT field. In FE, the proportion of females in the ICT field is only 21% (see Figure 3.10). ICT has the lowest share of female learners compared to other STEM fields. The share of Black and Asian learners in this field is 16% and 19%, respectively (see Panel B of Figure 3.10), which is relatively low compared to FE in general (18 and 23%, respectively, in 2021/22). Consulted stakeholders confirmed that cyber security education predominantly enrols white and male learners. This reflects the persistence of stereotypes and sociocultural factors that undermine cyber security roles among both girls (IET, 2018[26]) and young people of colour in the United Kingdom (Royal Society, 2020[27]), in addition to inequities that are perpetuated in the workplace through sizeable pay gaps between women and men in STEM jobs and across racial and ethnic groups (Fry, Kennedy and Funk, 2021[28]). It highlights the need to break stereotypes and tackle entry barriers (e.g. financial constraints).

The lack of diversity in cyber security education and training enrolment is similar to what is observed in the related occupations in the labour market, especially for gender. The cyber security workforce in England is mostly male: in 2021, 78% of cyber security professionals were men. There is evidence that overall cyber security sector diversity has improved (both in terms of gender and ethnicity); however, it remains behind overall digital sector in this regard (DCMS, 2022[29]). The cyber security profession is becoming more diverse in multiple dimensions. The proportion of women, ethnic minorities and people from a low socio-economic background in the cyber security workforce has increased in recent years (See Box 3.3), mainly due to policies and strategies implemented by the UK Government. For instance, In 2021, the government mandated the creation of the UK Cyber Security council, an institution that has been focused in identifying and promoting best practices and policies to increase outreach and diversity in the cyber security profession (UK Cyber Security Council, 2023[30]).

Enrolment in ICT fields in higher education echoes what is found in FE. Figure 3.12 shows the percentage of students who identify as female or as a particular race/ethnicity in the computer science field, which includes cyber security. The share of females participating in computer science (18% in 2020-21) is low compared to other fields (57% across all fields in 2020-21). Although the participation of female learners in the field has improved slightly in the last five years (1.3 percentage points more than in 2015-16), computer science is still male dominated. Racial/ethnic minorities account for 24% of total enrolment in computer science, in line with what is observed in other fields. The share of Asian learners is higher in computing programmes than on average across all programmes in HE institutions. Compared to the 2015-16 academic year, the percentage of racial/ethnic minorities has gone up, which may reflect the affirmative action policies implemented in the last years in higher education to expand diversity in computer science (Office for Students, 2022[34]). However, the lack of racial/ethnic diversity in FE and HE remains a challenge not only in the cyber security field but in the entire education system (Oxford University, 2019[35]).

The lack of diversity in the field – particularly for gender – may reflect stereotypes embedded among young people at early ages. Such stereotypes and misconceptions about cyber security careers affect career expectations and, thus, career choice, which may perpetuate current figures in terms of gender diversity in the cyber security profession. Across OECD countries, 15-year-old old boys are more likely to expect to work in science and engineering than girls (OECD, 2019[36]). In 2018, on average across OECD countries, the ‘ICT professionals’ occupation was among the top three occupations aspired by 15-year-old boys, while for girls it was not among the top 10 (OECD, 2020[37]). These occupational expectation differences by gender have changed little since 2000 (OECD, 2019[36]).

Looking at computer science students’ outcomes, including cyber security programmes, 8 out of 10 students who enrol in computer science education and training complete their studies. Yet, completion rates vary according to the type of training; see Panel A of Figure 3.13. Computer sciences apprenticeships, for instance, have higher completion rates compared to more classroom-based programmes (Level 4/5 and undergraduate programmes). This highlights the relevance of work-based learning in the ICT sector, providing labour market-relevant knowledge and skills of technical and job-specific nature. Additionally, Level 4/5 and undergraduate computer science programmes have a lower completion rate than other ICT programmes. Results from a student survey suggest that the high dropout rate in this field compared to other ICT fields is mainly because students “feel they are not getting enough for their money”, lack of enjoyment studying the field, and the field being consider too hard (Tech target, 2019[38])

In computer science in general, which includes cyber security education and training programmes, almost nine out of ten students, after completing their degree, enter the labour market or pursue further education. This ratio is the highest for students who complete apprenticeships (97%). Students who complete a first degree (undergraduate programme) have more chances to progress to a positive outcome than those who complete a Level 4 or 5 programme. This may reflect that employers value higher-level degrees more and/or are looking for workers with at least some prior experience in the sector (or related) – which is often a requirement in the Level 6 programmes.

Figure 3.14 shows the outcomes for those who graduated from higher education in 2018/19, approximately 15 months after they completed their studies (i.e. the responses can show activity between December 2019 and September 2020 – before and after the COVID-19 pandemic restrictions in the UK).8 These figures indicate that approximately 68% of cyber security graduates enter full- or part-time employment, with 12% blending employment and further study. This means that of the 3 600 students who graduated in cyber security courses in 2018/19, 80% were in employment 15 months after obtaining their degree.

Cyber security graduates are slightly more likely to engage with further study than graduates from other computer science courses (DCMS, 2019[7]), which may be linked to the need for regular updating of technical skills and knowledge in a rapidly-changing field in addition to the level of specialisation and specific training required for some of the job opportunities in this field. 18% of cyber security graduates pursue further study (6% full-time further study and 12% combined with employment) compared to 16% of their peers in computer science (see Figure 3.14). This proportion has increased compared to the previous year (15% in 2017-18).

Looking at outcomes of recent graduates in computer sciences by level of qualification, which includes cyber security graduates, the share of Level 6 graduates in employment (including those in work and further study) is significantly higher (84%) than those from Level 4-5 programmes (65%) 15 months after obtaining their qualification (see Figure 3.15). Level 4-5 computer science graduates have more chances to pursue further studies (without work) (13%) than Level 6 graduates (6%) but are also more likely to be unemployed (12% vs 5%).

