Why the cyber skills gap is a myth

But the resilience gap is very real indeed

There is no shortage of people wanting to work in cybersecurity

Cybersecurity’s real challenge is not a skills shortage, but a resilience gap caused by failure to treat cyber capability and people as strategic assets essential to organisational and economic survival.

Last year, cybersecurity crossed a threshold. Ransomware attacks caused havoc, fed economic uncertainty, and dominated headlines. Once seen as a specialist IT function, cybersecurity is now tied directly to business continuity, organisational survival, and national economic security.

For years, the industry has repeated the same refrain: there is a cyber skills gap. But what if the real issue is not a lack of people willing to work in cyber, but how organisations define roles, plan their workforce, and value resilience?

Anna Brailsford, CEO of Code First Girls, notes that cyber has moved “from a sub-segment of technology to one of the biggest questions facing boards.” Recent incidents have forced leaders to confront cyberattacks as threats to revenue, reputation and operations. Resilience - the ability to keep functioning during and after an incident - is now as important as prevention.

Image: Anna Brailsford, Code First Girls

That resilience means planning for how an organisation functions under stress. Brian Brackenborough, CISO at Channel 4, says that much of this comes back to people.

“It’s not just about the technical side,” he says. “How would we keep working? How would we inform our staff? I think it was fascinating when the Managing Director of Co-op went on TV to talk about their incident, and she mentioned seeing the strain on the faces of the people that had been dealing with it.”

Brackenborough describes a change he finds both welcome and unfamiliar: CEOs asking deeper questions and actively supporting change. “I’m getting a level of support I’m not used to,” he (half) jokes.

The skills gap that isn’t

That there is a cyber skills gap isn’t contested. But what is causing it?

Both Brailsford and Brackenborough argue that the issue is not a lack of talent, but a failure of role design and workforce strategy. Both agree that many advertised cyber roles seem to be ‘jack of all trades.’

Image: Brian Brackenborough, Channel 4

Brailsford explains: “They ask for a certain level of experience in different things like security architect and incident responder for example. That’s not creating a pipeline into the organisation, and it doesn’t allow you to succession plan.

“Rather than being strategic and planning and investing for the future, we see organisations cherry pick the same people from the market who just move from company to company, and that's not sustainable.”

Brailsford says that Code First Girls' cybersecurity programmes are heavily oversubscribed. Contrary to the often-heard narrative that women are just less interested in technology-focused jobs than men, demand from young women and older career switchers is not lacking. The bottleneck is on the employer side, where companies are stuck in the cherry-picking mindset described above.

Not only is this unsustainable, it also actively undermines resilience. Teams composed of people with similar backgrounds and ways of thinking are more likely to share blind spots. Cybersecurity, which relies on anticipating human behaviour and unconventional threats, benefits from diversity of thought, which is something career switchers bring in abundance.

Brailsford points out that the five-year-old partnership between GCHQ and Code First Girls is evidence that relying solely on higher education as your cybersecurity skills pipeline doesn’t work.

“The reason GCHQ created these curriculums with us is because they couldn't get them from higher education,” she says. “The type of skills that are being taught at higher educational level are not meeting the needs of the industry. We have to look for different ways to develop talent pools with different types of backgrounds and we have to look for agile suppliers to supply those curriculums.”

The Cyber Security and Resilience Bill: opportunity and risk

This context makes the forthcoming Cyber Security and Resilience Bill both timely and challenging. The Bill signals a recognition by government that cyber resilience matters at a systemic level, but Brackenborough points out that clarification is needed as the Bill moves through committee stages.

“I'm all for it,” he says, “but there are some industries and companies where there is ambiguity. For example, are Channel Four and the BBC technology service providers, Internet service providers as well as broadcasters?”

The Bill also does little to address the workforce realities which feed into wider resilience challenges. Brailsford is emphatic that the two require sustained policy focus and must be viewed holistically.

“We have a ton of research showing that women come at technology slightly later in life, whether it's in the penultimate year of university studying something outside of technology, or whether it's three to five years into another profession.

“We need to have parts of the budget that look specifically at those groups, including people currently out of work, because it's those groups that can make an immediate difference. I don't know what ROI we're going to see from investing purely in schools and in higher education.”

Compounding the problem is another trend troubling Brailsford: the erosion of entry-level cyber roles in the UK, and an increase in the offshoring of cybersecurity. She describes a situation where a lot of firms have got themselves into a state of workforce paralysis.

“What we're seeing quietly in the background is the demand for entry level talent in permanent placement declining. Contingent placement is increasing. How is the Bill going to deal with that?

“It’s happened quietly, but I see so much offshoring. I would incentivise keeping entry level talent here. I think a lot of organisations are using AI as an excuse, because they don't know the skills that they're going to need in two years’ time.

“I don't see many organisations questioning the value of the knowledge that is being lost with offshoring, particularly when it comes to an area like cyber security. They just look at what is being saved short term.”

Short-term cost-cutting comes at the expense of institutional knowledge, and Brailsford acknowledges that it’s difficult to value that knowledge accurately. In 2025, we saw several examples where that loss of institutional knowledge almost certainly had a direct impact on operational resilience.

If the Cyber Security and Resilience Bill is to be effective, it must extend beyond technical controls. Organisations need to invest in people, create realistic career pathways, and treat cyber capability as a strategic asset.

Resilience cannot be bought off the shelf, and talent cannot be conjured by simply consolidating job roles. Diverse teams, clear roles, and sustainable workloads are economic necessities. The cyber skills gap may be a myth, but the resilience gap is very real.

Closing it requires a fundamental rethink.