Research and analysis

Cyber security skills in the UK labour market 2024: technical report

Published 16 September 2024

1 Overview

The Department for Science, Innovation and Technology (DSIT) commissioned Ipsos and Perspective Economics to conduct the latest in an annual series of studies to improve their understanding of the current UK cyber security skills labour market. In February 2023 the parts of The Department for Digital, Culture, Media and Sport (DCMS) responsible for cyber security policy moved to the new Department for Science, Innovation and Technology (DSIT). The previous study was published by DSIT in 2023 (fieldwork in 2022). The studies prior to this were published by DCMS in 2022 (fieldwork in 2021), 2021 (fieldwork in 2020), 2020 (fieldwork in 2019) and 2018 (fieldwork in 2018).

This report provides the technical details for all strands of the 2024 research, and copies of the main survey instruments (in the appendices) to help interpret the findings. DSIT has published a separate report of the main findings from the research.

1.1 Full research objectives

The 2024 research, in line with previous years, aimed to gather evidence on:

• Current cyber security skills gaps (i.e. where existing employees or job applicants for cyber roles lack particular skills)
• Current skills shortages and the level and type of job roles they affect (i.e. a shortfall in the number of skilled individuals working in or applying for cyber roles)
• The role of training, qualifications, recruitment and outsourcing to fill skills gaps
• Where the cyber security jobs market is active geographically
• The roles being labelled as cyber roles versus ones that are not but require a similar skillset
• The role that recruitment agents play in the cyber security labour market
• Diversity within the cyber sector
• Staff turnover in the cyber sector
• Statistics on the size of the UK’s cyber security recruitment pool
• An estimate of the overall cyber workforce gap
• Recruitment agents’ views of the recruitment pool and how it has changed in the last year.

1.2 Summary of methodology

The methodology consisted of 4 strands:

1. Quantitative surveys – Ipsos conducted representative telephone surveys with 4 audiences: general businesses, public sector organisations, charities and cyber sector firms. These surveys gathered the main estimates on skills gaps and shortages reported in this study. Fieldwork was between 11th August and 10th November 2023.

2. Qualitative interviews – Ipsos conducted a more focused strand of qualitative research, with 28 in-depth interviews split across cyber firms, medium and large businesses, public sector organisations, and recruitment agents. The interviews explored the challenges these organisations faced in addressing skills gaps and shortages, and the approaches they were taking on recruitment, training and workplace diversity. Interviews took place between September and November 2023.

3. Job vacancies analysis – Perspective Economics analysed cyber security job postings on the Lightcast labour market database, showing the number, type and location of vacancies across the UK. This also covers remuneration, descriptions of job roles and the skills, qualifications and experience being sought by employers. This work primarily covered vacancies across the 12 months of 2023, supplementing the work done in the 2023 study (which covered vacancies from January 2022 to December 2022).

4. Supply side analysis – Perspective Economics replicated the methodology used on the 2021 cyber recruitment pool research to estimate the overall size of the current recruitment pool, as well as those likely to be entering the pool within the next 12 months (across 2023). This strand produces further statistics on the diversity, educational and occupational backgrounds, and salaries of this pool of labour, as well as outflows from the pool.

1.3 Similarities and differences from the 2023 study

The 2024 methodology is consistent with previous years, which included strands 1 to 4 in Section 1.2. This means that we can look at trends over time across the survey, job vacancies analysis and supply side analysis (the quantitative elements) are all able to look at trends over time.

It should be noted that, there is a methodological update with respect to the vacancy data. In 2021, Burning Glass Technologies (Labour Insight) merged with Emsi, and was rebranded as Lightcast - as a result, the research team now uses an updated vacancy analytics tool called Lightcast Analyst. This has the same data as Burning Glass Labour Insight; but the occupational coding and front-end have been updated. In addition, the search strategy to identify cyber security vacancies has been revised to align with the tool’s search capabilities.

To ensure that the time-series analysis was not interrupted the research team developed a search strategy that aligns with the count and breakdown of vacancies identified in previous reports. This also means that the metrics in previous reports are updated for this year. However, there are some subtle differences in how this data is reported using the new front-end (e.g. change from Travel-to-Work Area level to City / Local Authority reporting). These changes are set out in Section 4.

Questionnaire changes

The quantitative survey questions are reviewed and partially revised each year to ensure we capture the metrics that are most useful for DSIT and its stakeholders. This year, we included a new question to assess the minimum requirements for an entry-level cyber security role and reintroduced a question on whether cyber security was a formal or informal part of their role. The rationale for these changes is provided in Section 2.1.

The quantitative survey questions underwent cognitive testing in 2018. Although a small number of new questions have been added in later years, these have used tried-and-tested question wording wherever possible, so have not undergone cognitive testing. There has nonetheless been a live pilot of the quantitative survey each year, to pick up on any question comprehension problems (see Section 2.3).

Sample sizes

The overall sample sizes achieved for each audience in the quantitative survey are broadly in line with previous years, although there is a slightly higher public sector response, a slightly lower business and charity response, and similar cyber firm response to those from 2023. This year we interviewed:

• 930 businesses across the private sector (vs. 1,006 in 2023, 947 in 2022 and 965 in 2021), of which 48 were large businesses (vs. 78 in 2023, 107 in 2022 and 65 in 2021)
• 130 public sector organisations (vs. 102 in 2023, 123 in 2022 and 76 in 2021)
• 190 charities (vs. 214 in 2023, 211 in 2022 and 220 in 2021)
• 180 cyber firms (vs. 180 in 2023, 224 in 2022 and 171 in 2021)

The margin of error for the overall business sample is the similar to last year, at ±2-4 percentage points. The margin of error has remained broadly consistent for large businesses (from ±7-12 percentage points in 2023 to ±9-14 percentage points in 2024). The margin of error across other organisations has also remained consistent, for public sector organisations ±5-9 points and for both charities and cyber firms ±4-7 points.

1.4 Differences from other recent studies looking at cyber security skills

A note on the UK cyber security workforce size estimate from the 2023 Cyber security Workforce Study

ISC2 is a global membership organisation for cyber security professionals. It publishes an annual Cyber Security Workforce Study, the most recent of which was published in 2023. This is a study of the global cyber security workforce and largely reports its findings at a global level.

The 2023 ISC2 report suggests there are c.367,300 individuals in the UK cyber security workforce, with a shortage of c.73,439. It is not possible for us to validate their estimate with our data, given the vast differences in methodologies between our two studies (outlined later in this section) and a lack of published technical information on the UK sample size and representativeness of the ISC2 data. The estimate is also likely to have a substantive margin of error around it.

DSIT’s Cyber Sectoral Analysis 2023 estimates c.58,000 full-time employees working in cyber roles in the UK cyber sector, across the 1,979 cyber security companies that make up this sector. This excludes individuals working in cyber roles outside of these companies.

The ISC2 estimate has fluctuated across years, from c.366,000 in 2020, c.301,000 in 2021, c.339,000 in 2022 and c.367,000 in 2023. In our opinion, it remains unrealistically high. It would mean that almost 1 in every 100 employees in the UK are working in a cyber role. Furthermore, the DCMS Sectors Economic Estimates indicate that there were c.1.9 million jobs across all UK digital sectors from July 2022 to June 2023. If the ISC2 estimate was correct, this would mean that around 1 in 5 digital sector jobs are in cyber security.

Broader comparability issues between this DSIT study and other studies on cyber security skills

The findings from the ISC2 2023 report touch on similar themes to our study (such as skills gaps, diversity in the cyber sector and qualifications) but they are not directly comparable. This is also the case for other well-known surveys that have been published around the same time period, the NCSC/KPMG Decrypting Diversity 2021 report, the PwC Cyber Security Strategy 2022, and PwC Cyber Security Outlook 2023 report.

• Our primary research is UK-specific and has a large sample size. This means we can break down findings for UK organisations by size and sector. Other surveys have often not been able to be so granular and have typically reported findings for Europe as a whole, rather than the UK.
• Our survey results are sampled and weighted to be representative of organisations of all sizes and sectors. This includes micro and small businesses, and low-income charities, that may be less aware of their cyber security skills needs and make up the majority of all businesses and charities in the UK. The ISC2 and PwC surveys appear to have been carried out online with a self-selecting sample, skewed towards the largest and most engaged organisations. These studies are important, as they have good coverage of the organisations with the most sophisticated cyber security skills needs. However, they are not necessarily representative, and typically omit micro, small and medium businesses, and the charitable sector, where there are often more basic cyber security skills needs.
• Our cyber sector diversity statistics are also intended to be representative, as they are based on workforce-level data collected from a random sample of UK cyber firms. This differs from the NCSC/KPMG survey, which is again undertaken online with a self-selecting sample that may be subject to clustering effects (depending on where and how the survey was promoted). There is also value in the NCSC/KPMG results, which serve to highlight the lived experiences of diverse groups within the cyber security workforce. However, these results, unlike our study, cannot be used to reliably infer the incidence of characteristics in the wider population.
• This research measures skills gaps – the number of organisations lacking specific cyber security skills – in a particular way. As we cannot objectively test whether organisations are capable of carrying out specific cyber security tasks involving specialist skills, we instead ask about their confidence at being able to carry out a range of these tasks (see Chapter 4 of the main report for full details). This continues the methodology from the 2 previous studies.

1.5 Acknowledgements

Ipsos and Perspective Economics would like to thank colleagues at DSIT for their project management, support and guidance throughout the study.

2 Quantitative surveys

Ipsos carried out all aspects of the quantitative surveys. This chapter provides technical details on the questionnaire development, sampling, piloting, main fieldwork and data processing.

2.1 Questionnaire development

Questionnaire development

Ipsos developed the questionnaire and all the other survey instruments (such as the interviewer briefing notes, a reassurance email for respondents and a survey website page).

In line with the 2023 survey, the questionnaire worked as a multimode telephone and online survey script – this is covered further in Section 2.4. Changes reflected new areas that DSIT wished to gain further statistical information on:

• The question on whether cyber security was a formal part of the job role (Q26_Formal), was removed in 2023 but has been reintroduced in 2024.
• In question 13 which focuses on basic cyber skills-Code L – “Any automated defences against malicious network traffic,” was removed as an answer as part of a basic cyber skills question. This code was more aligned to an advanced skill and has therefore been added to question 14.
• Due to this additional code in question 14, the code “Any automated defences against malicious network traffic” was also added to Q29_HIGHTECHNICAL.
• For Q30_MANAGERIAL how confident, if at all, would you feel about your organisation being able to perform the following tasks codes B and E were removed in 2023.
• For Q32_DIRECTORS statement B was deleted in 2023.
• A new question was introduced to capture the responsibilities of Cyber Security Generalists (Q18J).
• To better understand what organisations are doing to encourage applications from people from ethnic minority backgrounds, this year we introduced Q47AB_BARRIERS.
• Q47C_ENTRYLEVELROLE was introduced in this questionnaire to capture how people understand entry level role requirements.

A number of the cyber firms interviewed for this study had also taken part in the earlier DSIT survey carried out in summer 2023 as part of the Cyber Security Sectoral Analysis 2024. To avoid asking these firms to repeat the same information in this latest survey, the survey script included a question that collected permission to reuse data from this survey instead of asking these questions again (on the size of their total workforce and their cyber workforce specifically).

Appendix A includes a copy of the final questionnaire used in the main survey.

2.2 Sampling

The target population included:

• Private companies with more than one person on the payroll (i.e. excluding sole traders)
• Public sector organisations – mainly NHS organisations, academies and free schools (as other types of schools are run directly by local authorities) and local authorities (excluding parish councils)
• Registered charities
• Cyber sector businesses.

We designed the survey to represent enterprises (i.e. the whole organisation) rather than establishments (i.e. local or regional offices or sites). This reflects that multi-site organisations will typically have connected cyber security infrastructure and will therefore deal with cyber security centrally.

Business and public sector sample frame (IDBR) and sample selection

The sample frame for businesses and public sector organisations was from the government’s Inter-Departmental Business Register (IDBR), which covers businesses in all sectors, including the public sector, across the UK at the enterprise level. This is the main sample frame for government surveys of businesses and for public sector organisations. In contrast to previous years, businesses from the agricultural, forestry and fishing sectors (SIC, 2007 category A) sector were included. DSIT and NCSC asked for agriculture to be reconsidered for inclusion. The digital exposure of agriculture businesses now have justified their inclusion, as does having a more representative UK business sample. DSIT approved their inclusion.

In total, we selected 54,495 businesses and public sector organisations from the IDBR. This is less than the total number we requested last year (62,068) and in the year before (56,159). It was less than in 2021 (60,500), but more than 2020 (48,702) and 2018 (37,871).

