Tight budgets and an absence of defined career pathways are contributing to significant gaps in cyber security skills in the public sector, according to newly released government research.
It is one of the key findings of Cyber security skills in the UK labour market 2023, published by the Department for Science, Innovation and Technology (DSIT) and researched by Ipsos.
The research involved telephone surveys with organisations from four areas including the public sector, quantitative interviews, an analysis of job vacancies and supply side analysis.
Among the findings was that, although fewer public sector bodies have identified a technical skills gap than most businesses and charities, the proportion is significant at 19%, with this affecting a number of functions in cyber security.
Significant numbers of public sector organisations said they were not confident of performing several advanced tasks: forensic analysis of breaches (29%), penetration testing (18%), interpreting malicious code (25%), vulnerability scans (10%), security architecture engineering (12%), threat intelligence (13%) and user monitoring (9%).
This could be partly attributed to a lack of resources for cyber security teams, with public sector participants pointing to the ongoing financial squeeze.
An unnamed respondent is quoted as saying: "At the moment we're not getting funding streams through to do what we're doing… Budgetary constraints are incredibly ferocious at the moment. Cyber security is a 24/7 problem, and we're not paid to do that. So, everything's been done on kind of grace and favour and best endeavours outside of hours."
The absence of clear career pathways in cyber security in both public and private sectors was brought out in the qualitative research. The report says this could be related to tight funding and a lack of available roles.
It could be partially rectified through efforts in some public bodies to develop apprenticeship programmes in cyber, enabling specialists to develop skills along with an understanding of the nuances and risks of the sector.
The report also indicates that public sector organisations generally have two to three people responsible for cyber – better than many businesses that only have one – and that there are still concerns around how to deal with incidents even if the response is outsourced.