Professionalising Cyber: Reflections from Conway Hall

A first-hand reflection on the UK Cyber Security Council’s recent “The Journey to Professionalisation” event at Conway Hall, exploring the ongoing professionalisation of the cyber security sector. Highlights include the expansion of recognised specialisms, the development of the UK Cyber Skills Framework, and discussions on AI, early-career challenges, and the need for a more inclusive, realistic skills framework to support a growing cyber economy.

Introduction

Last Wednesday, I attended the UK Cyber Security Council (UK CSC) “The Journey to Professionalisation” event at Conway Hall, a venue rich in intellectual history and a fitting backdrop for an equally important dialogue: the maturation of cyber security as a recognised profession in the UK.

The event brought together leading voices from government, industry, and academia, all focused on a central question: what does it mean to professionalise cyber? And more practically, how do we build a national framework of roles, skills, and pathways to support the workforce we need?

It’s a conversation that’s long overdue. For those of us who have worked across central government, enterprise risk, and cyber innovation, the lack of structured, recognised pathways in our field has often felt like both a liability and a missed opportunity.

The event was expertly compèred by Aurorah Smith from the UK CSC, who guided the day with clarity and warmth, ensuring a seamless flow between speakers, panels, and audience engagement.

Claudia Natanson MBE (Chair of UK CSC): An Inspirational Start

The day opened with a warm, personal, and quietly powerful welcome from Dr Claudia Natanson MBE, Chair of the UK Cyber Security Council (UK CSC). Claudia set the tone not with dry formalities, but with a clear-eyed, human approach to the challenge ahead.

She spoke about the UK CSC’s growing momentum, and most significantly, the expansion of recognised cyber security specialisms. What began with four in 2024 covering:

  • Cyber Security System Architecture & Design
  • Cyber Security Governance & Risk Management
  • Cyber Security Audit & Assurance
  • Cyber Secure Testing

… will double by 2025 to include four more:

  • Cyber Security Management
  • Cyber Security Incident Response
  • Cyber Security Operations
  • Cyber Security System Development

This evolution is significant. It reflects a broader understanding of the diversity of roles in cyber, and a recognition that professionalisation must account for the full complexity of the field. Claudia framed this not as bureaucracy, but as empowerment, a way to give credibility and direction to practitioners at every stage of their career.

Her remarks reflected both vision and compassion, reminding us that professionalisation is not just about frameworks and qualifications. It’s about building a profession that reflects the values and diversity of those working in it. She spoke with authenticity, grounding the day in both purpose and optimism.

At the lunchtime break, Claudia came over to Sevgi and me, offered us both a group hug, and warmly reminisced about the early days of the UK CSC. I mentioned that Cyber Tzar had been an early startup member of the Council, and she was not only aware but genuinely encouraging. It was a brief moment, but it captured the spirit of inclusion and approachability she brought to the entire day.

I attended the event with Sevgi Aksoy, my fellow founder at Psyber, Inc. Sevgi is a psychologist and expert in cyber psychology, and has been instrumental in supporting both the West Midlands Cyber Working Group (WM CWG) and Cyber Tzar. You can read her popular newsletter over at her new website and blog “SevgiAksoy.com”.

Andrew Elliot (DSIT Cyber Lead): Insight on Frameworks and Foundations

One of the most thought-provoking moments came during the talk given by Andrew Elliot. Andrew, from the Department for Science, Innovation and Technology (DSIT), was speaking about the UK Cyber Security Council’s development of the Cyber Skills Framework, a structured approach to defining cyber roles and the skills needed to fulfil them.

In addition to the framework itself, Andrew also reflected on the wider ecosystem of cyber programmes being delivered under his watch at DSIT. These included CyberFirst (nurturing talent from school age), Cyber Local (supporting regional innovation), CyberASAP (accelerating academic start-ups), and Cyber Runway (a national growth programme for cyber businesses).

These initiatives, he noted, are not isolated efforts, but part of a coherent strategy to build both the talent and the capability required to support the UK’s cyber economy. As someone who has mentored on CyberASAP, been part of the Cyber Runway Scale programme, and for the last two years chaired the West Midlands Cyber Local funding review board on behalf of DSIT, I appreciated how he framed the importance of continuity, collaboration, and capacity-building across these programmes.