Records were selected based on disproportionate targets by sector and by size. The disproportionate stratification reflected the intention to carry out subgroup analysis by sector and size. This would not be possible with a proportionate stratification (which would effectively exclude any meaningful number of medium and large businesses from the selected sample, as well as resulting in too few interviews in certain sectors). The boosted groups included:

• Small (10 to 49 staff), medium (50 to 249 staff) and large size bands (250+ staff).
• Education businesses, finance or insurance businesses and public sector organisations (which DSIT highlighted as important sectors).
• Health, social care or social work businesses (which the 2018 literature review and subsequent research has suggested is a sector with a greater demand for cyber skills).
• Information or communication businesses (which are highly engaged with cyber security, according to findings from the separate DCMS Cyber Security Breaches Survey series).

Table 2.1 breaks down the originally selected sample by size and sector. As the survey outcomes later in this chapter show, only 11,225 IDBR records were included in the final survey, with the rest being unusable (i.e. with no valid telephone number) or being held in reserve.

Table 2.1: Pre-cleaning IDBR sample received by size and sector

SIC 2007 letter	Sector description	Micro or small (1–49 staff)	Medium (50–249 staff)	Large (250+ staff)	Total
A	Agricultural, forestry and fishing sectors	1,714	17	17	1,748
B, C, D, E	Utilities or production (including manufacturing)	1.101	598	1,488	3,187
F	Construction	5,520	161	300	5,981
G	Retail or wholesale (including vehicle sales and repairs)	3,477	470	1,194	5,141
H	Transport or storage	2,252	155	360	2,767
I	Food or hospitality	3,028	308	611	3,947
J	Information or communications	4,871	1,506	443	6,820
K	Finance or insurance	2,587	1,033	403	4,023
L, N	Administration or real estate	4,415	463	1,263	6,141
M	Professional, scientific or technical	3,339	498	733	4,570
O	Other public sector	344	119	460	923
P	Education (including academies)	1,538	516	121	2,175
Q	Health, social care or social work (including NHS)	3,282	599	521	4,402
R, S	Entertainment, service or membership organisations	1,486	114	255	1,855
Total	38,954	6,557	8,169	53,680

Charity sample frames and sample selection

The target population of charities was all UK registered charities. The sample frames were the charity regulator databases in each UK country:

• The Charity Commission for England and Wales database: https://register-of-charities.charitycommission.gov.uk/register/full-register-download
• The Office of the Scottish Charity Regulator (OSCR) database: https://www.oscr.org.uk/about-charities/search-the-register/charity-register-download
• The Charity Commission for Northern Ireland database: https://www.charitycommissionni.org.uk/charity-search/

This approach is consistent with all the previous studies.

In England and Wales, and in Scotland, the respective charity regulator databases contain a comprehensive list of registered charities. The Charity Commission in Northern Ireland does not have a comprehensive list of established charities. It is in the process of registering charities and building its database.

Therefore, while the Charity Commission for Northern Ireland database was the best sample frame for this survey, it cannot be considered as a truly random sample of Northern Ireland charities at present. This situation has, however, improved over time, as the database becomes more comprehensive.

As per previous years, DSIT was granted full access to the non-public OSCR database, including telephone numbers, meaning we could sample from the full list of Scotland-based charities, rather than just those for which we were able to find telephone numbers.

The number of charity interviews was 190 in 2024 (vs. 214 in 2023, 211 in 2022, 220 in 2021, 201 in 2020 and 470 in 2018). The sample was proportionately stratified by country and disproportionately stratified by income band. This stratification reflects the fact that the variance in survey responses tends to be higher among larger (high-income) charities, which increases the overall statistical reliability of the data.

As the entirety of the 3 charity regulator databases were used for sample selection, there was no restriction in the amount of charity sample that could be used, so no equivalent to Table 2.1 is shown for charities. In total, we sampled 1,042 charities to achieve 190 interviews.

Cyber sector sample frame and sample selection

For cyber sector firms, we used the DSIT sector database that was created as part of the Cyber Sectoral Analysis 2024 (also carried out by Ipsos and Perspective Economics). Perspective Economics built this sample frame, a list of 2,091 UK cyber sector firms, from the Orbis and Beauhurst databases. From this database, there were 1,299 records with telephone numbers. A further 343 had email addresses only but were still included in the online survey invites via email.

All 1,642 leads were included in the survey. In other words, this survey was carried out using a census approach and achieved a simple random sample of 180 interviews.

Sample telephone tracing and cleaning (required primarily for IDBR sample)

Not all the original sample was usable. In total, 38,002 records had either no telephone number or an invalid telephone number (i.e. the number was either in an incorrect format, too long, too short or a free phone number which would charge the respondent when called) in the original sample file.

In keeping with the 2023 research, as part of a raft of measures to improve telephone coverage and response rates, we carried out a more extensive programme of telephone matching. We carried out automated telephone matching through the DBS Data business database as well as the Dun and Bradstreet business database. In previous years, we have matched to the DBS Data residential database for micro businesses. However, this is no longer possible due to data protection and ethical concerns around attempting to survey business respondents via a database consisting largely of consumer numbers.

In addition to matching telephone numbers, we also matched email addresses (generic email addresses as well as those for key decision makers) and key decision maker contact names where possible. These were sourced from the Dun and Bradstreet database, public LinkedIn data, Companies House data and other publicly accessible data (e.g. company websites). These details were subsequently used for prompt emails to the loaded sample and to help bypass gatekeepers (by giving the name of a specific individual within the business).

The cyber sector sample did not require further telephone tracing or cleaning. This process had already been carried out in the previous survey conducted in summer 2023, as part of DSIT’s Cyber Security Sectoral Analysis 2024. However, we did a subsequent manual search for missing cyber sector numbers on company websites. Across the IDBR and cyber sector samples, these processes increased the amount of usable sample, helping to reduce the likelihood of non-response bias affecting the survey.

There was already very high telephone coverage for charities from England and Wales (98% with telephone numbers), Northern Ireland (98% with telephone numbers) and Scotland (84% with telephone numbers). These provided more than enough usable sample and minimised the possibility of non-response bias. Therefore, no telephone matching was required for charities.

We also cleaned the selected sample to remove any duplicate telephone numbers, and parish councils. Identifying and removing parish councils was a two-step process. Firstly, we removed all micro organisations in SIC sector O from the usable sample, as these were overwhelmingly parish councils. Secondly, we carried out a search on the remaining SIC sector O organisations for the phrase “parish council”, “town council” or “community council” to highlight further leads for removal. Central Government Departments were also excluded with a manual search.

Following telephone matching and cleaning, the usable business sample amounted to 29,915 leads. This is 56% of the original sample frame, compared to 54% in 2023, 39% in 2022 and 24% in 2021, highlighting the impact of the process to improve telephone coverage. The composition of this sample is shown in Table 2.2.

Table 2.2: Post-cleaning available IDBR sample by size and sector

SIC 2007 letter	Sector description	Micro or small (1–49 staff)	Medium (50–249 staff)	Large (250+ staff)	Total
A	Agricultural, forestry and fishing sectors	444	13	16	473
B, C, D, E	Utilities or production (including manufacturing)	713	575	1,359	2,647
F	Construction	2,832	151	264	2,797
G	Retail or wholesale (including vehicle sales and repairs)	1,956	429	1,061	3,446
H	Transport or storage	680	146	318	1,144
I	Food or hospitality	1,126	239	518	1,883
J	Information or communications	1852	1215	351	3418
K	Finance or insurance	1,687	927	353	2967
L, N	Administration or real estate	1,860	407	1091	3358
M	Professional, scientific or technical	1,538	428	599	2565
O	Other public sector	61	95	344	500
P	Education (including academies)	789	418	99	1306
Q	Health, social care or social work (including NHS)	1,358	548	451	2357
R, S	Entertainment, service or membership organisations	731	102	221	1054
Total	17,177	5,693	7,045	29,915

The usable leads for the survey were randomly allocated into separate batches for businesses and charities. Each batch included leads proportionately selected to incorporate sample targets by sector and size band, and response rates by sector and size band, from previous Ipsos surveys with these audiences, and from previous batches. In other words, we selected more sample in sectors and size bands where there was a higher target, or where response rates were expected to be relatively low.

We drew up and released subsequent batches of sample as and when the live sample was exhausted. All available leads were released in the main stage (see Tables 2.3, 2.4 and 2.5 for the total sample loaded).

2.3 Piloting

We conducted a pilot on 11th,12th, and 15th August. This involved daily written feedback reports from all interviewers working on the project for those days, daily monitoring of raw survey data, interview lengths and sample outcomes, and an open-ended question at the end of the survey where respondents could give feedback.

We carried out 89 live pilot telephone interviews among the 4 audiences for the study. Much of the questionnaire remained unchanged and existing questions did not have to be rerouted.

Following the live pilot, we only made minor changes to the questionnaire, such as changing Q47c entry level role to be asked to all sectors not just the cyber sector. These 89 interviews were included in the final dataset, as the changes we made were not substantive enough to affect the comparability of findings before and after the pilot.

2.4 Fieldwork

Multimode data collection

As part of a range of measures this year to help improve the survey sample coverage, we implemented multimode surveying, allowing respondents to take part either by telephone or online. This was in place for the live pilot and main fieldwork (although all live pilot interviews were by telephone).

In practical terms, the multimode methodology worked as follows:

• All initial contact with organisations took place by phone, with Ipsos telephone interviewers calling organisations in line with previous years
• Where organisations requested more information before deciding to take part, interviewers could send out an information and reassurance email. This email contained a unique link for each organisation to complete the survey entirely or partially online. The interviewers explained this ahead of sending out each email
• The respondents that completed the survey online had no interaction with an Ipsos interviewer but were instead routed through an online questionnaire, with each question appearing on a separate screen
• Over the course of fieldwork, we sent 6 reminder emails to those that had started but not finished the survey online.

Table 2.3 shows that around 8% of the achieved interviews in total were online, compared to 4% last year. In other words, the overwhelming proportion of interviews were still by telephone.

Table 2.3: Interviews by data collection mode

Mode	Businesses		Public sector		Charities		Cyber sector		Total
N	%	N	%	N	%	N	%	N	%
Telephone	880	95%	121	93%	170	89%	148	82%	1319	92 %
Online	50	5%	9	7%	20	11%	32	18%	112	8%

We are aware of the potential for the change in the data collection mode to impact the survey results. If this mode effect is significant, any changes in the results compared to previous years may not reflect a real shift in the population.

DSIT and Ipsos did not expect there to be substantial mode effects in this survey, given that much of the information collected is factual, rather than attitudinal. Nevertheless, we had various measures to minimise the chances of mode effects and to monitor the data to identify mode effects:

• The intention was for only a small proportion of the sample to complete the survey online, so that any potential mode effects would be contained. In this case, we did not have to cap the number of online interviews, given that it was only 8% of all completed interviews.
• We used unimode questionnaire design wherever feasible, whereby the questionnaire administration is as similar as possible for respondents across modes. For example, sequential statements on the telephone survey (e.g. at Q13.WHATOUT) appear as a carousel of statements in the online survey. We minimised the number of questions with long, unprompted answer lists in the telephone survey (which would need to be prompted answer lists in the online survey), such as Q44.OTHRECRUIT, Q47.HARDREASON and Q47e.REASON.
• We added a screener question to the online survey (Q1x.ONLINERESP) for respondents to self-validate that they were the right person within their organisation to complete the survey – something the telephone interviewer would have established verbally. This was an extra quality assurance to prevent the survey being completed by someone who would be unable to answer many questions.
• As part of the final data checks, we manually reviewed the answers of online respondents to see if they followed a pattern that was substantially different from telephone respondents in the same sample group, or if they included a long string of “don’t know” responses. Following these broad checks, we did not need to remove any online respondents from the final data.

Completed interviews

All survey fieldwork (including the live pilot) was carried out from 11th August to 10th November 2023. In total, we completed 1,430 interviews, comprising:

• 930 businesses (excluding sole traders)
• 130 public sector organisations (excluding parish councils)
• 190 registered charities
• 180 cyber sector businesses.

The average interview length was c.15 minutes for businesses and public sector organisations and charities and c.17 minutes for cyber firms.

Fieldwork preparation

Prior to fieldwork, the Ipsos research team briefed the supervisory team for the telephone interviewers. The interviewers also received:

• Written briefing notes about all aspects of the survey
• A copy of the questionnaire and other survey instruments.

Screening of respondents

Interviewers used a screener section at the beginning of the questionnaire to identify the right individual to take part and ensure the organisation was eligible for the survey. At this point, organisations outside the cyber sector that identified themselves as sole traders with no other employees on the payroll would have been classed as ineligible. Within the cyber sector, sole trader cyber firms were still eligible, in line with previous years, because this survey still intended to capture the skill, training and recruitment needs of the firm’s founder.

As this was a survey of enterprises rather than establishments, interviewers also confirmed that they had called through to the UK head office or site of the organisation.