The earnings potential in this field is high, even at entry-level positions. This signals the high demand for professionals in the cyber security field. Figure 3.16 shows the evolution of the average annual earnings one year after finishing a Level 6 (first degree) training programme. According to these data, the yearly earnings of ICT graduates have increased by 54% between 2011 and 2019. In cyber security, this increase has been even stronger: since 2014, the annual earnings of recent graduates have doubled from GBP 15 000 per year in 2014 to GBP 32 000 in 2019. Cyber security salaries vary depending on experience level and role. Table 3.10 shows annual earnings for selected cyber security roles by years of experience. For instance, penetration testers have the lowest annual earnings among the ten cyber security roles with available data when workers have less than two years of experience (GBP 30 000), and at the same time have among the highest yearly earnings when workers have more than five years of experience (GBP 105 000).

Information on outcomes of non-formal education and training is limited. However, since the introduction of Skills Bootcamps in September 2020, starting with the digital sector, the DfE has compiled some figures in this area. Out of 2 550 applicants, 822 learners participated in digital Skills Bootcamps, including cyber security courses, during the academic year 2020-21 (Department for Education, 2021[16]). Providers collected participation indicators, such as whether learners dropped out early or completed the course, completed all their assessments and assignments, and passed all their assessments. Table 3.11 shows that the average attendance rate of digital Skills Bootcamps was 64%. Nonetheless, 84% of learners completed all their assessments and assignments, and 81% successfully passed their assessments, meaning that even though attendance did not appear very high, a large proportion of learners still managed to complete their courses and meet the planned learning outcomes successfully. Even though most learners actively engaged with the assignments and passed their assessments, 11% dropped out of their courses before completion.

Digital Skills Bootcamps participants improve their outcomes after finishing their training on average (see Figure 3.17). At the start of the training, 27% of participants were unemployed, which fell to 21% once the course was completed – with a higher proportion of learners in employment (54%) and in training or education (4%). Among those who reported working after completing a course, the vast majority (89%) indicated their current job was the same as the one they held when they started the course, while 11% changed jobs.

As highlighted above, enrolment in cyber security programmes in England remains relatively low despite the strong and growing demand for professionals in this field. At the same time, certain groups of learners are underrepresented in cyber security education and training programmes and careers – in particular female learners. Figure 3.18 shows that only 16% of young people aged 14 to 18 in the United Kingdom report to have considered a career in cyber security. This percentage is relatively low compared to countries such as Germany (27%) or Saudi Arabia (50%). One of the potential reasons for the limited enrolment and interest in the field is that some individuals may have a limited understanding of cyber security as a field and the related areas of knowledge, which may impede identifying the right training opportunities. Consulted stakeholders state that learners have limited information on the learning pathways directly linked to cyber security occupations, as well as on the career pathways within the field.

Moreover, the lack of diversity in the sector may affect the enrolment of people from diverse backgrounds. Evidence from the STEM sector suggests that a lack of diversity can be perceived as a hostile environment by prospective learners from these diverse backgrounds (Breda et al., 2021[39]). Role models can provide youth with valuable motivation and information on pursuing their career goals (Valero, Keller and Hirschi, 2019[40]).

Multiple policies and strategies have been implemented in England to overcome these challenges and expand access to cyber security programmes, especially among young and adult learners from different backgrounds. The efforts have been focused on providing clear information about cyber security education and training and careers and guidance on how to engage with the distinct learning pathways available to pursue a career in the field. Similarly, financial incentives and subsidies have been provided to increase participation in cyber security education and training, especially targeting the most disadvantaged young people and adults.

Promoting participation in cyber security education and training requires people to be better informed about the field. Cyber security is a fairly complex and relatively new field; therefore, it requires more effort to inform (prospective) learners about what it entails. Effective career guidance enables people of all ages to develop informed, critical perspectives about the relationship between education and employment, helping them to visualise and plan their transitions through schooling or current jobs and into more attractive work opportunities (OECD, 2019[41]). As described in the previous Chapter, various cyber security roles exist and these can be found across various industries, and this requires supporting students to navigate them. This is especially relevant for newcomers in the field who may find it hard to understand the entry requirements and the competencies needed.

In England, several career guidance initiatives have been set up to support people interested in engaging in cyber security education and training. Some focus on providing targeted career guidance to introduce people from diverse backgrounds, mostly young people, to the cyber security world and the relevant learning opportunities in the field. At early ages, the efforts have been focused on raising awareness about cyber security issues in general and cyber security as a career.

The NCSC leads the implementation of the CyberFirst programmes, designed to identify and nurture a diverse range of talented young people into a cyber security career. CyberFirst includes multiple activities intended to inspire and encourage students from all backgrounds to consider a career in cyber security (NCSC, 2021[33]). This includes ‘CyberFirst courses’, which aim to introduce the young generation to the cyber security world and provide information on the relevant training pathways in this field (see Box 3.4). In 2020-21, more than 4 300 young students participated in these courses, of which 40% were ethnic minorities and 55% were females. For older cohorts, CyberFirst includes a scheme oriented to complement career education available in schools and colleges through the CyberFirst Schools/Colleges programme, which aims to encourage young people to engage with computer science and the application of cyber security in everyday technology use (see Box 3.4).

Multiple websites and platforms are available to provide young people and adults with relevant information about the cyber security sector. They play an important role in improving the understanding of the field and facilitating participation in cyber security learning opportunities (see Table 3.12). One interesting tool comes from the UK Cyber Security Council, the self-regulatory body for the UK’s cyber security profession that is in charge of developing, promoting, and awarding nationally recognised standards for cyber security in support of the UK Government’s National Cyber Security Strategy to make the UK the safest place to live and work online. The Council has developed a portal, ‘the careers route map’, which provides details about the 16 specialisations in cyber security and suggests pathways into, through and between them. Currently, the Council is mapping all the initiatives offered at the national and sub-national levels that seek to diversify the cyber security profession (including supporting more neurodiverse workers into the profession, increasing the number of women and facilitating non-traditional routes). The objective is to develop a website that centralises this information to make it accessible to users that can benefit from these initiatives.

