By Emily Rosenorn-Lanng, CEO, Cyber Innovations Ltd.
The publication of the Cyber Security Skills in the UK Labour Market 2025 report by the Department for Science, Innovation and Technology (DSIT, 2025) provides an important opportunity to reflect on where we are, nationally, in developing the skills and resilience needed to thrive in an increasingly digital society. For Cyber Innovations Ltd. (CI), and for our flagship programme Cyber First Aid (CFA), the findings are particularly resonant. They speak directly to the challenges we set out to address: the widespread gaps in basic cyber capability, the over-reliance on outsourcing, the need for psychological resilience alongside technical knowledge, and the importance of inclusive pathways into the cyber workforce.
The persistent gap in basic cyber skills
One of the most striking findings of the report is the sheer scale of basic skills gaps across the UK. Nearly half of all businesses (49%) report deficits in foundational cyber knowledge, with the figure rising to 59% for charities (DSIT, 2025). Importantly, these are not high-end technical deficiencies but the everyday practices that underpin organisational resilience: configuring passwords and access permissions, recognising phishing attempts, applying software updates, and ensuring data is stored and transmitted securely.
This distinction matters. Much of the discourse around cyber skills is framed in terms of specialist expertise: penetration testing, forensic analysis, secure coding, and so forth. These are, of course, essential functions, but they represent only a narrow slice of the problem space. What the data reveal is that a vast proportion of the risk landscape stems from very human vulnerabilities. A single click on a malicious link, or a moment of panic in response to a convincingly urgent email, can unravel even the most robust technical defences.
It is precisely here that CFA positions itself. Our mission has never been to produce a new cadre of cyber experts — universities, bootcamps, and certifications already exist for that purpose. Instead, CFA is designed to equip non-technical staff with the skills and psychological resilience needed to act effectively as first responders. It fills the space between general awareness campaigns and high-level technical training, offering practical, evidence-based interventions that strengthen the human firewall at scale.
Outsourcing and the illusion of resilience
Another important thread in the DSIT report is the extent of outsourcing. Thirty-one per cent of businesses, 58% of public sector organisations, and 24% of charities outsource at least some of their cyber security functions (DSIT, 2025). While outsourcing can provide access to specialist expertise, the report highlights a concerning lack of confidence among many organisations in assessing value for money or even the effectiveness of the services procured.
This reflects a wider structural issue: the mistaken belief that cyber resilience can be wholly delegated to external providers. In practice, even with the best outsourcing contracts in place, an organisation’s staff remain the frontline. It is employees and volunteers who encounter phishing emails, who process financial transactions, who handle sensitive client data. If they lack the skills or confidence to recognise a threat and respond appropriately, no external consultant can step in quickly enough to prevent harm.
CFA responds to this by creating internal capacity. By combining practical exercises, scenario-based learning, and the integration of psychological resilience models, CFA builds confidence and competence in-house. Rather than competing with outsourced providers, we complement them, ensuring that organisations have the internal reflexes to detect, escalate, and contain threats. In doing so, CFA addresses the “confusing and fragmented” outsourcing market by offering a stabilising, democratising alternative (DSIT, 2025).
Psychological resilience as an overlooked skill gap
The DSIT report focuses primarily on technical and operational skills, but it implicitly highlights an area where CFA is distinctive: the role of psychological resilience. Research increasingly demonstrates that effective cyber incident response requires not just knowledge but also the ability to remain calm, think critically, and resist emotional manipulation in high-pressure situations (Katos et al., 2025).
Traditional awareness training often overlooks these dimensions. The Cyber Kill Chain (CKC), developed by Hutchins, Cloppert, and Amin (2011), provides a useful framework for understanding the technical progression of an attack, from reconnaissance through weaponisation, delivery, exploitation, installation, command-and-control, and finally, actions on objectives. However, the CKC was not designed to capture the complexities of human interaction in the attack lifecycle.