When an interviewer established that the organisation was eligible, and that this was the head office, we asked them to identify the senior member of staff who has the most knowledge or responsibility when it comes to cyber security. The briefing materials provided interviewers with a list of potential departments and job titles to ask for in non-micro businesses (e.g. IT Directors, Heads of Cyber Security and Chief Information Security Officers).

For UK businesses that were part of a multinational group, interviewers requested to speak to the relevant person in the UK who dealt with cyber security at the company level. In any instances where a multinational group had different registered companies in Great Britain and in Northern Ireland, both companies were considered eligible.

Franchisees with the same company name but different trading addresses were also all considered eligible as separate independent respondents.

Organisations sampled from the IDBR were able to self-identify as a registered charity during the interview. In these cases, they were included in the charity sample data. They are part of the response rate calculation for the charity sample.

Random-probability approach and maximising participation

We adopted random-probability sampling and interviewing to minimise selection bias. The overall aim with this approach is to have a known outcome for every piece of sample released. For this survey, we used an approach comparable to other robust business surveys and the previous iterations of this research:

• We called each piece of sample either a maximum of 7 times, or until we achieved an interview, received a refusal, or received enough information to make a judgement on the eligibility of that contact.
• Each piece of sample was called at different times of the day, throughout the working week, to make every possible attempt to achieve an interview. We also offered evening and weekend interviews on request to respondents.
• Respondents were also able to complete the survey online rather than over the phone.

• Several steps were taken to maximise participation in the survey and reduce non-response bias, beyond the general management and scheduling of the fieldwork and interviewing team to produce the best results. Interviewers could send a reassurance email to prospective participants to confirm the legitimacy of the study and provide more information.

• We also had a study website and GOV.UK page to reassure respondents that this was a bona fide government survey. We also offered respondents a copy of the previous year’s report and a government cyber security help card. The help card included up-to-date government guidance (from the National Cyber Security Centre) for organisations on cyber security to encourage participation. This can be found at Appendix B. Additional steps taken to secure sample

We also took several extra steps to improve the sample coverage and the response rate, including:

• Additional number matching – we matched to 2 databases this year (as noted in Section 2.2) in line with the approach taken last year.
• Adding key decision maker contact names to the matched sample where possible (as noted in Section 2.2) to help interviewers get past gatekeepers and organisation no-name policies.
• Multimode surveying (as noted at the start of this section).
• Adding email addresses to the matched sample where possible – we sent advance emails to new batches of sample loaded, alerting them that an Ipsos interviewer would call and encouraging them to book an appointment, as well as 6 reminder emails to loaded sample across the course of fieldwork. In total, 99% of the released sample had an email address, although these were largely general information or enquiries email addresses for the organisation.
• Hosting a freephone telephone number and project-specific email inbox that allowed respondents to reply and set up their own appointments or take part in the survey there and then.

Fieldwork monitoring

Ipsos is a member of the Interviewer Quality Control Scheme recognised by the Market Research Society. In accordance with this scheme, the field supervisor on this project listened in on at least 10% of the interviews and checked the data entry on screen for these interviews. The Ipsos core research team also listened in during the early interviews and gave further feedback to the telephone interviewers on how to best introduce the survey.

Fieldwork outcomes and response rate

The Ipsos research team monitored fieldwork outcomes and response rates throughout fieldwork and gave interviewers regular guidance on how to avoid common reasons for refusal. Table 2.4 shows the final outcomes, the unadjusted response rate^{[footnote 1]} and the adjusted response rate^{[footnote 2]} for business and public sector (the IDBR sample). Tables 2.5 and 2.6 show the equivalent for charities and cyber firms.

Table 2.4: Fieldwork outcomes and response rate calculations for businesses and public organisations (IDBR sample)

Outcome	Total
Total sample released	11,225
Completed interviews	1,084
Incomplete interviews	47
Ineligible leads – established during screener	107
Refusals	2,183
Unusable leads with working numbers	2,384
Unusable numbers	217
Working numbers with unknown eligibility	5,203
Expected eligibility of screened respondents	91%
Unadjusted response rate	10%
Adjusted response rate	13%

Definitions for key terms in Table 2.4

• Ineligible leads – established during screener: Among the IDBR and charity samples, ineligible leads were those found to be sole traders. Among the cyber sector sample, this included a small number of firms that did not recognise themselves to be firms offering cyber products or services.
• Unusable leads with working numbers: This include sample where there was communication difficulty making it impossible to carry out the survey (either a bad line, or language difficulty), as well as numbers called 10 or more times over fieldwork without ever being picked up.
• Unusable numbers: This is sample where the number was in a valid format, so was loaded into the main survey sample batches, but which turned out to be wrong numbers, fax numbers, household numbers or disconnected.
• Working numbers with unknown eligibility: This includes sample that had a working telephone number but where the respondent was unreachable or unavailable for an interview during the fieldwork period, so eligibility could not be assessed.
• Expected eligibility of screened respondents: Expected eligibility of screened respondents has been calculated as: (completed interviews + incomplete interviews) / (completed interviews + incomplete interviews + leads established as ineligible during screener). This is the proportion of refusals and working numbers expected to have been eligible for the survey.

Table 2.5: Fieldwork outcomes and response rate calculations for charities

Outcome	Total
Total sample released	1,042
Completed interviews	167
Incomplete interviews	19
Ineligible leads – established during screener	11
Refusals	175
Unusable leads with working numbers	276
Unusable numbers	17
Working numbers with unknown eligibility	397
Expected eligibility of screened respondents	94%
Unadjusted response rate	16%
Adjusted response rate	23%

Table 2.6: Fieldwork outcomes and response rate calculations for cyber firms

Outcome	Total
Total sample released	1,642
Completed interviews	180
Incomplete interviews	16
Ineligible leads – established during screener	7
Refusals	323
Unusable leads with working numbers	285
Unusable numbers	36
Working numbers with unknown eligibility	794
Expected eligibility of screened respondents	97%
Unadjusted response rate	11%
Adjusted response rate	14%

Unadjusted response rates compared to previous years

The unadjusted response rate (URR) for the IDBR sample is very similar to the last two years (10% in 2024 vs. 9% in the previous two years). For charities, the URR is also similar (16% in 2024 vs. 20% in the previous two years). Finally, for cyber firms, the URR is identical (11% for both years). Therefore, the survey has performed broadly in line with the past two years across all groups.

However, when compared to pre-pandemic surveys, the URRs are lower for the IDBR sample (11% in 2020 and 14% in 2018), charities (36% in 2020 and 30% in 2018) and cyber firms (22% in 2020, when this population was first surveyed for this series). The lower URRs compared to the pre-pandemic surveys are likely to be due to a combination of unique circumstances brought about by COVID-19, as well as the ongoing challenge of declining response rates in social survey fieldwork in general (see, for example, this Government Statistical Service blog on declining response rates).

More generally, there has been an increasing awareness of cyber security, potentially making businesses more reticent to take part in surveys on this topic. Adjusted response rates compared to previous years

The adjusted response rate (ARR) adjusts to exclude the unusable and likely ineligible proportion of the total sample used. This year’s ARRs can only be directly compared to the figures in the 2023 and 2022 reports and should not be directly compared to the ARRs published in previous years’ technical reports. We have simplified the ARR calculation in the last 2 years to use a single percentage figure for estimated eligibility, applied to both the refusals and the working numbers with unknown eligibility. For retrospective comparison, the ARR for this year compared to last year is as follows:

• IDBR sample: 12% in 2022, 11% 2023 vs.13% this year
• Charities: 26% in 2022, 24% in 2023 vs. 23% this year
• Cyber firms: 23% in 2022, 14% in 2023 vs. 14% this year.

As this is the sixth year that we have contacted this sample, it is likely that there is a degree of survey fatigue. It is important to remember that response rates are not a direct measure of non-response bias in a survey, but only a measure of the potential for non-response bias to exist. Previous research into response rates, mainly with consumer surveys, has indicated that they are often poorly correlated with non-response bias.^{[footnote 8]}   ###2.5 Data processing and weighting

Identifying the type and characteristics of sampled organisations using sample information versus questionnaire information

The IDBR contains businesses that might also be registered charities. Moreover, the public sector organisations within the IDBR sample are split across several sectors (most commonly SIC 2007 sectors P, Q and O^{[footnote 9]}), so cannot be fully identified at the sampling stage. We allowed all IDBR-sampled organisations to self-identify as either a private sector organisation, public sector organisation or charity in the interview. We then took this as their designated status in the final data.

For size (or income band for charities), we primarily used information collected in the questionnaire, and where this was missing, we used the information in the sample frames to fill in the missing responses.

Data management

The dataset was quality checked and cleaned. This included:

• Routing checks on all questionnaire variables
• Checks on all demographic variables
• Checks on derived scripting variables that combine sample data (from Cyber Security Sectoral Analysis data where possible) and questionnaire data
• Cleaning of variable names, variable labels and value labels
• Sense checks on all variables.

Derived variables were created for analytical purposes.

Coding

The verbatim responses to unprompted questions could be coded as “other” by interviewers when they did not appear to fit into the predefined code frame. Ipsos’ coding team coded these “other” responses manually, and, where possible, assigned them to codes in the existing code frame. It was also possible for new codes to be added where enough respondents – 10% or more – had given a similar answer outside of the existing code frame. The accuracy of the coding was verified by the Ipsos research team, who checked and approved each new code proposed.

We did not undertake SIC coding. Instead, we used the SIC 2007 codes that were already in the IDBR sample to assign businesses to a sector for weighting and analysis purposes. This is the same approach as in the 2023 survey and has been tested and validated in previous surveys, such as DCMS’s Cyber Security Breaches Survey series^{[footnote 10]}. The sector groupings used in the main report match those shown in Tables 2.1 and 2.2.

Weighting

For the IDBR and charity samples, we applied RIM weighting (Random Iterative Method weighting) to account where possible for non-response bias, and to account for the disproportionate sampling by size, sector and income band. The intention was to make the final reported data representative of the actual UK business, public sector and charity populations. This matched the weighting approaches from the 2023 study.

RIM weighting is a standard weighting approach undertaken in business surveys of this nature. In cases where the weighting variables are strongly correlated with each other, it is potentially less effective than other methods, such as cell weighting. However, this is not the case for this survey as organisation size and sector are not correlated.

We used 4 separate weighting schemes:

1. For businesses, there were non-interlocking weights by size and sector, based on the population profile in the 2022 Department for Business, Energy and Industrial Strategy (BEIS) business population estimates. Non-interlocking weighting means that we did not weight by size within each sector but weighted the whole sample separately by size and then by sector. Interlocking weighting (i.e. weighting by size band within each sector) was also possible but would have potentially resulted in very large weights. This would have reduced the statistical power of the survey results without making any considerable difference to the weighted percentage scores for each question, so was not applied.

2. We did not weight by region, but it should be noted that the final weighted data is closely aligned with the regional profile of the population.

3. For charities, we used non-interlocking weights by income band and country. We took the profile in the charity regulator databases (including the leads that could not be used in the survey) as the definitive population profile.

4. For public sector organisations, we also weighted based on the public sector profile in the 2022 BEIS business population estimates.

5. One complexity in the weighting of private and public sector organisations is that certain sectors of the economy contain a mix of the private and public sector – especially education (SIC sector P) and health (SIC sector Q). For analysing these 2 sector subgroups, we created a fourth weighting scheme that merged the private and public sector population profiles from the 2022 BEIS estimates.

We have not weighted the cyber sector sample. This is because:

• There was no disproportionate sampling for this survey sample, so corrective weights were not needed
• We compared the profile by size band achieved in this survey to the profile from the earlier Cyber Security Sectoral Analysis 2024 survey, which was also not weighted. This is the best comparison to indicate whether the sample is skewed in any way, given that it uses the same sample frame and methodology as this survey, and enables us to benchmark the achieved profile against several previous years of data. Both surveys broadly achieved the same profile
• There is no other reliable profile data on the sector.

Tables 2.7 to 2.9 show the unweighted and weighted profiles of the data.

Table 2.7: Unweighted and weighted sample profiles for businesses (excluding industry sectors that contain both private and public sector organisations)

	Unweighted %	Weighted %
Size
Micro or small (1–49 staff)	77%	89%
Medium (50–249 staff)	16%	7%
Large (250+ staff)	7%	4%
Sector
Administration or real estate	8%	11%
Construction	6%	12%
Entertainment, service or membership organisations	2%	3%
Finance or insurance	9%	2%
Food or hospitality	4%	9%
Information or communications	10%	5%
Professional, scientific or technical	6%	12%
Retail or wholesale	13%	15%
Transport or storage	3%	3%
Utilities or production (including manufacturing)	7%	6%
Region
East Midlands	6%	8%
Eastern	8%	11%
London	12%	15%
North East	2%	2%
North West	6%	9%
Northern Ireland	2%	3%
Scotland	5%	7%
South East	13%	17%
South West	8%	12%
Wales	2%	3%
West Midlands	6%	7%
Yorkshire and Humberside	5%	7%

Table 2.8: Unweighted and weighted sample profiles for charities

	Unweighted	Weighted
Income band[footnote 11]
£0 to under £100,000	37%	69%
£100,000 to under £500,000	20%	13%
£500,000 or more	41%	8%

Table 2.9: Unweighted and weighted sample profiles for public sector organisations (using independent weighting scheme) and industry sectors that contain both private and public sector organisations (using merged weighting scheme)

	Unweighted	Weighted
Size
Micro or small (1–49 staff)	47%	27%
Medium (50–249 staff)	36%	40%
Large (250+ staff)	17%	33%
Sector
Education (including academies)	13%	6%
Health, social care or social work (including NHS)	9%	5%

Analysis using the SPSS dataset

The SPSS dataset will be available on the UK Data Service. We aim to make this available within three months of publication.