I took the opportunity to pose a direct question:

“Is the UK Cyber Skills Framework mature enough to help set the National Occupational Standards? And if not, when might it reach that level?”

I referenced SFIA+ (used across the IT sector) as a benchmark, used by awarding bodies and universities to shape curricula and create job-ready graduates. My point was simple: if we’re serious about professionalisation, we need a framework that’s detailed and mature enough to feed into NOS, which in turn inform qualifications, job descriptions, and workforce planning.

Andrew’s response was measured, but insightful.

He acknowledged that while the framework had been developed top-down, laying a strong conceptual foundation, it’s the “bottom” sector that still needs work. Specifically, more detail is needed to bridge the gap between education and employment. In other words, it’s not quite ready to guide universities at scale just yet, but that is the direction of travel.

He also made an important point. There’s often a temptation to map cyber to existing frameworks like SFIA for speed and convenience. But this can be a mistake. Cyber roles are not generic IT roles. They have distinct characteristics, and we do ourselves a disservice by squeezing them into ill-fitting boxes.

Instead, Andrew suggested that cyber deserves its own unique framing, developed in partnership with international allies, informed by employer demand, and grounded in the realities of today’s threat landscape.

He closed with a promising data point: the UK cyber sector has grown by 19% this year, up from 12% last year. That’s no small feat, and further evidence of the urgent need to professionalise how we support, train, and grow our workforce.

Andrew also brought a personal touch to his session, reflecting on his upbringing and the values that shaped his commitment to public service and cyber security. He delivered his talk with erudition and charm, and when I asked my question, he smiled, recognised me from earlier conversations, and cheekily said, “Thanks for the easy question, Wayne.” It was a small moment, but emblematic of the tone of the day: thoughtful, rigorous, and human.

Panel 1: Why Employers Should Invest in New Talent

Facilitated by Lisa Konomoore (UK Cyber Security Council), the first panel focused on employer engagement and the hiring pipeline.

Úna Whelan (Vodafone), Colin Gillingham (NCC Group), Lorna Armitage (CAPSLOCK), and Simon Whittaker (Instil) formed a strong, cross-sector panel.

The discussion ranged from recruitment challenges to the importance of creating on-ramps for emerging talent. Everyone agreed that employer appetite is there, but the system isn’t always working. We lack consistency in job titles, clarity in career paths, and structure in early-career support.

The phrase “cyber community” came up more than once, but it was interpreted variously, from mentoring groups to Slack channels. There’s clearly a desire to belong, but the community infrastructure still needs building.

During the first of the networking breaks, I also bumped into a few familiar faces from across the UK cyber scene. I briefly saw Dai Davies, specialist law expert and solicitor, who serves as one of the trustees for the UK Cyber Security Council. Another was Phil Bindley from Intercity Technology, a major cyber firm in the West Midlands, who’s recently taken on the role of Cyber Ambassador for the company. It was good to catch up and hear how he’s championing regional engagement nationally, especially recently meeting with the National Cyber Security Centre (NCSC) about doing more in the West Midlands. Well done, Phil!

Ben Hanson (Microsoft): Human-Centric AI in Cyber Security

Ben Hanson, from Microsoft, delivered one of the day’s most forward-looking talks. His focus was on the intersection of AI and human expertise in cyber security, a topic gaining traction for all the right reasons.

Ben unpacked how generative AI can both amplify and erode decision-making, particularly when overreliance leads to a kind of recursive distortion he described as “Chain of Thought analyses Chain of Thought”. In this, models trained to reason become over-dependent on intermediate reasoning patterns, degrading their effectiveness over time.

What stood out in Ben’s talk was his emphasis on AI literacy, contextual reasoning, and the imperative of keeping human oversight central to security processes. His work aligns with his published research on GenAI, which explores how higher confidence in AI can paradoxically reduce critical thinking, while greater self-confidence can improve it. The insight? AI shifts critical thinking away from creative generation towards information verification, task stewardship, and sense-making.

It was a timely reminder that while AI will play a growing role in cyber defence, it should enhance, not replace, human judgement.