Some initiatives take a more general approach by providing relevant labour market information about priority sectors – including cyber security – to inform young people and adults about jobs and learning. Several career guidance services in England, while typically sector and occupation agnostic, provide relevant information on labour market needs and training opportunities, especially at the local level. Since 2019, the National Careers Service has worked with Sector Delivery Lead (SDL) departments9 to provide information that best reflect labour market needs. A key principle of careers information, advice and guidance is that it works in the best interests of the individual, and the DfE’s National Careers Service and Careers & Enterprise Company can help industry sectors to disseminate key information to career leaders in schools/colleges and careers advisers in the community. This is a joint partnership as it requires input from industry to ensure that content is accurate and up to date. 

Moreover, the National Careers Service offers multiple industry- and occupation-specific resources and tools for youth and adults to make more informed education and training decisions. For example, the ‘explore careers’ portal provides detailed information by occupation, including cyber security professionals, on expected salary, the ways to get into this role and its skills requirements. The website also lists the current education and job opportunities available.

Addressing individuals’ financial and non-financial barriers is important to boost participation in cyber security education and training, especially among people from vulnerable backgrounds (OECD, 2019[49]).

Cyber security education can be expensive in England. For nationals, tuition fees of formal education courses can range between GBP 3 500 and GBP 9 250 per year depending on the type and level of programme, representing a significant share of individuals’ or households’ income. Multiple policies and initiatives have been implemented in England to help overcome financial constraints and support participation in cyber security education and training. For instance, high-performing students can apply for a CyberFirst bursary, a programme that provides financial assistance to students interested in studying undergraduate education in cyber security, which also covers cyber security training each summer to help them to start their career in cyber (see Box 3.4). Since 2015, more than 1 000 young people have benefited from this bursary. According to data from the summer training, 47% of beneficiaries identified as female, and 35% as Black, Asian or Mixed (DCMS, 2021[50]).

Subsidised training programmes are also available for adults (aged 19 or older) from diverse backgrounds across England. For example, Skills Bootcamps in the digital field, including cyber security, are offered at no cost to learners. For Skills Bootcamps in which an employer is training their employees, the employer contributes 30% (large businesses) or 10% (SMEs) to the cost of the course. Some commercially delivered bootcamps providers in cyber security implement specific funding schemes to remove financial barriers and expand the enrolment of more disadvantaged learners. For instance, at CAPSLOCK (i.e. a cyber security training provider), learners have the option to attend full or part-time courses and pay nothing up-front. Instead, learners are required to pay back a percentage of their income after completing the course, but only if they land a job with a good salary (See Box 3.5).

Various publicly-funded programmes exist to increase diversity in specific sectors, such as the digital sector. This is, for example, the case for the Mayor’s Academies Programme (MAP) developed by the Mayor’s Office of London as part of its London Recovery Programme. This initiative aims at supporting the learners who have been the hardest hit by the COVID-19 pandemic into good work in key sectors for recovery and long-term economic growth. The programme co-ordinates quality marks training in London and provides support to help newly skilled people to work in priority sectors. It also builds on the Mayor’s Workforce Integration Network (WIN) work to address structural barriers as part of the Mayor’s Strategy for Social Integration. The WIN programme supports young Black men aged 16 to 24 years into living wage employment in London. It currently focuses on the construction and digital sectors and will engage other sectors and groups over time.

Another common barrier to training participation is a lack of time due to work and family responsibilities. Such time constraints may affect learners’ chances to enrol in cyber security training and therefore call for training opportunities to be compatible with busy working or family life. For these reasons, in 2018, the DCMS launched the Cyber Skill Immediate Impact Fund (CSIIF), which is designed to encourage providers to develop and scale up effective and more suitable initiatives to identify, train and place untapped talent from different backgrounds into targeted cyber security roles quickly (DCMS, 2019[51]). For instance, the training provider QA has created a training programme with Women Tech Jobs to support women’s placement into cyber security roles. The programme focuses on women who are heads of household or with family responsibilities wanting to return to work; thus, the classroom training is blended with e-learning and complemented with additional guidance and support (see Box 3.6). Similarly, through CSIIF, the DCMS has also sponsored providers offering cyber security training suitable for neurodiverse learners. For example, Immersive labs, a training provider, has developed The Neurodivergent Digital Cyber Academy, designed to help neurodiverse candidates develop their cyber security skills through hands-on practical challenges and courses. Box 3.6 provides more details about these programmes as well as other examples.

Involving employers in the design of cyber security education and training programmes is imperative to understand and develop the knowledge and skills that learners need, especially in such a fast-changing sector. While formal education programmes may take longer to adjust, programs such as bootcamps can be more flexible and tailored to employer needs. Moreover, employers can participate in the provision of work-based learning opportunities in cyber security, which are key given the high levels of skills shortages. In this way, students improve their employability, transition to the labour market faster, and access job opportunities that better align with their professional development. For employers, work-based learning provides benefits in terms of increased productivity (ILO, 2018[52]), more efficient hiring processes, and staff with job-specific technical skills. The use of work-based learning in VET is relatively common in the United Kingdom, with just over half of the learners in upper-secondary VET enrolled in programmes with a substantial work-based component (see Figure 3.19). However, according to stakeholders consulted, the supply of work-based learning opportunities in cyber security remains insufficient.

Policies and strategies can increase employer participation in the design and delivery of cyber security education and training programmes. In England, the government has played an important role in facilitating the interaction between the education sector and the world of work so that the education and training provision is more aligned with the concrete needs of the cyber security sector both nationally and regionally. Likewise, initiatives have been implemented to encourage companies to offer cyber security apprenticeship opportunities and provide support in delivering them.