2.6 Workforce-level estimates

The following figures in the report are workforce-level estimates rather than employer-level estimates. That is, they show findings as a proportion of the cyber workforce, rather than as a proportion of employers:

• Career pathways into cyber roles outside the cyber sector (Figure 2.3 in the findings report)
• Career pathways into cyber roles in the cyber sector (Figure 2.4)
• Distribution of the cyber sector workforce by specialism (Figure 2.6)
• Diversity estimates in the cyber sector (Figure 3.1)
• Staff turnover estimates in the cyber sector (Section 8.1)

A further figure in the report is calculated as a proportion of all vacancies, rather than as a proportion of all employers with vacancies:

• The proportion of all cyber sector vacancies that are hard-to-fill (Section 6.2)

In all cases, these are weighted estimates, which account for the different number of people working in cyber roles in each organisation sampled in the survey.

Outliers

Individual outliers in the data can heavily affect these estimates. Therefore, there were two stages of checking for outliers. Firstly, the survey script included soft checks that forced interviewers to revalidate unusually high numeric answers from the respondent (e.g. an unusually high number of employees with neurodiverse conditions or learning disorders) before moving on to the next question. Secondly, the research team manually checked the final data for outliers and recalculated the estimates without these outliers, in order to check the impact, they were having on answers.

We did not remove any outliers this year from the diversity estimates.

2.7 Rounding of percentages from the survey estimates

In the findings report, the survey data are rounded up to whole percentages. Therefore, in some cases, charts will appear to add to slightly more than 100%. For example, if the calculated estimates for a question are 20.5%, 40.7% and 38.7%, they will show as 21%, 41% and 39%.

3 Qualitative interviews

As well as the survey, Ipsos conducted 28 qualitative in-depth interviews between September and November 2023. This included:

• 13 cyber sector businesses
• 15 medium and large organisations from other sectors (8 with 50-249 employees, 5 with 250-999 employees and 2 with 1,000+ employees)
• 5 recruitment agents, sampled from different recruitment agencies, who all specialised in cyber security recruitment. The focus on larger organisations is consistent with last year’s study. It reflects the fact that:
• Larger organisations tend to have more sophisticated cyber security needs and are therefore likely to have more acute cyber security skills challenges
• The sample of large organisations achieved in the quantitative survey is relatively small, so it was particularly important to explore this audience in the remaining research strands.

3.1 Sampling and recruitment

Cyber sector businesses and large organisations

The cyber firms and other medium and large organisations were almost entirely recruited from the survey. DSIT used their contacts to help Ipsos secure interviews with two large firms in the cyber sector who subsequently took part in the survey. The sampling was purposive – Ipsos identified the best organisations to recruit based on their survey responses, with quotas applied to recruit those that had:

• Hard-to-fill job vacancies and/or had experience cyber staff loss in the past year
• Staff with and without relevant qualifications in cyber security
• Taken action to improve their workforce diversity.

We also applied broader quotas to ensure a mix of organisations by sector and region (and by size within the cyber sector, where recruitment was not restricted to just larger organisations).

Survey respondents gave permission to be recontacted in the survey. Our specialist recruitment team then emailed and telephoned these respondents inviting them to take part in this follow-up strand. We offered a £70 thank you voucher or charity donation to each participant to encourage participation.

Recruitment agents

We sampled recruitment agents through desk research, using online sources such as LinkedIn and recruitment agency websites to identify people recruiting for cyber roles that might be suited to the research.

We approached these potential participants via email. Upon them agreeing to take part, we initiated contact through email and asked further screener questions, to ensure they were eligible and guide the subsequent interview.

We offered a £100 thank you voucher or charity donation to recruitment agents, with the higher incentive relative to those recruited from the survey reflecting that we were cold contacting these participants.

3.2 Fieldwork

The Ipsos research team carried out each interview either over the telephone or virtually via Microsoft Teams. Each interview lasted c.60 minutes.

The topics for discussion were agreed collaboratively between Ipsos and DSIT. Ipsos wrote these up in a topic guide that DSIT approved for use. As a summary, the topics covered in the organisation and cyber firm interviews included:

• Their main challenges and gaps related to cyber security skills
• Cyber teams, training and career pathways
• Recruitment challenges, including hard-to-fill vacancies and assessing competencies
• Retention strategies to avoid cyber skills loss
• Perceptions of workforce diversity and actions taken in this area
• Awareness and perceptions of the Cyber Career Framework
• Future skills needs and impact of AI/automation.

The topics covered in the recruitment agent interviews were:

• The cyber security candidate pool, sourcing candidates, changes and major gaps in the candidate pool
• Recruitment approach: client demands, potential regional differences, qualifications and experience, and the cost of recruitment
• Short section on observations around client retention strategies
• The diversity of the applicant pool and employers’ attitudes to diversity
• Awareness and perceptions of the Cyber Career Framework
• Future skills needs and impact of AI/automation.

The full topic guides for each audience are included in Appendices C and D.

3.3 Analysis

Interviews were summarised in an Excel analysis grid for framework analysis. Interviews also recorded to allow researchers to review findings and deepen analysis. Throughout fieldwork, the core research team verbally discussed interim findings and outlined areas to focus on in subsequent interviews. An analysis session took place after completion of fieldwork. At the end of fieldwork, we drew out key themes, examples and anonymised quotes to include in the final findings.

4 Job vacancies analysis

Perspective Economics led this strand of the research. While it was carried out concurrently with the quantitative survey, the job data included in the analysis follows on from previous years’ research. The new data for this year focuses on the 2023 calendar year (1 January to 31 December). The data in the previous studies has covered the period from 2016 to 2022, i.e. 7 years of data. Therefore, across both years of the study that have adopted this methodology, we have over 8 years of trend data to examine.

The analysis approach is consistent with last year’s research, which enables us to look at trends over time in the demand for cyber professionals in the UK labour market.

4.1 Methodology

Lightcast Analyst definition of cyber job roles

Lightcast Analyst is a new front-end labour vacancy tool which provides data regarding job postings, occupations, specific industries and demographics. We have used two searches, analysing both core cyber vacancies, and wider demand for cyber skills across all roles. Identifying core cyber security vacancies:

• Within the Lightcast tool, our search strategy for core cyber vacancies is undertaken by identifying roles that request cyber security skills, with a focus on the aforementioned job titles. This means that we typically exclude over 80 occupations and 40 job titles that may request cyber skills, but are not necessarily cyber specific roles, such as financial managers and accountants. The report builder allows us to specify skills and qualifications that may be required in core cyber positions.
• Core cyber vacancies have been formally labelled or commonly recognised as cyber security jobs. They have a greater demand for skillsets and tools directly related to cyber security, such as information systems, cryptography, information assurance, network scanners, and security operations. In other words, these are job roles where some aspect of cyber security is the main job function. This would typically include job titles such as Cyber Security Architect, Cyber Security Engineer, Cyber Security Consultant, Security Operations Centre (SOC) Analyst and Penetration Tester. Identifying all vacancies requesting cyber security skills:
• Within the Lightcast tool, our search strategy for these vacancies explores job postings with cyber security skills and qualifications listed as a requirement. This search is set out in Appendix E.
• These roles are not formally labelled or commonly recognised as cyber security jobs but require cyber security skills. Alongside cyber security skills, they demand more general IT and business skills, such as project management, risk assessment, network engineering, SQL, system administration, and technical support. This might be because the job requires light-touch knowledge and application of technical cyber security skills (e.g. for IT Technicians or Governance, Regulation and Compliance roles) or because the job role includes cyber security functions among other things (e.g. Network Engineers whose role is broader than just network security). Typical job titles, other than those already mentioned, include Computer Support, IT Support Analyst and Applications Analyst.
• It is important to note that both sets of job roles typically require a mix of technical and non-technical cyber security skills, so these cannot simply be differentiated as technical vs. non-technical jobs in cyber security.

Ensuring consistency across studies

The data used for this study is in line with the previous year’s study (2023), replicating the Lightcast Analyst search strategy. We are therefore confident that our search strategy is well aligned to previous years.

Our approach has clear inclusion and exclusion criteria and can be replicated. We sought to exclude common words and roles that might generate misleading findings, e.g. removing words such as “financial”, “fire” or “CCTV” (indicating a different type of analyst or security role). We also excluded roles that mentioned “cyber security” but would be unlikely to employ core or cyber-enabled skillsets, such as sales, recruitment, or human resources roles. Finally, we systematically remove trainee positions whereby there is no clear known employer, e.g. an advertisement for a cyber security training programme with no known job outcome.

Strengths to this approach

This methodology adds a great deal of insight to the quantitative survey data, particularly around the geographical clustering of job postings. It also reinforces the survey findings in many areas, adding another layer of credibility to this data.

A summary of the advantages of this approach is as follows:

• Volume and granularity – we are able to analyse hundreds of thousands job postings over several years, exploring the specific jobs, skills, and qualifications in demand. It can also drill down into areas such as the specific coding languages being sought. This method can uncover geographic clustering (down to specific towns and cities) of high demand and skills shortages for cyber professionals.
• Real-time analysis – the highly up-to-date data on Lightcast can provide insight into the labour market at that given moment in time. By contrast, survey statistics and other secondary data are typically several months or years old, and they are not regularly updated. This is especially important given the fast-moving nature of cyber security and the evolving demand for skills.
• Strong coverage – the Lightcast platform scrapes more than 40,000 online data sources. Online postings reflect an estimated 85% of jobs posted in the labour market (versus, e.g. print media) The Lightcast platform is consistent with the previous year’s approach to the cyber labour market. Limitations However, the findings are based solely on job postings recorded on the Lightcast platform. This means that the data comes with the following limitations:
• Selection bias – Lightcast typically scrapes free-to-use job sites, which potentially leaves an (unknown) risk of bias if major employers are using closed platforms to post jobs, or other ways of recruiting such as networking and word-of-mouth. However, we believe this is offset by both the high volume and high coverage of the data that is available. This data still gives a strong insight into the trends and patterns in the labour market.
• Interpretation of job roles – the Lightcast interpretation of cyber security jobs is reliant upon their definition, based on the skills, job titles and qualifications expected for cyber roles. There is a risk that some roles within their interpretation may not truly be considered a cyber role (e.g. administrative staff working in the NHS responsible for document shredding, flagged as “Information Security”). This is the most substantial risk associated with this methodology and is why we have adopted a more bespoke search strategy, with the tailored inclusion/exclusion terms. These search terms reduce the risk of including non-cyber roles (false positives) within the analysis.

4.2 Metrics analysed

The analysis explores the following data outputs from the Lightcast database:

• The number of cyber security job postings in the UK, including a time-series analysis of the number of job postings posted each month over the last year.
• The employers and sectors advertising the largest number of cyber security vacancies.
• The geographic locations across the UK for these job postings.
• Advertised job titles (to analyse the job roles most in demand).
• Job descriptions (to analyse the skills, experience, education, and qualifications being requested).
• The salaries or salary ranges being offered in these job postings.
• The separately published findings report includes a comparison between cyber security roles, digital roles, and the broader UK labour market (in terms of the decline and recovery in job postings).

4.3 Presentation of percentages

In the findings report, we typically show the percentages from the job vacancies analysis to 1 decimal place. This is because, unlike the survey estimates, they are based on the entirety of the secondary dataset, rather than a survey sample – they are, therefore, not estimates with margins of error. Some of the metrics covered by the Lightcast dataset will have varying sample sizes. For example, whilst all roles will have a job title, there are other measures that can be less complete such as salary brackets or employer (where the advertisement is through a recruiter). Where the sample size is lower than the number of job postings, we set out the size of the underlying sample for each measure accordingly (i.e. in any charts).

5 Supply side analysis

Perspective Economics led this strand of the research. It replicated the methodology used in the previous year’s study (2023), to estimate the overall size of the current recruitment pool, as well as those likely to be entering the pool within the next 12 months (across 2023/24). In addition, this strand produces further statistics on the characteristics of the recruitment pool, in terms of:

• Demographic diversity
• The geographic location of graduates
• Their educational and occupational backgrounds (e.g. based on course titles)
• Their salary bands
• An estimation of inflows into and outflows from the recruitment pool, informing a calculation of the overall cyber workforce gap (the annual shortfall of people working in cyber roles)

5.1 Overview of metrics and data sources

Table 5.1 covers the full list of secondary data sources used in this strand and the time periods covered.

