The white paper from De Montfort University and APPG looks at the role of DSIT and hiring issues.
The UK is “dangerously exposed to future cyber-attacks” and five steps can better resolve the problem.
According to a white paper authored by Dr Ismini Vasileiou, director of East Midlands Cyber Security Cluster (EMCSC), co-chair of UK Cyber Cluster Collaboration (UKC3), and associate professor at De Montfort University Leicester, an “outmoded and fragmented” 20th Century training ecosystem risks leaving UK businesses dangerously exposed to 21st Century cyber threats.
The White Paper, published in collaboration with the APPG on Cyber Innovation, sets out five steps for the Government to secure UK cybersecurity skills for decades to come. These were detailed as:
Establish a DSIT-led taskforce to co-create a UK Cyber Skills Taxonomy. This taskforce will assess systemic fragmentation and co-create a national UK Cyber Skills Taxonomy that should define roles, career pathways, and skill levels—building on existing frameworks (e.g. SFIA, CIISec, DDaT), but critically, co-created with employers, educators, and professional bodies to ensure relevance and adoption.
Establish a national delivery body to own and govern the Taxonomy, with DSIT serving as the sponsoring department, and ensure the delivery body is properly resourced, monitored, and supported to implement, maintain, and monitor the taxonomy. To ensure national coordination and continuity, DSIT should clarify governance expectations and consider alternative delivery models if needed. The white paper also recommended that the UK Cyber Security Council - if supported to evolve its remit and strengthen engagement with the sector - could be well-placed to lead this work.
Incentivise employer adoption of standardised, skills-based recruitment. This should support employers and talent acquisition teams to adopt clearer, skills-based job descriptions aligned with the UK Cyber Skills Taxonomy, helping to improve consistency and reduce barriers to entry. Government should also work collaboratively with sector bodies and industry groups to develop voluntary skills-based recruitment guidance.
Align education and career pathways to real-world cyber roles. Cybersecurity should be integrated more systematically into primary, secondary, and post-16 education, starting at Key Stage 2. DSIT and DfE should work with Skills England and careers bodies to embed the UK Cyber Skills Taxonomy into national guidance, LSIPs, and digital learning strategies. Guidance platforms, careers advisers, and education providers should be equipped to map learner interests to real-world cyber roles, ensuring transitions into the workforce are clear and inclusive.
Scale regional skills alignment through a National Implementation Framework. DSIT should commission a national programme of regional delivery hubs - building on proven models like Cyber Local - to test, embed, and iterate the UK Cyber Skills Taxonomy in real-world settings. This programme should link employers, training providers, and local authorities to co-design regionally responsive solutions, aligned to local labour markets and national standards.
Ambition and Reality
Vasileiou said there is currently a mismatch between Government industrial ambition and educational reality, and a 21st Century digital economy will not be solved “with a 20th Century skills pipeline.”
“This is emerging as a critical situation for SMEs, which are the backbone of the UK economy but which are increasingly exposed as they race to meet modern digital expectations and standards,” she said.
Professor Mike Kagioglou, Deputy Vice-Chancellor Planning, Research and Innovation at De Montfort University Leicester, said the recommendations in this White Paper reflect what we see every day in our work with businesses: namely, a growing demand for cyber skills and a fragmented system that is not keeping pace.
“We fully support the call from Dr Vasileiou and the APPG for a national strategy to align skills, accreditation, and employer demand,” he said. “DMU stands ready to assist and support a central, recognised, skills development and accreditation framework for cybersecurity.”
Written by
Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.