Education and training providers in the cyber security field often work closely with employers to help students find career paths and benefit from their knowledge and other resources in delivering courses. Successful employer engagement is founded on long-lasting, mutually acceptable and beneficial relationships between schools and businesses. There are substantial advantages when these collaborations are systematic and scaled up as they bring coherence to education and training provision at a local and national level (Department for Business Innovation and Skills, 2015[54]).

Training providers are eager to include employers in the design of cyber security courses and modules so that they can meet employers’ skills requirements and provide students with jobs (DCMS, 2019[7]). The development of courses in industry liaison panels or advisory groups that guide course content are examples of this. For instance, De Montfort University has developed cyber security training programmes with Deloitte, Airbus, BT and Rolls-Royce, with students being assessed by cyber security professionals from the industry (DMU, 2018[55]).

Programs such as cyber security bootcamps typically have the active participation of employers in designing and establishing the structure and content of the programmes since the training aims to equip learners with the skills required to fill a specific cyber security position. For instance, Generation, a cyber security Skills Bootcamps provider, works with employers throughout the entire programme design, delivery and placement (see Box 3.7). Also, for apprenticeship employer engagement is crucial. Employers in England work with the Institute for Apprenticeships to create and develop occupational standards.10 These standards are the components of an apprenticeship, along with the End-point Assessment Plan (EPA) (i.e. assessment to evaluate apprentice performance) and a funding band (i.e. funds can be used to pay for apprenticeships training and assessment for apprentices) (IfATE, 2023[56]). Employers developed these standards to describe duties, and ‘Knowledge, Skills and Behaviours’ (KSBs). Employer groups (referred to as Trailblazer groups) participate actively in developing apprenticeships. For instance, IfATE approved the 2021 ‘cyber security technologist’, a Level 4 apprenticeship standard, which involved the participation of multiples employers such as QineitQ (i.e. high-tech company focused on defence), Siemens (i.e. company focused on industry, infrastructure, transport, and healthcare), FoxRedRisk (i.e. Information Security and Data Protection consultancy), as well as the DCMS (IfATE, 2021[57]). In 2018, Global Knowledge UK, a worldwide leader in IT and professional training, in partnership with relevant cyber security players, including QUFaro (i.e. IT training provider) and GKA (i.e. IT and business training provider), collectively formed a trailblazer group for creating a Level 3 apprenticeship standard to address the need for a broader choice of qualifications to fulfil the skills gap in the cyber security profession and meet the demands of employers (Global Knowledge, 2018[58]).

To some extent, the level of employer involvement is influenced by geography and the degree to which training providers are located in areas of England with strong technology-based firms. Having employers nearby helps to improve the links that training providers can develop with industry. For example, Nexus, an IT support and consulting company with headquarters in the outskirts of Exeter, has built a close relationship with Exeter College to engage with the design of cyber security undergraduate programmes, among other ICT programmes. Additionally, Nexus employees regularly go to the college to speak to students about ICT careers.

The extent of the links between industry and the FE and HE sectors also depends on the nature of employers’ activities. Not surprisingly, firms that specialise in providing cyber security services (IT companies, major consulting companies, etc.) have the closest links with training providers (DCMS, 2019[7]). However, companies in parts of the economy that are especially vulnerable to cyber attacks (e.g. financial services, advanced manufacturing, defence-related) are also major recruiters of cyber security graduates. There is a strong mutual interest in developing close links in those sectors. For example, the University of Warwick collaborates closely with Jaguar Land Rover and other automotive firms in the West Midlands for the design and delivery of its courses, including in cyber security (Warwick University, 2018[60]).

Cyber security clusters have an important role in promoting employer participation in cyber security learning opportunities in England. Sectorial clusters, in general, provide a networking environment that facilitates the interaction of all stakeholders – including training providers, think tanks, companies and regional and local authorities (The European watch on cyber security and privacy, 2022[61]). In cyber security, clusters of employers enhance co-operation and co-ordination of actions to establish synergies to move forward relevant matters and address issues that directly affect cyber security at the regional level. For instance, Cyber East, the East region cyber cluster in England, is an industry body that works alongside the government to develop the cyber security industry. Cyber East works with businesses across Norfolk, Suffolk, and Cambridgeshire and expands to other areas, encouraging collaboration with multiple stakeholders, including training providers. Co-operation among clusters also contributes to identifying and sharing good practices for managing cyber security skills shortage. For instance, UKC3, a cyber security cluster collaboration hub, supports cyber security clusters to drive growth in the sector within their nations and regions. UKC3 champions activities to support businesses, academia and other skills or talent development organisations to promote cyber skills development and careers in the cyber security industry (see Box 3.8).

Employers have a key role in providing work-based learning opportunities in cyber security. Through apprenticeships, students can access training combining classroom and work-based learning, allowing them to acquire practical skills and knowledge relevant to employers in the sector (OECD, 2014[62]). Nonetheless, the number of cyber security apprentices remains low (see above). This may be due to multiple reasons. Learners may have limited awareness about the options available. Companies, especially SMEs, may need more support to provide apprenticeship opportunities, as implementing apprenticeships has time and cost implications. One barrier that is, in particular, important for SMEs is that assigning staff to oversee training impedes them from carrying out the core business activities related to cyber security – and this may be even more problematic in the cyber security sector than in other sectors given the prevailing labour shortages and associated risks.

In order for employers to see the value of offering apprenticeship opportunities, they need to be aware of their specific cyber security skills needs. On average, 54% of businesses in England report understanding at least reasonably well their cyber security training needs – but few outside the cyber security sector report they understand these need very well (14%) (DCMS, 2022[29]). Even though a higher proportion of businesses in the cyber security sector report understanding very well their cyber security training needs (68%), only 36% of SMEs in the cyber security sector do so (DCMS, 2022[29]). Companies’ limited understanding of their cyber skill requirements can hinder the implementation of cyber security apprenticeship programmes. The NCSC provides cyber security advice for businesses, charities, clubs and schools with up to 250 employees on many issues, including training delivery. Most of the resources available from the NCSC focus on assessing cyber security needs and identifying cyber security risks. SMEs can get access to the Small Business Guide and Exercise in a Box, tools that provide key information to identify the security bridges, evaluate the level of resilience to cyber attacks and determine the capacity of the organisation to deal with cyber threats with current resources (infrastructure and human capital).