Table 5.1: Data sources for supply side analysis

Type	Metrics	Source	UK region covered	Time period covered
Further education data	▪ Number of (Degree) Apprenticeships ▪ Number of courses and students enrolled	Department for Education (DfE)	England only	2022/23 academic year (apprenticeships), and 2021/22 (further education)
Higher education data (currently enrolled students)	▪ Number of courses and higher education institutions ▪ Number of students enrolled ▪Course titles and providers (by undergraduate and postgraduate level) ▪Location (domicile, location of study, and location within 9 months of graduating) ▪ Demographics (gender identity, ethnicity, state school marker, age)	Higher Education Statistics Authority (HESA) and Jisc bespoke data requests, (specifically HESA Student Record data) Cyber security related course (agreed by Jisc, HESA and the National Cyber Security Centre, or NCSC) and Other Computer Science markers applied to filter data	▪ UK-wide (England, Scotland, Wales and Northern Ireland)	2021/22 academic year
Higher education data (graduate outcomes)	▪ Destination of graduates ▪ Standard Occupational Classification (SOC) 2010 and SOC 2020▪ Salary bands	HESA and Jisc bespoke data requests (specifically HESA Graduate Outcomes survey data) Same markers as above applied to filter data	UK-wide	2020/21 academic year (lag due to this being the most recent Graduate Outcomes survey data published)
Estimation of inflows	▪ Data on retraining, reskilling, entry from other sectors and remote working ▪ Certification data	Perspective Economics estimates based on updated certification data, where available	UK-wide	2023 estimate (certain data unchanged since the previous report)
Estimation of outflows	▪ Retirement and other reasons for leaving the cyber firm within last 12 months	Ipsos estimate based on the survey of cyber firms	UK-wide	Survey fieldwork undertaken in late 2023

5.2 Cyber workforce gap calculation

The calculation of the cyber workforce gap involves the following constituent parts:

• Part A – an estimate of the additional annual demand for people in cyber security roles (beyond the current workforce)
• Part B – an estimate of inflows into the cyber security labour market (the number of new entrants into the market)
• Part C – an estimate of outflows from the cyber security labour market (the number of people exiting the market).

The calculation itself is as follows: A - B + C

The rest of this section lays out how each constituent part is calculated and the key assumptions and limitations of the calculation. The actual calculation and figures for each of the constituent parts is included in Chapter 9 of the findings report.

Part A – an estimate of the additional annual demand for people in cyber security roles

This first step in this estimation involves the creation of an estimate for the size of the current cyber security recruitment pool. We have taken the estimated cyber security workforce from the Cyber Skills in the UK Labour Market research (2023) of c.133,400, and applied the estimated inflows and outflows set out within this year’s report (i.e. approximately 8,100 new entrants, and 4,700 exiting the sector). This suggests an estimated cyber workforce figure of c.136,800.

We then apply the 5% growth rate in Full Time Equivalents (FTEs) from the Cyber Sectoral Analysis 2023, to estimate the additional annual demand for the twelve-month period. This suggests that, assuming a 5% growth rate, the ecosystem could demand approximately 6,800 new individuals.

Part B – an estimate of inflows into the cyber security labour market

This is the sum of the following estimates covered in the findings report:

• The latest (2021/22) data on people graduating from higher education courses in cyber security
• The latest (2021/22) data on people graduating from higher education courses in computer science
• The latest (2022/23) data on people completing relevant apprenticeships
• An estimation of people completing other certified training or private training courses that enable them to transition to cyber security roles (e.g. from current roles in IT).

We estimate an inflow of approximately 8,100 people per annum into the UK cyber security workforce.

Part C – an estimate of outflows from the cyber security labour market

We use the survey estimate of the proportion of people leaving the cyber sector (covered in Chapter 9 of the findings report) and extrapolate this to the entire cyber security workforce (within and outside the cyber sector). Applying this survey estimate (3.5%) to our estimate for the size of the current cyber security recruitment workforce (136,800), we calculate the expected number of people who may leave the cyber workforce in 2024 (c.4,800 persons). Key assumptions and limitations

The estimate of the workforce gap inevitably makes various assumptions, which are necessitated by the limitations of the available data:

• In calculating the size of the current cyber security recruitment pool, we create a high-end (maximum) estimate based on the number of FTEs within the cyber sector. In practice, not all the FTEs within the cyber sector are people working in cyber roles. They will also include a number of people in non-cyber roles (e.g. in diversified companies that offer cyber and non-cyber products and services), as well as administrative staff. Nevertheless, this number provides a good starting point for a high-end estimate.
• To estimate the additional annual demand for 2024, we have assumed that the growth rate of the cyber sector in 2024 will match the growth rate in 2023 (calculated within the DSIT Cyber Security Sectoral Analysis 2023 at 5%). This is lower than the growth trend identified between 2019-22; however, we expect that softened labour demand in 2023 may continue into 2024.

6 Research burden

The Government Statistical Service (GSS) has a policy of monitoring and reducing statistical survey burden to participants where possible, and the burden imposed should be proportionate to the benefits arising from the use of the statistics. As a producer of statistics, DSIT is committed to monitoring and reducing the burden on those providing their information, and on those involved in collecting, recording and supplying data.

This section calculates the research compliance cost, in terms of the time cost on respondents, imposed by both the quantitative survey and qualitative fieldwork.

• The quantitative survey had 1,430 respondents and the average (mean) survey length was c.15.25 minutes. Therefore, the research compliance cost for the quantitative survey this year was [1,430 × 15.25 minutes = 363 hours].
• The qualitative research had 33 respondents and the average interview length was 60 minutes. Respondents completed the qualitative interviews in addition to the quantitative survey. The research compliance cost for the qualitative strand this year was [33 × 60 minutes = 33 hours]. In total, the compliance cost for the Cyber Security Skills in the UK Labour Market 2023 was 396 hours.

Appendix A: 2024 questionnaire

INTERVIEWER/ROUTING/SCRIPTING/TEXT SUBSTITUTION INSTRUCTIONS (I.E. EVERYTHING THAT WILL NOT APPEAR ON THE INTERVIEWER SCREEN) IN CAPS QUESTION/NEW SCREEN LABELS IN BOLD CAP

GENERAL BUSINESSES OR PUBLIC SECTOR (SAMPLE S_TYPE=1)
CHARITIES (SAMPLE S_TYPE=2)
CYBER SECTOR BUSINESSES (SAMPLE S_TYPE=3)

Introduction

SHOW IF TELEPHONE RESPONDENT (CATI)
CATIINTRO
Is this the head office for [SAMPLE S_CONAME]?

IF NOT THE HEAD OFFICE, ASK TO BE TRANSFERRED AND RESTART

Hello, my name is … from Ipsos, the independent research organisation. We are conducting a survey on behalf of the UK Government Department for Science, Innovation and Technology about cyber skills. This is an annual survey used to collect government statistics. It is relevant for all types of organisations.

SAMPLE S_FREENUMTEXT

SAMPLE S_RESPTEXTSUB

SAMPLE S_INCENTIVETEXT

Would you be happy to take part in an interview? This should take around 15 minutes for the average organisation and will be shorter for smaller organisations.

ADD IF NECESSARY:

• The survey will help inform government policy on how it can best help organisations like yours to address their skills and recruitment needs.
• As a thank you, we can send you a government help card with the latest official cyber security guidance for organisations. This would get emailed to you as soon as you complete the survey.

ADD DEFINITION OF CYBER SECURITY IF NECESSARY:

• By cyber security, I mean any strategy, processes, practices or technologies that organisations have in place to protect their networks, computers, programs, the data they hold, or the services they provide, from unauthorised access, harm or misuse.

REASSURANCES IF NECESSARY:

• Details of the survey are on the GOV.UK website at https://www.gov.uk/government/publications/understanding-the-uk-cyber-security-labour-market
• You can also Google the term “Understanding the UK cyber security labour market” to find the same link yourself.
• The survey has been endorsed by the UK Cyber Security Council and UKC3.
• SAMPLE INTROTX

SHOW IF ONLINE RESPONDENT (WEB)

INTROSCREEN
Thank you for taking part in this confidential Ipsos survey about cyber skills.

IF NON-CYBER SECTOR (SAMPLE S_TYPE=1-2): This survey should be completed by the senior person at your organisation with the most knowledge or responsibility for your cyber security? If you outsource cyber security, this would be the person within your organisation responsible for managing that contract.

IF CYBER SECTOR (SAMPLE S_TYPE=3): This survey should be completed by a senior person in the business who oversees recruitment and training, such as a director or owner.

Participation in the survey is voluntary and you can change your mind at any time. To check the survey is legitimate and to view Ipsos’ privacy policy, you can visit https://www.gov.uk/government/publications/understanding-the-uk-cyber-security-labour-market/research-on-cyber-security-skills-ipsos-privacy-policy. You can also Google the term “Understanding the UK cyber security labour market” to find the same link yourself.

Reassurance email

SHOW IF TELEPHONE RESPONDENT (CATI)
REASSURANCE_EMAIL
READ OUT IF TELEPHONE RESPONDENT (CATI) AND WANTS REASSURANCE EMAIL
Just so you know, this email has more information about the survey and gives you a unique link to complete all or part of the survey online, if you prefer this.

STANDARD OPTIONS TO SEND REASSURANCE EMAIL

Consent

ASK IF TELEPHONE RESPONDENT (CATI)
Q1w_CONSENTA
Before we start, I just want to clarify that participation in the survey is confidential and voluntary. Results of the survey will be anonymised and not attributable to you. You can change your mind at any time. Are you happy to proceed with the interview?

If you would like to read the privacy policy before we continue, I can give you the link. If you’re happy to proceed we’ll continue.
ADD IF NECESSARY: You can access the privacy policy on the gov.uk website at: https://www.gov.uk/government/publications/understanding-the-uk-cyber-security-labour-market/research-on-cyber-security-skills-ipsos-privacy-policy

SINGLE CODE
Yes
No
CODE 2 CLOSES SURVEY

ASK IF ONLINE RESPONDENT (WEB)
Q1x_ONLINERESP
IF NON-CYBER SECTOR (SAMPLE S_TYPE=1-2): Before we get started, can you confirm you are the senior person with most responsibility for your organisation’s own cyber security?

IF CYBER SECTOR (SAMPLE S_TYPE=3): Before we get started, can you confirm you are one of the following:

• a senior director in the business
• a member of the executive team (e.g. a Chief Executive)
• a senior member of the team within your business that offers cyber security products or services.

SINGLE CODE
Yes – a senior person
No

ASK IF CYBER SECTOR BUSINESS (SAMPLE S_TYPE=3)
Q1y_CONSENTC
Your business may have taken part in an Ipsos survey for DSIT in May, June or July 2023, which was about understanding the UK cyber sector. We can reuse your answers from that survey in this one to make it much shorter. To do this, we would have to match your business details across both surveys. Are you happy for us to do this?
INTERVIEWER NOTE: IF THEY SAY NO, REITERATE THAT THIS IS SO WE CAN AVOID ASKING THEM TO REPEAT THEIR ANSWERS IN THE PREVIOUS SURVEY.

SINGLE CODE
Yes – reuse
No – don’t reuse
Didn’t take part in previous survey

DUMMY VARIABLE NOT ASKED
Q1z_CONSENTCDUM

SINGLE CODE
IF TOOK PART IN SECTORAL ANALYSIS AND GIVE CONSENT FOR DATA LINKING (SAMPLE S_SECTORAL=1 AND CONSENTC CODE 1): Skip questions OTHERWISE (SAMPLE S_SECTORAL=2 OR CONSENTC CODES 2 OR 3): Do not skip questions

ASK IF TELEPHONE RESPONDENT AND SAMPLED AS LARGE BUSINESS OR CYBER SECTOR ((CATI AND S_INCENTIVE=_01) OR (CATI AND SAMPLE S_TYPE=3))
Q48x_INCENTIVE
We will make a £10 charity donation on your behalf as a thank you for taking part. We have three charities for you to choose from:

• Turn2us
• The NSPCC
• Samaritans

ADD IF NECESSARY:

• Turn2us helps people in financial need gain access to charitable grants and other financial help.
• The NSPCC, or National Society for the Prevention of Cruelty to Children, is a charity campaigning and working in child protection in the United Kingdom.
• Samaritans provides emotional support to anyone in emotional distress, struggling to cope, or at risk of suicide throughout the United Kingdom and Ireland.

PROMPT TO CODE

SINGLE CODE
Turn2us
The NSPCC
Samaritans
Prefer not to donate

Organisational profile

READ OUT IF TELEPHONE RESPONDENT AND NOT SKIPPING QUESTIONS (CATI AND CONSENTCDUM NOT CODE 1)
PROFILEINTRO
First, some questions about your organisation as a whole.

