This article critically examines the Cyber Security Skills in the UK Labour Market 2025 report, highlighting strengths, weaknesses, and regional implications. It synthesises the findings into a practitioner-academic analysis, with recommendations for aligning graduate supply, employer demand, and future skills in areas such as AI and cyber resilience.
Introduction
In this piece, we take a deep dive into the UK government’s Cyber Security Skills in the UK Labour Market 2025 report. The analysis goes beyond headline numbers to interrogate the structural issues shaping the workforce: entry-level exclusion, diversity challenges, outsourcing, and AI readiness. We also place a regional lens on the West Midlands, drawing attention to the graduate-to-employment gap and showcasing initiatives such as KPMG’s apprenticeship programmes, CyberFirst, and the West Midlands Cyber Hub. The aim is to provide both a critical academic account and a constructive roadmap for policymakers, employers, and educators.
Executive Summary (TL;DR)
The UK’s cyber workforce grew to ~143,000 in 2025, with the national skills gap narrowing to 3,800. Yet beneath the headline numbers lie deep challenges: graduate supply is rising while entry-level demand falls, diversity progress is slow, and AI skills shortages are looming. Employers still prefer mid-career hires, leaving many graduates locked out. Outsourcing fills some gaps but raises questions of value and dependency.
Regionally, the West Midlands illustrates the paradox: universities produce cyber talent at scale, but employers demand experience that students lack. Initiatives such as KPMG’s apprenticeship schemes, CyberFirst, and the West Midlands Cyber Hub (showcased during Birmingham Tech Week’s Cyber Day) demonstrate how structured pathways and collaborative ecosystems can bridge this divide.
The UK must now move from incremental progress to systemic reform:
- integrate structured entry routes,
- embed diversity accountability,
- align training with AI and emerging tech, and
- leverage regional clusters for inclusive growth.
Without such interventions, the workforce risks being numerically adequate but qualitatively inadequate, undermining both national security and economic ambition.
Synopsis
The 2025 Cyber Security Skills in the UK Labour Market report, authored by Ipsos and Perspective Economics for DSIT, represents the seventh annual iteration of this national study. It maps the UK’s cyber workforce, evaluates demand and supply dynamics, and identifies persistent skills gaps, shortages, and diversity challenges. While progress is evident (graduate inflows have risen, workforce gaps have stabilised, and frameworks such as the UK Cyber Security Council’s Career Framework have gained traction), fundamental structural issues remain unresolved. These include an over-reliance on mid-career recruitment, declining entry-level opportunities, stubborn diversity deficits, and emerging deficits in Artificial Intelligence (AI) security skills.
The report positions the UK cyber labour market as relatively resilient but fragile, where quantitative gains in workforce size risk being undermined by qualitative deficiencies in inclusivity, alignment of skills to demand, and capacity to adapt to emerging technologies.
Key Points (Bullet Summary)
- Workforce size: ~143,000 cyber security professionals in the UK in 2025; growth accelerating modestly (5% in 2024 vs. 2% in 2022).
- Workforce gap: Stabilised at ~3,800 professionals, down from 11,100 in 2023.
- Supply inflows:
  - ~6,000 graduates annually (+20% growth since 2022/23).
  - 2,500 entrants via certification/upskilling.
  - 600 apprenticeships.
- Demand trends:
  - 2,698 job postings/month in 2024; median salary £55k.
  - Core cyber postings declined 33% year-on-year; entry-level demand dropped to 17%.
- Diversity: Cyber workforce less diverse than digital/UK averages. Women 17% (vs. 30% digital, 48% overall); disabled 8% (vs. 17% UK); ethnic minorities 19% overall but only 8% in senior roles.
- Skills gaps:
  - 49% of businesses face basic cyber skills gaps.
  - 30% report advanced skills gaps (forensics, penetration testing).
  - 28% of cyber businesses cite internal technical skills deficits.
- AI in cyber: 53% of cyber businesses already use AI in daily work; 65% expect demand for AI skills to rise within 12 months.
- Outsourcing: 31% of businesses and 58% of public sector organisations outsource cyber security; confidence in value for money is uneven.
- Regionalisation: London’s dominance is weakening; North West overtook London/South East in VC cyber investment (£102m, 49% of total).
Full Critique
The 2025 report provides a valuable longitudinal perspective on the UK’s cyber skills ecosystem, yet several weaknesses limit its explanatory and policy-shaping power.
1. Workforce Growth and Gap Interpretation
The report celebrates the stabilisation of the workforce gap at 3,800 professionals. However, this figure must be interpreted cautiously. A declining demand signal (33% fewer postings) coincides with the reduction in the shortfall. The apparent closure of the gap may reflect cyclical contraction in hiring, not structural resolution of skills deficits. By framing stabilisation as progress, the report risks obscuring fragility in demand rather than strength in supply.
2. Entry-Level Pipeline Paradox
The steep fall in entry-level recruitment (25% in 2022 → 17% in 2024) contrasts with rising graduate output. This paradox indicates systemic failure to integrate new talent. Employers’ preference for mid-level recruits reflects risk aversion and cost pressures, but the effect is the accumulation of under-utilised graduates and the stalling of social mobility into cyber roles. The report documents but does not adequately interrogate this paradox.