Successfully engaging more employers is necessary for realising the potential benefits of work-based learning and making work-based learning accessible for young people and adults with diverse needs and aspirations, including those without jobs or learning opportunities (Kis, 2016[63]). In England, policy makers have implemented various strategies and policy tools to unlock engagement by shifting the cost-benefit balance for employers and making the provision of apprenticeships more attractive and manageable for businesses. Introduced in 2017, the apprenticeships levy is a government initiative to encourage companies to hire apprentices and help reduce skills gaps in the United Kingdom (see Box 3.9). The levy’s introduction has increased focus on training new and existing employees for the highly skilled roles the economy needs by covering the full cost of training and assessment for levy payers and covering partially for non-levy payers (covering 95% of tuition fees). Since 2022, a new portable flexi job apprenticeship-sharing arrangement has been piloted, allowing apprentices to undertake a series of shorter contracts with a number of employers while completing their training in preparation for end-point assessment. The pilot is running across 38 standards in the creative, digital, adult care and construction sectors. These Flexi-Job Apprenticeships have been designed to ensure that those sectors and occupations where short-term contracts or other non-standard employment models are the norms can access the benefits of apprenticeships.

Some training providers offer support to employers for effectively providing apprenticeship opportunities. For instance, CyberPro, an organisation grounded on providing accessible resources to individuals and companies interested in developing cyber security learning ecosystems, offers online information on how apprenticeships in this field are established and how to benefit from the different schemes and support provided by the government to fund the cyber security apprenticeships programmes. Similarly, some training providers provide key information and raise awareness about the benefits of employing a cyber security apprentice. Escalla, a global workplace and digital skills provider, is accompanying employers with guidance and information on apprenticeship benefits. It also supports employers on how to make the most of providing apprenticeship programmes in cyber security (Escalla, 2022[65]).

Additional initiatives come from joint efforts from trade associations and the higher education sector to increase the provision of apprenticeship programmes in the tech sector. For instance, Techskill, a partnership between employers and educators for developing digital since 2021, recognises talent from within the digital degree apprenticeship sectors through the National Tech Industry Gold Digital Degree Award. The objective of providing this recognition is to highlight employers and training providers that contribute to developing the relevant skills for sectors through apprenticeship programmes and incentivising more employers to deliver digital skills apprenticeship programmes. Some universities have started incorporating digital apprenticeships into their degree programmes in partnership with enterprise conglomerates. The curricula of higher-level digital apprenticeships typically cover a variety of digital skills, including cyber security, big data, software engineering, digital banking, IT skills for the automotive industry, etc. For example, Warwick Manufacturing Group, as part of the University of Warwick, provides degree-level apprenticeship modules embedded in undergraduate courses, including one in cyber security engineering (see Box 3.10). Another example is the partnership of J.P. Morgan, a multinational investment bank and financial services company, with the University of Exeter in October 2018 to offer the UK’s first degree apprenticeship programme in applied finance and cyber security. The programme covers areas ranging from securities to IT in investment operations and prepares apprentices to become financial services professionals with the essential skills for using digital banking products. A large proportion of the programme takes place at the workplace through projects linked to academic content, while some modules can also be completed by distance learning.

Teachers and trainers are at the heart of quality education and training provision. When providing education and training in areas that face shortages in the labour market, it can be difficult to find the workforce to teach those skills. This, in turn, may affect the quality and relevance of the education and training provided. Teachers typically account for an important share of expenditures in education (see Figure 3.20). In the United Kingdom, expenditure on teachers is equivalent to almost half of the total VET expenditure (49%). Teacher shortages have important implications for the provision of education and training programmes, which may affect any strategy or policy aimed at expanding training provision. Moreover, fast-changing sectors, such as cyber security, call for regular changes to curricula and, therefore, also to teacher training and professional development. It could also imply changes to teachers’ recruitment strategies if more industry experience is desired.

Ensuring the quality of cyber security education programs is crucial to expanding enrolment and tackling shortages. Generally, well-recognised programmes tend to attract more students (UNESCO, 2020[66]). Cyber security is no exception; based on evidence from the computer science field, good quality ICT programs attract more students, not only those who already have knowledge or experience in the sector but also those completely external to the field. Moreover, cyber security issues require standardised practices, methods and knowledge that students must develop in their cyber security education and training programmes. For this reason, the UK Government has focused part of its efforts on developing strategies to ensure that formal education and training programmes in cyber security are provided at the highest quality.

Teachers in FE are unique in terms of how they are recruited and trained. They are expected to have not only the subject and pedagogical knowledge but, in many cases, work experience in their industry. Moreover, FE teachers’ skills can be in high demand in occupations other than teaching, making it harder to recruit and retain teachers in related subjects (OECD, 2021[67]). Given the shortages of skilled cyber security professionals, the cyber security field may be particularly difficult to attract and retain teachers.

Despite the relevance of understanding teacher shortages, regularly and systematically collected comprehensive data focused on FE teachers, including the number of teachers, hiring needs and shortages across OECD countries, is limited (OECD, 2021[67]). In England, the Staff Individualised Record (SIR) data has information on teachers in the FE sector. Table 3.15 shows that the proportion of staff teaching ICT subjects is 2.1%, which is low compared to other fields, and it is not aligned with the percentage of FE students in the field, potentially reflecting a lack of teachers and trainers in the field. However, information on teacher shortages by sector is not readily available. Teacher information for the narrow field of cyber security is particularly hard to come by, and the DCMS has already recommended collecting more data in this area to enhance cyber security training provision (DCMS, 2019[7]).