ASK IF BUSINESS OR PUBLIC SECTOR (SAMPLE S_TYPE=1)
Q1_TYPEX
Is your organisation … ?
READ OUT
INTERVIEWER NOTE: IF THEY HAVE A SOCIAL PURPOSE BUT STILL MAKE A PROFIT (E.G. PRIVATE PROVIDER OF HEALTH OR SOCIAL CARE) CODE AS CODE 1

SINGLE CODE
Mainly seeking to make a profit
A social enterprise
A charity or voluntary sector organisation
A government-financed body or public sector organisation
DO NOT READ OUT: Don’t know

DUMMY VARIABLE NOT ASKED
Q1a_TYPEXDUM
Is your organisation … ?

SINGLE CODE
IF SAMPLE S_TYPE=1 AND TYPEX CODES 1, 2 OR DK: Private sector
IF SAMPLE S_TYPE=2 OR TYPEX CODE 3: Charity
IF SAMPLE S_TYPE=1 AND TYPEX CODE 4: Public sector
IF SAMPLE S_TYPE=3: Cyber sector

SCRIPT TO BASE BUSINESS/CHARITY [director/trustee] AND [turnover/income] AND [staff/staff or volunteers] TEXT SUBSTITUTIONS ON TYPEXDUM (USE CHARITY TEXT IF TYPEXDUM CODE 2, ELSE BUSINESS TEXT)

ASK IF NOT SKIPPING QUESTIONS (CONSENTCDUM NOT CODE 1)
Q2_SIZEA
ASK IF NOT CHARITY OR PUBLIC SECTOR (TYPEXDUM CODES 1, 4 OR 5)
Including yourself, how many employees work in your organisation across the UK as a whole?
ADD IF NECESSARY: By that we mean both full-time and part-time employees on your payroll, as well as any working proprietors or owners in the UK.
ASK IF CHARITY (TYPEXDUM CODE 2)
Including yourself, how many employees, volunteers and trustees working in your organisation across the UK as a whole?
ADD IF NECESSARY: By that we mean both full-time and part-time employees on your payroll, as well as people who regularly volunteer for your organisation in the UK. This does not include operations outside the UK.
ASK IF LOCAL AUTHORITY (SAMPLE S_LASTATUS=1 OR 2 AND TYPEXDUM CODE 3)
Including yourself, how many employees and council members are there in your organisation?
ASK IF OTHER PUBLIC SECTOR (SAMPLE S_LASTATUS≠1 OR 2 AND TYPEXDUM CODE 3)
Including yourself, how many employees work in your organisation? For example, if you were working in an NHS Trust, we want to know how many people work in that Trust, not the NHS as a whole.

PROBE FOR BEST ESTIMATE BEFORE CODING DK
WRITE IN RANGE 2 TO 99,999
(SOFT CHECK IF >9,999)
DO NOT READ OUT: Don’t know
WEB: I am the sole trader CLOSE SURVEY IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4)
CATI: Respondent is sole trader CLOSE SURVEY IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4)

ASK IF DON’T KNOW SIZE OF ORGANISATION (SIZEA CODE DK)
Q3_SIZEB
ASK IF NOT CHARITY OR PUBLIC SECTOR (TYPEXDUM CODES 1, 4 OR 5)
Which of these best represents the number of employees working in your organisation across the UK as a whole, including yourself?
ASK IF CHARITY (TYPEXDUM CODE 2)
Which of these best represents the number of employees, volunteers and trustees working in your organisation across the UK as a whole, including yourself?
ASK IF LOCAL AUTHORITY (SAMPLE S_LASTATUS=1 OR 2 AND TYPEXDUM CODE 3)
Which of these best represents the number of employees and council members in your organisation, including yourself?
ASK IF OTHER PUBLIC SECTOR (SAMPLE S_LASTATUS≠1 OR 2 AND TYPEXDUM CODE 3)
Which of these best represents the number of employees working in your organisation across the UK as a whole, including yourself?
PROBE FULLY, I.E. UNTIL YOU REACH THE RIGHT RESPONSE

SINGLE CODE
Under 10
10 to 49
50 to 249
250 to 999
1,000 or more
DO NOT READ OUT: Don’t know

DUMMY VARIABLE NOT ASKED
Q3a_SIZE
Which of these best represents the number of employees, volunteers and trustees working in your organisation, including yourself?

SINGLE CODE, MERGE RESPONSES FROM SAMPLE S_SECTORALSIZE, SIZEA AND SIZEB
Under 10
10 to 49
50 to 249
250 to 999
1,000 or more
Don’t know

ASK IF IDBR SAMPLE BUT SELF-IDENTIFY AS CHARITY IN QUESTIONNAIRE (SAMPLE S_TYPE=1 AND TYPEXDUM CODE 2)
Q4_SALESA
In the financial year just gone, what was the approximate income of your organisation across the UK as a whole?
PROBE FOR BEST ESTIMATE BEFORE CODING DK

WRITE IN RANGE £0+
(SOFT CHECK IF <£1,000 OR >£50,000,000)
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Refused

ASK IF DON’T KNOW NUMERIC TURNOVER OF ORGANISATION (SALESA CODE DK OR REF)
Q5_SALESB
Which of these best represents the income of your organisation across the UK as a whole in the financial year just gone?
PROBE FULLY, I.E. UNTIL YOU REACH THE RIGHT RESPONSE

SINGLE CODE
£0 to under £10,000
£10,000 to under £100,000
£100,000 to under £500,000
£500,000 to under £5 million
£5 million or more
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Refused

DUMMY VARIABLE NOT ASKED
Q5a_SALES
Which of these best represents the income of your organisation across the UK as a whole in the financial year just gone?

SINGLE CODE, MERGE RESPONSES FROM SAMPLE S_INCOMEBAND, SALESA AND SALESB
£0 to under £10,000
£10,000 to under £100,000
£100,000 to under £500,000
£500,000 to under £5 million
£5 million or more
Don’t know
Refused

Q6.DEFINE DELETED POST-PILOT IN 2018

Outsourcing

ASK IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4)
Q7_OUTSOURCE
Are any aspects of your cyber security handled by individuals or organisations outside your own organisation? This does not include software firms providing technical support or security updates for their own applications, such as Microsoft updates to Office 365.
ADD IF NECESSARY: This may include a service provider that manages your IT or network, or helps you recover from cyber incidents.
DO NOT READ OUT

SINGLE CODE
Yes
No
Don’t know

READ OUT IF TELEPHONE RESPONDENT AND OUTSOURCE (CATI AND OUTSOURCE CODE 1)
OUTSOURCEINTRO
I’d now like to ask a few more questions about this outsourcing.

Q8.HOWMUCH DELETED IN 2020

Q9.REASONOUT DELETED IN 2020

Q10.INVESTOUT DELETED POST-PILOT IN 2018

Q11.INVESTOUTB DELETED POST-PILOT IN 2018

Q12.OUTVALUES DELETED POST-PILOT IN 2018

ASK IF OUTSOURCE (OUTSOURCE CODE 1)
Q13_WHATOUT
Which of the following aspects of cyber security are covered by your outsourced provider or providers?
READ OUT

CATI: ASK AS A GRID
WEB: ASK AS A COLLAPSABLE GRID
RANDOMISE STATEMENT ORDER BUT KEEP i LAST
a. Setting up firewalls
b. Choosing secure settings for devices or software
c. Controlling which users have IT or admin rights
d. Detecting and removing malware on the organisation’s devices
e. Keeping software up to date
f. Restricting what software can run on the organisation’s devices
g. Creating back-ups of your files and data
h. Incident response or recovery
i. Any higher-level functions, which could include things like:

• security engineering or architecture
• penetration testing or vulnerability scanning
• using threat intelligence tools
• forensic analysis
• interpreting malicious code
• or using tools to monitor user activity

j. An external Security Operations Centre
k. Setting up new and secure user accounts and authentications
SINGLE CODE
Yes, outsourced
No, not outsourced
DO NOT READ OUT: Don’t know

ASK IF OUTSOURCE HIGHER-LEVEL FUNCTIONS (WHATOUT i CODE 1)
Q14_WHATHIGHER
Which of the following specific higher-level functions are covered by your outsourced provider or providers?
READ OUT

CATI: ASK AS A GRID
WEB: ASK AS A COLLAPSABLE GRID
RANDOMISE STATEMENT ORDER
a. Designing secure networks, systems and application architectures
b. Penetration testing
c. Using cyber threat intelligence tools or platforms
d. Carrying out forensic analysis of cyber security breaches
e. Interpreting malicious code, or the results shown after running anti-virus software
f. Using tools to monitor user activity
g. Carrying out vulnerability scans
h. Any automated defences against malicious network traffic

SINGLE CODE
Yes
No
DO NOT READ OUT: Don’t know

Q15.DEALINGOUT DELETED IN 2020

Q16.PERFORMOUT DELETED POST-PILOT IN 2018

Workforce size

READ OUT IF TELEPHONE RESPONDENT AND NOT CYBER SECTOR (CATI AND TYPEXDUM NOT CODE 4)
WORKFORCEINTRO
Now I’d like to ask some questions about you and others within your organisation.

SHOW IF ONLINE RESPONDENT AND NOT CYBER SECTOR (WEB AND TYPEXDUM NOT CODE 4)
WORKFORCESCREEN
The following questions are about you and others within your organisation.

Q16a.TITLE DELETED IN 2021

ASK IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4)
Q17_TEAM
Within your organisation, how many people, including yourself, are directly involved in managing or running your organisation’s cyber security? [IF OUTSOURCE (OUTSOURCE CODE 1): This includes whoever deals with your outsourced provider.]

WRITE IN RANGE 1 TO [SIZEA OR TOP END OF SIZEB] OR [99 IF SIZE=DK]
IF MICRO (SIZEA CODE<10 OR SIZEB CODE 1): (SOFT CHECK IF >3)
IF SMALL (SIZEA 9<CODE<50 OR SIZEB CODE 2): (SOFT CHECK IF >9)
IF MEDIUM (SIZEA 49<CODE<250 OR SIZEB CODE 3): (SOFT CHECK IF >9)
IF LARGE (SIZEA 249<CODE OR [SIZEB CODES 4 TO 5 OR DK]): (SOFT CHECK IF >30)
DO NOT READ OUT: Don’t know

ASK IF CYBER SECTOR, NOT SOLE TRADER AND NOT SKIPPING QUESTIONS (SIZEA NOT SOLE TRADER CODE AND CONSENTCDUM CODE 2)
Q17a_CYBERSIZE
How many of your VALUE AT SIZEA OR SIZEB EXCEPT IF SIZEB CODE DK employees are working in cyber security roles? By that we mean anyone involved in the development, sales or delivery of cyber security products or services.
PROBE FOR BEST ESTIMATE BEFORE CODING DON’T KNOW

WRITE IN RANGE 1 TO SIZEA OR TOP END OF SIZEB, OTHERWISE 99,999
(SOFT CHECK IF >9,999)
DO NOT READ OUT: Don’t know

ASK IF DON’T KNOW EXACT NUMBER OF CYBER STAFF (CYBERSIZE CODE DK)
Q17b_CYBERSIZEB
Are there approximately … ?
PROBE FULLY (I.E. UNTIL YOU REACH THE RIGHT ANSWER)

SINGLE CODE AND ONLY SHOW CODES AT OR UNDER CODE AT SIZEA OR SIZEB
1 to 4
5 to 9
10 to 29
30 to 49
50 to 249
250 to 499
500 to 999
1,000 or more
DO NOT READ OUT: Don’t know

DUMMY VARIABLE NOT ASKED
Q17c_CYBERSIZEDUM
How many of your employees are working in cyber security roles?

MERGE RESPONSES FROM SAMPLE S_SECTORALCYBERSIZE AND CYBERSIZE, AND SIZEA IF SOLE TRADER
WRITE IN RANGE 1 TO 99,999
Don’t know

DUMMY VARIABLE NOT ASKED
Q17d_CYBERSIZEBDUM
How many of your employees are working in cyber security roles?