3. Diversity and Inclusion: Slow Incrementalism
Despite progress in postgraduate female participation (21% in 2020/21 → 27% in 2022/23), the workforce remains structurally male-dominated and exclusionary for disabled professionals. The report underlines this gap but offers limited causal analysis—particularly around socio-economic barriers, geographic disparities, and the cultural framing of cyber roles. The proposed TechFirst programme is ambitious, but without binding accountability mechanisms, there is a risk of rhetorical rather than material progress.
4. Skills Gap Measurement Limitations
As in prior years, skills gaps are inferred via confidence-based survey responses rather than objective task assessments. While this maintains consistency, it leaves open whether “gaps” reflect competence deficits or simply organisational self-perceptions. This is particularly problematic when framing national workforce resilience, where perception biases may distort actionable priorities.
5. AI and Future Skills Readiness
The report successfully foregrounds AI in cyber security, with half of organisations already embedding AI tools. However, the analysis remains descriptive rather than prescriptive. There is no robust mapping of AI-related competencies to existing frameworks (e.g., UK Cyber Security Council’s Career Framework), leaving policymakers without clear guidance on training design. The UK risks repeating the lag observed in cloud security adoption (2015–2019), where skills frameworks trailed behind industry practice.
6. Outsourcing Ambiguities
While 58% of public sector organisations outsource cyber security, nearly a quarter lack confidence in their providers’ value. Yet the report does not distinguish between strategic outsourcing (e.g., managed SOCs) and tactical stopgaps (e.g., ad hoc MSSPs). Without this granularity, the outsourcing findings risk conflating dependency with inefficiency.
7. Regional Dimension
The report gestures at regional rebalancing—London’s salary premium narrowing, VC capital shifting to the North West—but does not connect this to local skills ecosystems, such as Manchester’s AI/cyber cluster or Cheltenham’s GCHQ-driven gravity. This omission weakens the report’s utility for levelling-up strategies, where regional talent pipelines are critical.
Recommendations for Improvement
- Reframe Workforce Gap Metrics: Disaggregate demand-side contraction from genuine supply improvements to avoid misleadingly positive narratives.
- Strengthen Entry-Level Integration: Incentivise employers through tax credits, procurement criteria, or wage subsidies to expand graduate and apprenticeship intake.
- Mandate Diversity Accountability: Require larger employers and public sector contractors to publish diversity data and progression statistics linked to cyber roles.
- Advance AI Competency Frameworks: Embed AI security explicitly into the UK Cyber Security Council’s standards, aligned with NCSC/DSIT AI security codes of practice.
- Differentiate Outsourcing Models: Distinguish strategic from tactical outsourcing to generate more policy-relevant insights.
- Regional Skills Ecosystem Mapping: Produce cluster-level analysis to align training, VC funding, and local industrial strategies.
- Move Beyond Confidence-Based Gap Analysis: Incorporate objective assessment instruments (e.g., simulated incident exercises, skills benchmarking platforms) to measure gaps empirically.
Merged Results: Synthesis of Key Findings and Recommendations
When merged, the results indicate a sector at a crossroads:
- Quantitative growth (more graduates, stabilised workforce gap) risks being undermined by qualitative deficiencies (entry-level exclusion, shallow diversity, weak AI readiness).
- Regional rebalancing presents opportunities for levelling up, but only if coupled with investment in local training ecosystems.
- Outsourcing and AI adoption both reflect adaptive strategies to capability shortfalls but may create long-term dependencies unless addressed through systematic upskilling.
The overarching synthesis: The UK is producing more cyber talent than ever before, but is failing to channel this talent effectively into the workforce, particularly at entry-level, while under-preparing for the next wave of AI-driven threats.
Regional Dynamics: Bridging the Student-to-Employment Gap
In the West Midlands, one of the sharpest issues is the gulf between the volume of cyber graduates being produced and the limited number of roles available to them. Employers often insist on two years’ experience, while students leave university unable to access the very jobs they trained for, a paradox that leaves both sides frustrated.
Yet examples of best practice show how this gap can be bridged. KPMG’s apprenticeship and graduate programmes demonstrate how structured on-ramps can blend academic knowledge with workplace skills. Likewise, initiatives such as CyberFirst are beginning to prepare students earlier, equipping them with practical exposure before they hit the job market. Regionally, the emerging West Midlands Cyber Hub and showcase platforms like Birmingham Tech Week’s Cyber Day offer exactly the kind of collaborative ecosystem where students, employers, and training providers can connect more directly.
The challenge now is to scale these models across the region, ensuring that universities, businesses, and hubs work together so that talent does not go to waste, but is harnessed to drive the Midlands’ growing cyber economy.
Conclusion
The 2025 labour market report provides a valuable empirical base, but its framing risks complacency. The stabilised workforce gap, falling entry-level demand, and persistent diversity deficits should be read as warning signs, not achievements. A skills system that produces but does not absorb talent risks social inequity, wasted public investment, and heightened vulnerability to emergent cyber threats.
The path forward lies in aligning graduate supply with structured entry routes, embedding diversity accountability, integrating AI security into national frameworks, and leveraging regional clusters for inclusive growth. Without such interventions, the UK risks possessing a quantitatively adequate but qualitatively inadequate cyber workforce, an outcome that undermines both national security and economic ambition.