It’s widely agreed that the cybersecurity skills gap can be filled by increasing the amount of diversity in the workforce, but many UK companies are failing to take advantage of this potential.

In fact, half of businesses (49%) have a basic technical cybersecurity skills gap, especially in more advanced technical areas, according to the UK government’s cybersecurity skills in the UK labour market 2025 survey.

Women make up just 17% of the cybersecurity workforce, falling to 12% in senior positions, compared to 48% representation in the wider UK workforce, according to the government’s study.

So, why are the numbers so low and what can firms do to increase the amount of diversity in their teams to fill the growing skills gap?

Unsurprising Figures

Many in the industry are not surprised by the UK government’s findings. There’s “a lot of talk”, “a few tick-box programmes”, but “no real transformation”, says Women in Tech and Cyber Hub (WiTCH) founder, Illyana Mullins. “The education system still teaches in ways that tend to engage boys more than girls, and the industry culture, while improving slightly as we talk about it more, hasn’t drastically changed.”

“We still see women dressed as props at trade shows and senior women on stands being ignored while visitors automatically talk to the men. Until we challenge those everyday behaviours and the systems behind them, the numbers won’t shift.”

At the same time, statistics also show that women continue to maintain the higher percentage of caring responsibilities, says Becky Pinkard, MD of global cyber operations in the chief information security office at Barclays.

Meanwhile, cybersecurity is often presented as a technically demanding field, she points out. “This further discourages some women from first entering the industry. For those who have, it’s then about being able to continue growing their careers when they may feel challenged by perceived technical demands,” says Pinkard.

And today, cybersecurity is not a purely technical subject. Demand for technical skills will always exist, but the job has changed, says Amanda Finch, CEO, The Chartered Institute for Information Security. “High-profile attacks and complex regulation now require capabilities beyond the purely technical. Expertise must be paired with problem-solving abilities and strong communication.”

Young Women Choosing Cybersecurity 

However, while there are fewer women in senior positions, more young women are entering the industry, says Kunjal Tanna, co-founder of specialist cyber recruitment company LT Harper.

She cites the example of ISC2’s 2024 Cyber Workforce study, which showed an increase in female representation at the earlier career stage. Women aged under 30 make up 26% of the cybersecurity workforce, compared to 16% in the age 39 to 44 bracket, according to the report.

“So clearly, we are getting better at attracting women into the industry,” Tanna says.

But it’s not as simple as just encouraging more women to enter cybersecurity, says Rebecca Harper, head of content marketing at IO. “I think that too often, the conversation is framed as a pipeline issue, with statements like, ‘if only more young women studied STEM’, or ‘if only we had more role models’.”

The reality is different, she says. “Women and other underrepresented groups are already entering the field, yet they leave at far higher rates because the systems and cultures they encounter don't support progression. That's not a pipeline problem; it's a workplace problem.”

PR for the industry does not help. The image of a cyber professional is still one of a young, white man wearing a hoodie, working in a dark basement full of computer screens, Tanna points out.

The language used in cybersecurity adds to the problem. “A lot of it is inherently masculine: For example, cyber warfare, or penetration testing,” says Tanna.

At the same time, decisions on promotions and hiring can sometimes be made by people who are inexperienced in allowing for unconscious bias, resulting in them unintentionally favouring those they have similarities with, Tanna says.

Diversity Beyond Women

While the low number of women in cybersecurity is concerning, it’s also important to consider how other types of diversity can help fill the skills gap in the workforce.

Inclusion and opportunity is “100% about more than just bringing in more women”: “It's about the different life perspective,” says Pinkard.

Those “lived perspectives” are driven by areas such as neurodiversity, ethnic diversity and physical ability diversity, she says.

For example, neurodivergent individuals often bring unique strengths, such as advanced problem-solving abilities, exceptional focus and keen attention to detail, says Hannah Roome, talent acquisition manager at Bridewell. These skills are “particularly well-suited for highly technical cybersecurity roles”, she says.

Socioeconomic diversity is also “crucial”, because not everyone can afford a traditional tech career path, Mullins adds.

Programmes in Place

There are several successful programmes encouraging diversity in cybersecurity.

For example, non-profit community Women in Cybersecurity (WiCys) has a programme of events across the country geared towards helping women share their knowledge and experience, says Tanna.

Meanwhile, ISC2 hosts an annual summit on diversity and inclusion including a host of speakers and topics.

Roome says Bridewell “actively invests” in diverse recruitment tactics to access untapped talent for its early careers programme, Bridewell Academy.

LT Harper hosts free networking breakfasts called InClusive InCyber in London and Manchester, bringing together “hundreds of women from all the different roles within the cyber industry”, according to Tanna.

Focusing on Diversity 

While some businesses are already focusing on the area, there’s still work to be done. In general, companies are facing challenges “on many fronts” when approaching inclusive hiring, Pinkard says.

Issues include “globally complex and competing political climates, in addition to progressing expectations for work-life balance and hybrid working”.  

“This requires mature hiring practices, complete with ongoing reviews and necessary pivots as required to adapt to geopolitical requirements and pressures, combined with an ability to clearly and widely articulate hybrid or remote working terms and evolving conditions,” Pinkard says.

Too many companies still treat diversity as a compliance exercise, says Mullins. “When it was no longer a legal requirement in the US, many simply stopped. Others will say, ‘we want more women’, but won’t update their maternity policies and complain that only men apply to their roles. Or they say ‘we want neurodiverse talent’, but resist implementing more flexible working policies to facilitate them.”

The skills gap in cybersecurity means looking in non-traditional places to find talent, Pinkard says.

For example, firms must be open to cross-train people from fields such as accounting, literature, sociology or even chemistry or geology. “We need to think more about the kinds of wider ranging skills that are mandatory to be successful in cybersecurity. These include attention to detail, curiosity, a willingness to ask questions, and the desire to continuously learn.”

In order to close the UK's cybersecurity skills gap, inclusion “can't remain an optional initiative sitting in HR”, says Harper. “It needs to be treated like any other business control. Activities must be measurable, structural, and tied to leadership accountability. That means tracking who is hired, who is promoted, who leaves, and why. And, it means holding leaders responsible for equitable outcomes, not just awareness campaigns.”

Kate O'Flaherty Cybersecurity and privacy journalist