A quick aside, proving just how convincingly online engagement can mimic real-world presence: I was briefly convinced that Lisa Ventura MBE was in the room, only to later realise she was attending via Zoom. Her LinkedIn post was so immediate and engaged, I’d mistaken it for a live moment. A reminder, perhaps, that the “cyber community” we kept referencing really does span both physical and digital spaces in equal measure.

Panel 2: Early Career Challenges in Cyber

The second panel, chaired by Sonja Lewis (UK Cyber Security Council’s Head of Professionalisation), examined early-career professionals’ difficulties.

Rupa Suresh (Microsoft), Lauren Powell (Bridewell), Rose Templeton (Instil), and Daniel Mountain (Rolls Royce) shared their personal journeys, highlighting the importance of mentorship, visibility, and inclusive hiring.

There were powerful moments of honesty, particularly around impostor syndrome and navigating male-dominated environments, but I couldn’t help noticing what was missing. The structural issue of job descriptions demanding two to three years of experience for so-called “entry-level” roles wasn’t really tackled.

Until we address this contradiction head-on, our pipeline will continue to leak talent at the very first hurdle. This is a very real and serious issue across the West Midlands cyber ecosystem, regularly dominating almost every open forum discussion, and I cannot imagine that it is not a significant issue across the whole UK, if not globally.

I also bumped into Kay Ng, Director of Data Governance at CyberAnalytics.ai. With previous roles at Schneider Electric and Capgemini Invent, she brings deep expertise in data risk, governance tooling, and compliance. Our conversation reinforced a truth I’ve long believed: roles like mine, Kay’s, and Sevgi’s don’t sit neatly in existing categories, yet they’re fast becoming central to modern cyber strategy.

Final Thoughts and Closing Reflections

The event highlighted an important truth: cyber security is growing rapidly, but without a clear and accepted framework for professional roles and progression, the industry risks confusion, duplication, and inefficiency. Efforts like the UK Cyber Skills Framework are not just welcome, they’re essential.

A mature framework isn’t merely a policy tool. It’s a foundation for national growth. It enables awarding bodies to build qualifications, helps universities design career-aligned courses, provides employers with clarity on expectations, and shows individuals, from school leavers to career changers, how to enter and progress in our field.

Cyber, as a domain, is still young. It doesn’t yet carry the institutional weight or legacy of law, engineering, or medicine. But that makes it all the more important that we build its future with rigour and foresight.

The eight specialisms already identified by the UK CSC mark significant progress, but they cannot be the endpoint. We must push further and recognise emerging domains such as:

  • Cyber Psychology
    • understanding how human behaviour, cognitive biases, and decision-making influence cyber risk, defence, and resilience.
  • Post-Quantum Cryptography
    • preparing for a post-quantum world by developing cryptographic systems that resist future quantum computing threats.
  • Supply Chain Risk Management
    • identifying, measuring, and mitigating cyber risks embedded within complex and interdependent supply chains.
  • Ethical Hacking
    • proactively testing systems and controls to identify vulnerabilities before adversaries exploit them.
  • Security Data Science
    • using data-driven approaches and statistical models to detect threats, analyse anomalies, and drive predictive cyber security.
  • AI Security
    • both pull and push: AI governance, ethics, and research into weaponisation and how to mitigate against it.

This framework must not be imposed from above; like a folksonomy, it must evolve in conversation with the market, the profession, and the people who live this work every day.

As someone deeply involved in Cyber in the UK, from launching the UK’s first Universal cyber risk score at CyberRiskCompare.com, to founding two cyber start-ups, Cyber Tzar and Psyber, Inc., to acting as Chair for the West Midlands Cyber Working Group (WM CWG), I left the event both encouraged and reflective. Encouraged that the right conversations are finally taking place. Reflective that we still have a way to go before we can say cyber has truly matured into a recognised, structured profession.

But we’re getting there. And I intend to help us get the rest of the way.

I was extremely sad to miss WM VentureFest this year, an event I’ve attended three years running, but felt it was important to reconnect with friends and colleagues at the UK Cyber Security Council as they expand their focus on the Cyber Skills Framework under Claudia’s leadership, following Simon Hepburn’s tenure.