Teacher shortages can damage the stable provision of specific occupational courses and the sustainable supply of qualified workers for associated occupations (OECD, 2021[67]). Teacher shortages may also increase the costs of training provision. For instance, in England (ACL Consulting, 2020[68]), higher costs during times of FE teacher shortages may be driven by increased use of lower- or less-qualified teaching staff and temporary or agency staff – which is not always cheaper than hiring suitably qualified teachers – and can lead to increased workloads and stress for existing staff.

The NCSC is the governmental body responsible for recognising and supporting the best cyber security education programs for students and employers. Since 2018, working in partnership with the DCMS, Cabinet Office (CO), UK Research and Innovation (UKRI), the NCSC certifies programmes across higher education institutions that best respond to cyber security standards established by CyBOK and the national cyber security priorities (Cabinet Office, 2022[69]). The NCSC certifies degree apprenticeships, Bachelor’s degrees and Integrated Master’s degrees in cyber security and closely related fields (see Table 3.16). For the certification of degree apprenticeships, NCSC follows apprenticeship standards established by the Institute for Apprenticeships to conduct the assessment (Institute for Apprenticeships and Technical Education, 2020[70]). Among bachelor’s degrees, NCSC assesses computer science for cyber security, computer science and cyber security, and computer science and digital forensics.

This certification process has a clear objective: to set the standard for good cyber security higher education in the United Kingdom and better alignment with the priority actions to strengthen the UK’s cyber ecosystem (Government, 2021[71]), which may positively affect all stakeholders. Recognition of cyber security education and training programmes benefits training providers, students and employers. For example, NCSC certification helps universities attract additional numbers of skilled students from the United Kingdom and abroad. Since navigating the range of cyber security degree programmes on offer in the United Kingdom may be difficult, NCSC certification can help students to choose a cyber security course which has been evaluated by the NCSC. Students from NCSC-certified degree programmes will be provided with an additional form of recognition (i.e. that the student has successfully completed an NCSC-certified degree), which will help employers distinguish between applicants’ qualifications.

Cyber security programme recognition is also granted to schools and colleges through the NCSC’s CyberFirst schools and colleges programme (see Box 3.4). Eligible secondary schools or colleges where CyberFirst operates can apply to be part of the CyberFirst Schools and Colleges scheme. Successful applicants receive NCSC recognition and are promoted as leaders committed to providing a structured approach to excellence in cyber security education. Schools and Colleges are certified to become part of the CyberFirst Education eco-system to promote cyber security education among young people.


[1] (ISC)² (2022), Cybersecurity workforce study, https://www.isc2.org//-/media/ISC2/Research/2022-WorkForce-Study/ISC2-Cybersecurity-Workforce-Study.ashx.

[68] ACL Consulting (2020), Costs and cost drivers in the Further Education sector, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_dat.

[39] Breda, T. et al. (2021), Do Female Role Models Reduce the Gender Gap in Science? Evidence from French High Schools, https://halshs.archives-ouvertes.fr/halshs-01713068v5.

[69] Cabinet Office (2022), National Cyber Strategy 2022, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1053023/national-cyber-strategy-amend.pdf.

[18] CAPSLOCK (2022), Capslock cybersecurity blended training model, https://capslock.ac/the-course.

[2] CISCO (2019), Annual security report, https://www.cisco.com/site/us/en/index.html#tabs-ca9b217826-item-1b113ceb83-tab.

[43] Cyber Explorers (2023), Cyber Explorers, https://www.cyberexplorers.co.uk/ (accessed on  2023).

[8] CyBOK (2021), Introduction to CyBOK, The National Cyber Security Centre, https://www.cybok.org/media/downloads/Introduction_v1.1.0.pdf.

[6] CyBOK (2019), The Cyber Security Body of Knowledge, The National Cyber Security Centre, https://www.cybok.org/media/downloads/CyBOK-version-1.0.pdf.

[29] DCMS (2022), Cyber security skills in te UK labour market, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1072767/Cyber_security_skills_in_the_UK_labour_market_2022_-_findings_report.pdf.

[50] DCMS (2021), CyberFirst Evaluation, https://www.gov.uk/government/publications/independent-evaluations-of-cyber-discovery-and-cyberfirst-programmes/cyberfirst-evaluation#summer-courses.

[31] DCMS (2021), DCMS sector economic estimates 2021: employment 2019 to June 2021, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1072767/Cyber_security_skills_in_the_UK_labour_market_2022_-_findings_report.pdf.

[51] DCMS (2019), Cyber Skill Immediate Impact Fund (CSIIF), https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/825141/CSIIF_Third_Round_Guidance_for_Applicants.pdf.

[7] DCMS (2019), Identifying the Role of Further and Higher Education in Cyber Security Skills Development, Department of Digital, Culture, Media and Sport, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/767425/The_role_of_FE_and_HE_in_cyber_security_skills_development.pdf.

[23] DCMS (2018), Initial National Cyber Security Skills Strategy - Increasing the UK’s cyber security capability, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/949211/Cyber_security_skills_strategy_211218_V2.pdf.

[54] Department for Business Innovation and Skills (2015), Understanding the link between employers and schoos and the role of the National Career Service, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/386030/bis-14-1271-understanding-the-link-between-employers-and-schools-and-the-role-of-the-national-careers-service.pdf.

[10] Department for Education (2023), Introduction to T Levels, https://www.gov.uk/government/publications/introduction-of-t-levels/introduction-of-t-levels.

[9] Department for Education (2022), Education and training statistics for the UK, https://www.gov.uk/government/statistics/announcements/education-and-training-statistics-for-the-uk-2022#full-publication-update-history.

[15] Department for Education (2022), Find a Skills Bootcamp, https://www.gov.uk/guidance/find-a-skills-bootcamp/eligibility.

[5] Department for Education (2022), Skill Bootcamps training providers, https://www.gov.uk/government/publications/skills-bootcamps-training-providers.

[16] Department for Education (2021), Skills bootcamps process evaluation, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1027163/Bootcamps_wave_1_final_evaluation_report.pdf.

[12] Department for Education (2020), Higher technical education reforms, https://www.gov.uk/government/publications/higher-technical-education-reforms/higher-technical-education-reforms.