This is where the Human Layer Kill Chain (HLKC), developed by Katos et al. (2025), adds critical value. The HLKC explicitly focuses on how adversaries exploit human vulnerabilities: profiling, trust establishment, emotional triggering, sustained engagement, manipulation, and psychological clean-up. By incorporating these stages into training, CFA prepares staff to anticipate and resist manipulation in ways that technical controls alone cannot. In practice, this means recognising not just what an attacker might do, but how it will feel in the moment — and having the tools to respond resiliently.
Aligning with demand and evolving technical priorities
The report also identifies the most in-demand skills across the sector: vulnerability management, risk assessment, incident response, auditing, and increasingly, AI-related competencies (DSIT, 2025). While CFA is not designed to train deep technical specialists, our curriculum deliberately interfaces with these domains. For example:
- CFA Essentials modules cover incident response basics, helping staff understand how to recognise and escalate events.
- Our resilience-based exercises include vulnerability awareness, encouraging staff to think about their own digital behaviours as potential entry points.
- The CFA Toolkit provides risk and incident playbooks aligned with organisational workflows, creating practical continuity with the technical functions delivered by IT teams.
In short, CFA does not attempt to replace advanced training, but it provides the human scaffolding upon which those advanced skills can operate effectively.
Inclusivity, diversity, and alternative pipelines
Another concern raised by DSIT is the persistent lack of diversity within the cyber workforce. Women account for only 17% of professionals in the field, compared with 30% across the wider digital sector (DSIT, 2025). Representation is also low across ethnic minority groups and for those with disabilities, particularly in senior roles.
This matters because diversity is not simply a moral imperative; it is a resilience imperative. Homogeneous teams are more vulnerable to shared blind spots, while diverse teams bring richer perspectives and improved decision-making.
CFA contributes to addressing this gap by creating accessible, non-degree pathways into cyber resilience. By training non-technical staff, volunteers, and community groups, CFA helps organisations harness talent that would otherwise remain untapped. Our Train-the-Trainer pathway extends this further, allowing individuals from underrepresented groups to become certified instructors, creating new professional routes into the sector without requiring a traditional degree or technical background.
Mapping CFA against national needs
If we map CFA against the national skills landscape described in the DSIT report, the synergies are clear:
- Basic skills gap (49% of businesses, 59% of charities): CFA Basic and Essentials directly address this.
- Outsourcing reliance and confusion: CFA Business builds in-house capacity, enabling better oversight of external providers.
- Demand for incident response and risk management: CFA Toolkit provides tailored playbooks and resources aligned with these needs.
- Diversity and inclusivity challenges: CFA’s accessible format and Train-the-Trainer programme broaden the entry pipeline.
- Psychological resilience gap: CFA uniquely integrates resilience, an element absent from most cyber training initiatives.
A hopeful conclusion
While the DSIT report highlights persistent gaps, it also shows progress. The net workforce shortfall has stabilised at 3,800, with around 6,000 graduates and 2,500 certification entrants joining the market each year (DSIT, 2025). The challenge now is not just to produce more specialists but to ensure that everyone in an organisation has the capacity to act as part of the defence.
That is the mission of Cyber First Aid. We do not claim to solve every cyber skills problem. But by focusing on the foundational, human, and psychological dimensions of resilience, we believe we can make a tangible contribution to closing the gaps that matter most.
Reading the 2025 report, my reflection is simple: the UK cyber workforce is not just made up of technical experts. It includes the receptionist who recognises a suspicious invoice, the charity volunteer who reports a phishing text, the teacher who knows how to handle a ransomware scare calmly. By equipping these individuals with both skills and resilience, we can transform vulnerability into strength.
References
- Department for Science, Innovation and Technology (DSIT). (2025). Cyber Security Skills in the UK Labour Market 2025. Retrieved from: https://www.gov.uk/government/publications/cyber-security-skills-in-the-uk-labour-market-2025/cyber-security-skills-in-the-uk-labour-market-2025
- Hutchins, E. M., Cloppert, M. J., & Amin, R. M. (2011). Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Lockheed Martin.
- Katos, V., Rosenorn-Lanng, E., Henriksen-Bulmer, J., & Yankouskaya, A. (2025). So, I climbed to the top of the pyramid of pain – now what? [Preprint]. arXiv. https://arxiv.org/abs/2505.24685