SINGLE CODE, MERGE RESPONSES FROM SAMPLE S_SECTORALCYBERSIZE, S_SECTORALCYBERSIZEB, CYBERSIZE AND CYBERSIZEB, AND SIZEA IF SOLE TRADER
1 to 4
5 to 9
10 to 29
30 to 49
50 to 249
250 to 499
500 to 999
1,000 or more
Don’t know

ASK IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4)
Q18_PATHWAY
ASK IF ONE PERSON (TEAM=1): How did you enter this role dealing with cyber security within your organisation?
ASK IF MORE THAN ONE PERSON (TEAM>1 OR DK): Of all the [TEAM] people directly involved in cyber security within your organisation, how many entered this role in each of the following ways?
WEB: Please write the number next to each category.
READ OUT
IF ONE PERSON (TEAM=1): INTERVIEWER NOTE: CODE “1” AT RELEVANT RESPONSE

ASK AS A GRID
a. Absorbing this role into an ongoing non-cyber security related role
b. Recruited internally into a cyber-specific role
c. Recruited externally from a non-cyber security related previous role
d. Recruited externally from a previous role in cyber security
e. As a career starter, for example a graduate or apprentice

WRITE IN RANGE 1 TO TEAM OR [99 IF TEAM=DK] FOR EACH STATEMENT
HARD CHECK IF TOTAL ACROSS STATEMENTS >TEAM
DO NOT READ OUT: Don’t know

READ OUT IF TELEPHONE RESPONDENT AND CYBER SECTOR AND MORE THAN ONE PERSON IN A CYBER ROLE (CATI AND CYBERSIZEDUM≠1)
CYBERINTRO
Now we would like to ask some questions about the people working in cyber security roles within your organisation, including you.
IF SKIPPING QUESTIONS (CONSENTCDUM CODE 1): In the previous survey you took part in, we recorded that this was [CYBERSIZEDUM OR CYBERSIZEBDUM] employees.

SHOW IF ONLINE RESPONDENT AND CYBER SECTOR AND MORE THAN ONE PERSON IN A CYBER ROLE (WEB AND CYBERSIZEDUM≠1)
CYBERSCREEN
Now we would like to ask some questions about the people working in cyber security roles within your organisation, including you.
IF SKIPPING QUESTIONS (CONSENTCDUM CODE 1): In the previous survey you took part in, we recorded that this was [CYBERSIZEDUM OR CYBERSIZEBDUM] employees.

ASK IF CYBER SECTOR AND MORE THAN ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM≠1)
Q18a_CYBERSENIOR
Of all these [CYBERSIZEDUM OR CYBERSIZEBDUM] employees, how many are principal or director-level staff? These staff typically have around 6 or more years of experience.

WRITE IN RANGE 1 TO CYBERSIZEDUM OR TOP OF CYBERSIZEBDUM FOR EACH STATEMENT
HARD CHECK IF TOTAL ACROSS STATEMENTS >CYBERSIZEDUM OR TOP OF CYBERSIZEBDUM
DO NOT READ OUT: Don’t know

DUMMY VARIABLE NOT ASKED
Q18x_CYBERSENIORDUM
How many are principal or director-level staff?

SINGLE CODE
IF CYBERSIZEDUM=1, CODE 1
OTHERWISE MERGE RESPONSES FROM CYBERSENIOR

ASK IF SMALL CYBER SECTOR (CYBERSIZEBDUM CODES 1 TO 3)
Q18b_PATHWAYNUM
IF ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM=1): Did you enter this role in any of the following ways?
IF MORE THAN ONE (CYBERSIZEDUM≠1): Of all the [CYBERSIZEDUM OR CYBERSIZEBDUM] employees working in cyber security roles, including you, how many entered this role in each of the following ways?
WEB: Please write the number next to each category.
READ OUT

ASK AS A GRID
a. Recruited or joined from a non-cyber security related previous role
b. Recruited or joined from a previous role in cyber security
c. As a career starter, for example a graduate or apprentice

WRITE IN RANGE 1 TO CYBERSIZEDUM OR TOP OF CYBERSIZEBDUM FOR EACH STATEMENT
HARD CHECK IF TOTAL ACROSS STATEMENTS >CYBERSIZEDUM OR TOP OF CYBERSIZEBDUM
DO NOT READ OUT: Don’t know

ASK IF LARGE CYBER SECTOR (CYBERSIZEBDUM CODES 4 TO DK)
Q18c_PATHWAYPER
Of all the [CYBERSIZEDUM OR CYBERSIZEBDUM] employees working in cyber security roles, including you, roughly what percentage entered this role in each of the following ways?
READ OUT
PROBE FULLY (I.E. UNTIL YOU REACH THE RIGHT ANSWER)

CATI: ASK AS A GRID
WEB: ASK AS A COLLAPSABLE GRID
a. Recruited or joined from a non-cyber security related previous role
b. Recruited or joined from a previous role in cyber security
c. As a career starter, for example a graduate or apprentice

SINGLE CODE
None of them
Under a quarter
More than a quarter, under a half
More than a half, under three-quarters
More than three-quarters, but not all
All of them (i.e. 100%)
DO NOT READ OUT: Don’t know

Q18d.JOBROLENUM DELETED IN 2023

Q18e.JOBROLEPER DELETED IN 2023

ASK IF TELEPHONE RESPONDENT AND CYBER SECTOR (CATI AND TYPEXDUM CODE 4)
Q18f_WEBSITE
For this next question, we would briefly like you to look at a website, which lists the UK Cyber Security Council’s 16 cyber security specialisms. This is available by Googling “cyber career framework (Previously known as UK Cyber security councils careers route map”, or I can give you the exact weblink. You will need to scroll down the page to see the 16 specialisms.

If needed, you can click on each specialism to bring up a brief description of it, but you don’t need to click on the “Learn More” button to answer this question.

ADD IF NECESSARY: https://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/

ADD IF NECESSARY (BUT ENCOURAGE WEBSITE ACCESS DURING INTERVIEW): If you’re unable to access the website right now, we can send you a link to answer this question online after the interview. DO NOT PROMPT. JUST CODE THE RESPONSE

SINGLE CODE
Has accessed website
Cannot access website during interview

ASK IF ACCESSED WEBSITE IN TELEPHONE INTERVIEW OR CYBER SECTOR AND ONLINE RESPONDENT (WEBSITE CODE 1 OR (TYPEXDUM CODE 4 AND WEB))
Q18g_JOBROLE
IF ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM=1): Which of these cyber security specialisms would you say best describes your role?
IF MORE THAN ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM≠1): Do any of the employees working in cyber security roles, including you, specialise in any of these roles?

ADD IF NECESSARY: If you work across multiple areas, a specialism would be the area in which you spend most of your time in this role. Or if your work is equally spread across areas, you would be a Cyber Security Generalist.
INTERVIEWER NOTE REFER
DO NOT READ OUT

MULTICODE
REVERSE ORDER FOR WEB (NOT CATI), EXCEPT CODE 17
a. Cryptography and Communications Security – the designing, development, testing, implementation and operation of a system or product to provide cryptographic and/or secure communications
b. Cyber Security Audit and Assurance – the verification that systems and processes meet the specified security requirements and that processes to verify on-going compliance are in place
c. Cyber Security Generalist – the performance of the duties of multiple cyber security specialisms in one role
d. Cyber Security Governance and Risk Management – the monitoring of compliance with agreed cyber security policies and the assessment and management of relevant risks
e. Cyber Security Management – the management of cyber security resources, staff and policies at an enterprise level in line with business objectives and regulatory requirements
f. Cyber Threat Intelligence – the assessment, validation and reporting of information on current and potential cyber threats to maintain an organisation’s situational awareness
g. Data Protection and Privacy – the management of the protection of data, enabling an organisation to meet its contractual, legal and regulatory requirements
h. Digital Forensics – the process of identifying and reconstructing the relevant sequence of events that have led to the currently observable state of a target IT system
i. Identity and Access Management – the management of policies, procedures and controls to ensure that only authorised individuals access information or computer-controlled resources
j. Incident Response – the preparation for, handling of and following up of cyber security incidents, to minimise the damage to an organisation and prevent recurrence
k. Network Monitoring and Intrusion Detection – the monitoring of network and system activity to identify unauthorised actions by users or potential intrusion by an attacker
l. Secure Operations – the management of an organisation’s information systems operations in accordance with the agreed Security Policy
m. Secure System Architecture and Design – the designing of an IT system to meet its security requirements, balancing this with its functional requirements
n. Secure System Development – the development and updating of a system or product, in conformance with agreed security requirements and standards, throughout its lifecycle
o. Security Testing – the testing of a network, system, product or design, against the specified security requirements and/or for vulnerabilities (penetration testing)
p. Vulnerability Management – the management of the configuration of protected systems to ensure that any vulnerabilities are understood and managed q. Another area

ASK IF SELECTED CODE C (CYBER SECURITY GENRALIST) AT QUESTION Q18g.JOBROLE

Q18j.You have said you have employees working in a Cyber Security Generalist role. Which, if any, of the following responsibilities do you consider to be part of your employees Cyber Security Generalist role?

MULTICODE
ROTATE ORDER FOR WEB AND CATI, EXCEPT CODES L,M,N,O

a) track vulnerabilities in software, systems and networks
b) identify and assess cyber threats
c) design security controls, including those affecting the selection and development of systems
d) draft cyber security policies and procedures, particularly for the secure operation of systems
e) test and report on the security of an organisation’s systems and networks
f) manage external providers who provide cyber security services
g) advise IT staff and business managers on cyber security risks and controls, including procedures and staff behaviours
h) brief and train non-cyber staff on cyber security awareness and safe practice
i) be responsible for the overall performance and security of live systems
j) work with managers in other teams to ensure effective cyber security across the organisation
k) recruit, train and assess others in relation to cyber security
l) Other, WRITE IN
m) Don’t know
n) All of the above
o) None of the above

Workforce diversity
Q19.DIVERSITYA DELETED IN 2020

READ OUT IF TELEPHONE RESPONDENT AND CYBER SECTOR (CATI AND TYPEXDUM CODE 4)
DIVERSITYINTRO
These next questions help the government to measure diversity across the whole cyber security sector. The answers won’t be linked to your business.

SHOW IF ONLINE RESPONDENT AND CYBER SECTOR (WEB AND TYPEXDUM CODE 4)
DIVERSITYSCREEN
These next questions help the government to measure diversity across the whole cyber security sector. The answers won’t be linked to your business.

ASK IF SMALL CYBER SECTOR (CYBERSIZEBDUM CODES 1 TO 3)
Q19a_FEMALENUM
IF ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM=1): Would you describe yourself as female?
IF MORE THAN ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM≠1): Of all the [CYBERSIZEDUM OR CYBERSIZEBDUM] employees working in cyber security roles, how many are female?
ADD IF NECESSARY: The answers won’t be linked to your business. They will be aggregated across all interviews, to help us measure diversity across the whole cyber security sector.

WRITE IN RANGE 0 TO CYBERSIZEDUM OR TOP OF CYBERSIZEBDUM
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

ASK IF SMALL CYBER SECTOR (CYBERSIZEBDUM CODES 1 TO 3)
Q19b_BAMENUM
IF ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM=1): Would you describe yourself as being from an ethnic minority background?
IF MORE THAN ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM≠1): How many are from ethnic minority backgrounds?
ADD IF NECESSARY: The answers won’t be linked to your business. They will be aggregated across all interviews, to help us measure diversity across the whole cyber security sector.

WRITE IN RANGE 0 TO CYBERSIZEDUM OR TOP OF CYBERSIZEBDUM
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

ASK IF SMALL CYBER SECTOR (CYBERSIZEBDUM CODES 1 TO 3)
Q19x_DISABILITYNUM
IF ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM=1): Would you describe yourself as having a disability? That is, any long-standing illness, condition or impairment, which causes difficulty with day-to-day activities.
IF MORE THAN ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM≠1): How many have a disability? That is, any long-standing illness, condition or impairment, which causes difficulty with day-to-day activities.
ADD IF NECESSARY: The answers won’t be linked to your business. They will be aggregated across all interviews, to help us measure diversity across the whole cyber security sector.

WRITE IN RANGE 0 TO CYBERSIZEDUM OR TOP OF CYBERSIZEBDUM
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

ASK IF SMALL CYBER SECTOR (CYBERSIZEBDUM CODES 1 TO 3)
Q19c_NEURONUM
IF ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM=1): Would you describe yourself as having any neurodiverse conditions or learning disorders, such as autism, Asperger syndrome, dyslexia, dyspraxia and attention deficit hyperactivity disorder (ADHD)?
IF MORE THAN ONE PERSON IN A CYBER ROLE (CYBERSIZEDUM≠1): How many have neurodiverse conditions or learning disorders, such as autism, Asperger syndrome, dyslexia, dyspraxia and attention deficit hyperactivity disorder (ADHD)?
ADD IF NECESSARY: The answers won’t be linked to your business. They will be aggregated across all interviews, to help us measure diversity across the whole cyber security sector.

WRITE IN RANGE 0 TO CYBERSIZEDUM OR TOP OF CYBERSIZEBDUM
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

Q20.DIVERSITYB DELETED IN 2020

ASK IF LARGE CYBER SECTOR (CYBERSIZEBDUM CODES 4 TO DK)
Q20a_FEMALEPER
Of all the [CYBERSIZEDUM OR CYBERSIZEBDUM] employees working in cyber security roles, roughly what percentage are female?
PROBE FOR BEST ESTIMATE BEFORE CODING DON’T KNOW
ADD IF NECESSARY: The answers won’t be linked to your business. They will be aggregated across all interviews, to help us measure diversity across the whole cyber security sector.