[55] DMU (2018), UK cyber skills to receive breakthrough boost with pioneering new training course, https://www.dmu.ac.uk/about-dmu/news/2015/november/uk-cyber-skills-to-receive-breakthrough-boost-with-pioneering-new-training-course.aspx.

[21] EdX (2021), Accelerating our movement: 2021 EdX impact report, https://www.edx.org/assets/2021-impact-report-en.pdf.

[65] Escalla (2022), Employing a cyber security apprentice, https://escalla.co.uk/employing-a-cyber-security-apprentice/.

[28] Fry, R., B. Kennedy and C. Funk (2021), STEM Jobs See Uneven Progress in Increasing Gender, Racial and Ethnic Diversity, https://www.pewresearch.org/science/2021/04/01/stem-jobs-see-uneven-progress-in-increasing-gender-racial-and-ethnic-diversity/.

[24] Generation (2022), Skills Bootcamp on IT support with cyber security, https://uk.generation.org/london/itsupport-cyber/.

[59] Generation (2021), Annual Report 2021: Moving Forward, https://www.generation.org/wp-content/uploads/2022/06/Generation-Annual-Report-2021.pdf.

[58] Global Knowledge (2018), Qufaro sponsors trailblazer group for level three cybersecurity apprenticeship in partnership with global knowledge UK, https://www.globalknowledge.com/en-gb/company/news/press-releases/qufaro-sponsors-trailblazer-group-for-l3-cybersecurity-apprenticeship-in-partnership-with-gk.

[71] Government (2021), Global Britain in a Competitive Age: the Integrated Review of Security, Defence, Development and Foreign Policy, https://www.gov.uk/government/publications/global-britain-in-a-competitive-age-the-integrated-review-of-security-defence-development-and-foreign-policy.

[11] HM Government (2022), T-Levels in the UK, https://www.tlevels.gov.uk/students/subjects/digital-support-services.

[42] HM Government (2016), Initial National Cyber Security Skills Strategy: Increasing the UK’s Cyber Security Capability - A Call for Views, https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/949211/Cyber_security_skills_strategy_211218_V2.pdf.

[19] Hosting Data UK (2022), Best Online Learning Platforms, https://uk.indeed.com/career-advice/career-development/online-course-platforms.

[4] Houston, R. et al. (2022), Recognising and overcoming barriers to participation in STEM, https://aerospaceamerica.aiaa.org/departments/recognizing-and-overcoming-barriers-to-participation-in-stem/.

[26] IET (2018), Women in STEM, https://warwick.ac.uk/fac/sci/eng/about/athenaswan/edit-contents/women_in_stem_bro.pdf.

[56] IfATE (2023), Developing an occupational standard, https://www.instituteforapprenticeships.org/developing-new-apprenticeships/developing-occupational-standards/.

[13] IfATE (2022), Aproved Higher Technical Qualifications, https://www.instituteforapprenticeships.org/qualifications/higher-technical-qualifications/approved-higher-technical-qualifications-cycle-one/.

[57] IfATE (2021), Cyber security technologist occupation standards, https://www.instituteforapprenticeships.org/apprenticeship-standards/cyber-security-technologist-2021-v1-0.

[52] ILO (2018), Investing in work based learning, https://www.ilo.org/wcmsp5/groups/public/---ed_emp/---ifp_skills/documents/publication/wcms_565923.pdf.

[17] Immersivelabs (2022), Arming Organizations Against Cyber Threats Since, https://www.immersivelabs.com/our-story/.

[70] Institute for Apprenticeships and Technical Education (2020), Standards for cyber security technical professional (Integrated degree), https://www.instituteforapprenticeships.org/apprenticeship-standards/cyber-security-technical-professional-integrated-degree-v1-0.

[63] Kis, V. (2016), Work-based learning for youth at risk: Getting employers on board, OECD publications, https://www.oecd.org/education/skills-beyond-school/Work-based_Learning_For_Youth_At_Risk-Getting_Employers_On_Board.pdf.

[14] Learn21 (2022), What is a bootcamp and is it useful in learning new skills?, https://learn21.in/blog/what-is-a-bootcamp-how-is-it-useful.

[22] LinkedIn Learning (2022), Workplace Learning Report - The transformation of learning and development, https://learning.linkedin.com/resources/workplace-learning-report.

[3] Malcom, S. and M. Feder (eds.) (2016), Barriers and Opportunities for 2-Year and 4-Year STEM Degrees, National Academies Press, Washington, D.C., https://doi.org/10.17226/21739.

[47] NCSC (2022), Bursary and Degree Apprenticeship, https://www.ncsc.gov.uk/cyberfirst/bursary-and-degree-apprenticeship (accessed on 8 March 2023).

[44] NCSC (2022), CyberFirst courses, https://www.ncsc.gov.uk/cyberfirst/courses (accessed on 8 March 2023).

[46] NCSC (2022), CyberFirst Girls Competition, https://www.ncsc.gov.uk/cyberfirst/girls-competition (accessed on 8 March 2023).

[48] NCSC (2022), CyberFirst overview, https://www.ncsc.gov.uk/cyberfirst/overview (accessed on 8 March 2023).

[45] NCSC (2022), CyberFirst Schools and Colleges, https://www.cyberfirstschools.co.uk/ (accessed on 8 March 2023).

[33] NCSC (2021), CyberFirst annual report 2020 - 2021, https://www.ncsc.gov.uk/files/CF-Annual-Report-2020-21-Final-Version.pdf.

[32] NCSC (2021), Decrypting Diversity: Diversity and Inclusion in Cyber Security, https://www.ncsc.gov.uk/files/KPMG-and-the-NCSC-Decrypting-Diversity-2021-report.pdf.

[67] OECD (2021), Teachers and Leaders in Vocational Education and Training, OECD Reviews of Vocational Education and Training, OECD Publishing, Paris, https://doi.org/10.1787/59d4fbb1-en.

[37] OECD (2020), Dream Jobs? Teenagers’ career aspirations and the future of work, https://www.oecd.org/education/dream-jobs-teenagers-career-aspirations-and-the-future-of-work.htm.

[53] OECD (2020), Education at a Glance 2020: OECD Indicators, OECD Publishing, Paris, https://doi.org/10.1787/69096873-en.

[49] OECD (2019), Getting Skills Right: Engaging low-skilled adults, https://www.oecd.org/els/emp/engaging-low-skilled-adults-2019.pdf.

[41] OECD (2019), Investing in career guidance, https://www.oecd.org/education/career-readiness/Investing%20in%20Career%20Guidance_en.pdf.

[36] OECD (2019), PISA 2018 Results (Volume II): Where All Students Can Succeed, PISA, OECD Publishing, Paris, https://doi.org/10.1787/b5fd1b8f-en.

[62] OECD (2014), Skills beyond School: Synthesis Report, OECD Reviews of Vocational Education and Training, OECD Publishing, Paris, https://doi.org/10.1787/9789264214682-en.

[34] Office for Students (2022), Two thousand new scholarships available to boost digital skills, https://www.officeforstudents.org.uk/news-blog-and-events/press-and-media/two-thousand-new-scholarships-available-to-boost-digital-skills/.

[35] Oxford University (2019), Closing the diversity gap in computer science, https://www.development.ox.ac.uk/report2019-20/closing-the-diversity-gap-in-computer-science.

[64] Patrignani, P. et al. (2021), The impact of the Apprenticeship Levy on apprenticeships and other training outcomes, https://cver.lse.ac.uk/textonly/cver/pubs/cverdp034.pdf.

[27] Royal Society (2020), Ethnicity STEM data for students and academic staff in higher education, https://royalsociety.org/-/media/policy/Publications/2021/trends-ethnic-minorities-stem/Ethnicity-STEM-data-for-students-and-academic-staff-in-higher-education.pdf.

[25] SANS (2022), Upskill in cyber, https://www.sans.org/mlp/upskillcyber-uk/.

[38] Tech target (2019), Computer science undergraduates most likely to drop out, https://www.computerweekly.com/news/252467745/Computer-science-undergraduates-most-likely-to-drop-out.

[61] The European watch on cyber security and privacy (2022), Engaged clusters, https://www.cyberwatching.eu/engaged-clusters.

[20] Think Impact (2021), Skillshare review, https://www.thinkimpact.com/skillshare-review/.

[30] UK Cyber Security Council (2023), Outreach and diversity in the cyber security profession, https://www.ukcybersecuritycouncil.org.uk/outreach-and-diversity/.

[66] UNESCO (2020), Towards universal access to higher education: International trends, https://globaleducationforum.org/wp-content/uploads/2021/10/DOC-11-Towards-universal-access-to-higher-education-international-trends.pdf.

[40] Valero, D., A. Keller and A. Hirschi (2019), “The Perceived Influence of Role Models and Early Career Development in Native and Migrant Youth”, Journal of Career Development, Vol. 46/3, pp. 265-279, https://doi.org/10.1177/0894845318763905.

[60] Warwick University (2018), Jaguar Land Rover launches Lifelong Learning Academy with WMG as partner, https://warwick.ac.uk/newsandevents/pressreleases/jaguar_land_rover_launches_lifelong_learning_academy_with_wmg_as_partner1/.


← 1. Level 3 qualifications are a group of courses which are all equivalent to A-Levels (short for Advanced Level) and come after the General Certificate of Secondary Education (GCSE).

← 2. T-Levels are an alternative to A-Levels, apprenticeships and other 16 to 19 courses. Equivalent in size to 3 A-levels, a T-Level focuses on vocational skills and can help students into skilled employment, higher study or apprenticeships.

← 3. HTQs are an alternative to apprenticeships or degrees. HTQs are existing and new Level 4 and 5 qualifications – that correspond to ISCED 5, i.e. short-cycle tertiary education.

← 4. English Level 2 and 3 programmes are both mapped to ISCED Level 3, the main difference being that Level 2 qualifications are considered in the ISCED classification as “Sufficient for partial level completion, without direct access to post-secondary non-tertiary education or tertiary education” and the Level 3 qualifications as “Sufficient for level completion, with direct access to tertiary education”.

← 5. ICT education programmes also include ICT for users, which involve all training for developing general competencies on ICT usage and adoption. This may include cyber security training for raising awareness and providing prevention measures.

← 6. Qualifications at Level 1 also exist in digital skills, but these do not include cyber security content as they are primarily concerned with equipping individuals with essential digital skills.

← 7. Universities and Colleges Admission Service (UCAS) – Information retrieved on 11 of November 2022, https://www.ucas.com/https://www.ucas.com/.

← 8. The cyber security course figures are comparable to other computer sciences courses. In both cases, overall employment rates are also similar to the previous year, which suggests that cyber security and computer science graduate employment remained broadly consistent despite the COVID-19 pandemic.

← 9. Sector Delivery Leads assess sectors’ needs and drive policy intervention to support workforce supply, retention and progression in their sector. Their approach involves: Collecting and monitoring data on sector needs and supply pipeline; engaging with employers to understand barriers to recruitment, retention and progression; co-ordinating and driving activity across government, ensuring government effort focusses where it will be most effective; economic analysis; and sector engagement.

← 10. Occupation standard is a description of an occupation that contains an occupational profile and describes the ‘knowledge, skills, and behaviours’ (KSBs) needed for someone to be competent in the occupation’s duties.

Metadata, Legal and Rights

This document, as well as any data and map included herein, are without prejudice to the status of or sovereignty over any territory, to the delimitation of international frontiers and boundaries and to the name of any territory, city or area. Extracts from publications may be subject to additional disclaimers, which are set out in the complete version of the publication, available at the link provided.

© OECD 2023

The use of this work, whether digital or print, is governed by the Terms and Conditions to be found at https://www.oecd.org/termsandconditions.