WRITE IN RANGE 0 TO 100
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

ASK IF CAN’T SAY EXACT PERCENTAGE (FEMALEPER CODE DK OR REF)
Q20b_FEMALEPERB
Is it … ?
PROBE FULLY (I.E. UNTIL YOU REACH THE RIGHT ANSWER)

SINGLE CODE
None of them
Under a quarter
More than a quarter, under a half
More than a half, under three-quarters
More than three-quarters, but not all
All of them (i.e. 100%)
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

ASK IF LARGE CYBER SECTOR (TYPEXDUM CODE 4 AND CYBERSIZEBDUM CODES 4 TO DK)
Q20c_BAMEPER
Roughly what proportion are from ethnic minority backgrounds?
PROBE FULLY (I.E. UNTIL YOU REACH THE RIGHT ANSWER)
ADD IF NECESSARY: The answers won’t be linked to your business. They will be aggregated across all interviews, to help us measure diversity across the whole cyber security sector.

SINGLE CODE
None of them
Under a quarter
More than a quarter, under a half
More than a half, under three-quarters
More than three-quarters, but not all
All of them (i.e. 100%)
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

ASK IF LARGE CYBER SECTOR (CYBERSIZEBDUM CODES 4 TO DK)
Q20d_DISABILITYPER
Roughly what proportion have a disability? That is, any long-standing illness, condition or impairment, which causes difficulty with day-to-day activities. ADD IF NECESSARY: The answers won’t be linked to your business. They will be aggregated across all interviews, to help us measure diversity across the whole cyber security sector.

SINGLE CODE
None of them
Under a quarter
More than a quarter, under a half
More than a half, under three-quarters
More than three-quarters, but not all
All of them (i.e. 100%)
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

ASK IF LARGE CYBER SECTOR (CYBERSIZEBDUM CODES 4 TO DK)
Q20e_NEUROPER
Roughly what proportion have neurodiverse conditions or learning disorders, such as autism, Asperger syndrome, dyslexia, dyspraxia and attention deficit hyperactivity disorder (ADHD)?
PROBE FULLY (I.E. UNTIL YOU REACH THE RIGHT ANSWER)
ADD IF NECESSARY: The answers won’t be linked to your business. They will be aggregated across all interviews, to help us measure diversity across the whole cyber security sector.

SINGLE CODE
None of them
Under a quarter
More than a quarter, under a half
More than a half, under three-quarters
More than three-quarters, but not all
All of them (i.e. 100%)
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

DUMMY VARIABLE NOT ASKED
Q_DISADVDUM

MULTICODE
CODE 1 IF HAVE WOMEN IN CYBER ROLES ((FEMALENUM>0 OR FEMALEPER>0 OR (FEMALEPERB NOT CODE 1 OR DK OR REF))
CODE 2 IF HAVE ETHNIC MINORITIES IN CYBER ROLES ((BAMENUM>0 OR (BAMEPER NOT CODE 1 OR DK OR REF))
CODE 3 IF HAVE DISABLED PEOPLE IN CYBER ROLES ((DISABILITYNUM>0 OR (DISABLITYPER NOT CODE 1 OR DK OR REF))
CODE 4 IF HAVE NEURODIVERGENT PEOPLE IN CYBER ROLES ((NEURONUM>0 OR (NEUROPER NOT CODE 1 OR DK OR REF))

READ OUT IF TELEPHONE RESPONDENT AND HAVE ANY DISADVANTAGED GROUPS IN CYBER ROLES AND MORE THAN ONE PERSON IN A CYBER ROLE AND ANSWERED HOW MANY IN SENIOR CYBER ROLES (CATI AND DISADVDUM CODES 1-4 AND CYBERSIZEDUM≠1 AND CYBERSENIORDUM NOT DK)
SENIORINTRO
On the same theme, these next questions focus on your [CYBERSENIORDUM] principal or director-level cyber staff.

SHOW IF ONLINE RESPONDENT AND HAVE ANY DISADVANTAGED GROUPS IN CYBER ROLES AND MORE THAN ONE PERSON IN A CYBER ROLE AND ANSWERED HOW MANY IN SENIOR CYBER ROLES (WEB AND DISADVDUM CODES 1-4 AND CYBERSIZEDUM≠1 AND CYBERSENIORDUM NOT DK)
SENIORSCREEN
On the same theme, these next questions focus on your [CYBERSENIORDUM] principal or director-level cyber staff.

IF HAVE WOMEN IN CYBER ROLES AND MORE THAN ONE PERSON IN A CYBER ROLE AND ANSWERED HOW MANY IN SENIOR CYBER ROLES ((FEMALENUM>0 OR FEMALEPER>0 OR (FEMALEPERB=2-6) AND CYBERSIZEDUM>1 AND CYBERSENIORDUM>0)
Q20xb_FEMALESENIOR
IF ONE PERSON IN A SENIOR CYBER ROLE (CYBERSENIORDUM=1): Is this principal or director-level staff member female?
IF MORE THAN ONE PERSON IN A SENIOR CYBER ROLE (CYBERSENIORDUM≠1): How many of the principal or director-level staff members are female?
ADD IF NECESSARY: We’d like an approximate number rather than a percentage.

WRITE IN RANGE 0 TO LOWEST OF FEMALENUM, CYBERSIZEDUM, CYBERSENIORDUM, TOP OF CYBERSIZEBDUM OR 99
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

If HAVE ETHNIC MINORITIES IN CYBER ROLES AND MORE THAN ONE PERSON IN A CYBER ROLE AND ANSWERED HOW MANY IN SENIOR CYBER ROLES ((BAMENUM>0 OR (BAMEPER=2-6) AND CYBERSIZEDUM>1 AND CYBERSENIORDUM>0)
Q20xc_BAMESENIOR
IF ONE PERSON IN A SENIOR CYBER ROLE (CYBERSENIORDUM=1): Is this principal or director-level staff member from an ethnic minority background?
IF MORE THAN ONE PERSON IN A SENIOR CYBER ROLE (CYBERSENIORDUM≠1): How many of the principal or director-level staff members are from ethnic minority backgrounds?
ADD IF NECESSARY: We’d like an approximate number rather than a percentage.

WRITE IN RANGE 0 TO LOWEST OF BAMENUM, CYBERSIZEDUM, CYBERSENIORDUM, TOP OF CYBERSIZEBDUM OR 99
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

If HAVE DISABLED MINORITIES IN CYBER ROLES AND MORE THAN ONE PERSON IN A CYBER ROLE AND ANSWERED HOW MANY IN SENIOR CYBER ROLES ((DISABILITYNUM >0 OR (DISABLITYPER =2-6) AND CYBERSIZEDUM>1 AND CYBERSENIORDUM>0)
Q20xd_DISABILITYSENIOR
IF ONE PERSON IN A SENIOR CYBER ROLE (CYBERSENIORDUM=1): Is this principal or director-level staff member disabled?
IF MORE THAN ONE PERSON IN A SENIOR CYBER ROLE (CYBERSENIORDUM≠1): How many of the principal or director-level staff members are disabled?
ADD IF NECESSARY: We’d like an approximate number rather than a percentage.

WRITE IN RANGE 0 TO LOWEST OF DISABLILTYNUM, CYBERSIZEDUM, CYBERSENIORDUM, TOP OF CYBERSIZEBDUM OR 99
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

IF HAVE NEURODIVERGENT PEOPLE IN CYBER ROLES AND MORE THAN ONE PERSON IN A CYBER ROLE AND ANSWERED HOW MANY IN SENIOR CYBER ROLES ((NEURONUM>0 OR (NEUROPER=2-6)) AND CYBERSIZEDUM>1 AND CYBERSENIORDUM>0)
Q20xe_NEUROSENIOR
IF ONE PERSON IN A SENIOR CYBER ROLE (CYBERSENIORDUM=1): Is this principal or director-level staff member a person with any neurodiverse conditions? IF MORE THAN ONE PERSON IN A SENIOR CYBER ROLE (CYBERSENIORDUM≠1): How many of the principal or director-level staff members are people with any neurodiverse conditions?
ADD IF NECESSARY: We’d like an approximate number rather than a percentage.

WRITE IN RANGE 0 TO LOWEST OF DISABLILTYNUM, CYBERSIZEDUM, CYBERSENIORDUM, TOP OF CYBERSIZEBDUM OR 99
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Prefer not to say

Q21.DIVERSITYDUM DELETED IN 2020

Workforce qualifications

ASK IF CYBER SECTOR (TYPEXDUM CODE 4) Q22_QUALS
Do you or any other employees in cyber security roles have, or are they working towards, any cyber security-related qualifications or certified training?
DO NOT READ OUT

SINGLE CODE
Yes
No
Don’t know

ASK IF QUALIFICATIONS (QUALS CODE 1)
Q23_WHICHQUALS
Which of the following types of qualifications or certified training do you or other employees have, or are they working towards?
READ OUT

MULTICODE
A specialist higher education qualification (e.g. a degree) related to cyber security
A general computer science, information systems or IT higher education qualification
A cyber security apprenticeship
Any other apprenticeship
Any other technical qualifications or certified training related to cyber security
SINGLE CODE
DO NOT READ OUT: Don’t know
DO NOT READ OUT: None of these

Q24.WHICHCERT DELETED IN 2021

Q25.SENIORITY DELETED IN 2020

  ###Formal versus informal cyber security roles

Q26.FORMAL DELETED IN 2023 (TO REINTRODUCE IN 2024)

ASK IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4)
Q26_FORMAL
Is cyber security a formal part of your job description, or do you cover this role informally?
DO NOT READ OUT

SINGLE CODE
A formal part of their job description
Covered informally
Don’t know

Q27.COVER DELETED IN 2021

Skills and knowledge of responsible individual or team

ASK ALL
Q28_RELATIVE
How important would you say it is for all the employees in cyber security roles within your organisation to possess each of the following? Please answer on a scale of 0 to 10, where 0 means not at all important and 10 means essential.
READ OUT

RANDOMISE STATEMENT ORDER BUT KEEP f AND g TOGETHER
WEB: ASK AS A COLLAPSABLE GRID
a. IF CYBER SECTOR (TYPEXDUM CODE 4): Complementary skills, such as oral or written communication skills and team working skills
b. STATEMENT DELETED POST-PILOT IN 2018
c. STATEMENT DELETED IN 2020
d. IF CYBER SECTOR (TYPEXDUM CODE 4): Understanding the legal or compliance issues affecting cyber security, such as data protection
e. STATEMENT DELETED IN 2020
f. STATEMENT DELETED IN 2021
g. IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4): High-level technical skills, which could include things like:

• security engineering or architecture
• penetration testing or vulnerability scanning
• using threat intelligence tools
• forensic analysis
• interpreting malicious code
• or using tools to monitor user activity
• IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4): Incident response skills, which could include things like writing an incident response plan, incident management and recovery from cyber security breaches

CATI: WRITE IN RANGE 0 TO 10
WEB: 0-10 SINGLE CODE SCALE, ALLOW REVERSED SCALE
DO NOT READ OUT: Don’t know

SCRIPT TO ROTATE ORDER OF TECHNICAL AND MANAGERIAL

ASK IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4)
Q29_TECHNICAL
How confident, if at all, would you feel about [IF MORE THAN ONE PERSON (TEAM>1 OR DK): you or any of the other individuals directly involved in cyber security] being able to do each of the following technical tasks in your work?
ADD IF NECESSARY: If you don’t currently need to do this in your work, we’d like to know how confident, if at all, you would feel about being able to do it in the future.
READ OUT
INTERVIEWER NOTE: IF CONFIDENCE LEVELS VARY ACROSS STAFF MEMBERS, THIS IS ABOUT THE MOST CONFIDENT STAFF MEMBER

RANDOMISE STATEMENT ORDER
WEB: ASK AS A COLLAPSABLE GRID
a. Storing or transferring personal data securely, using encryption where appropriate
b. ASK IF NOT OUTSOURCED (WHATOUTa NOT CODE 1): Setting up firewalls with appropriate configurations
c. ASK IF NOT OUTSOURCED (WHATOUTb NOT CODE 1): Choosing secure settings for devices or software
d. ASK IF NOT OUTSOURCED (WHATOUTc NOT CODE 1): Controlling which users have IT or admin rights
e. ASK IF NOT OUTSOURCED (WHATOUTd NOT CODE 1): Detecting and removing malware on the organisation’s devices
f. ASK IF NOT OUTSOURCED (WHATOUTe NOT CODE 1): Setting up software to automatically update where possible
g. ASK IF NOT OUTSOURCED (WHATOUTf NOT CODE 1): Restricting what software can run on the organisation’s devices
h. ASK IF NOT OUTSOURCED (WHATOUTg NOT CODE 1): Creating back-ups of your files and data
i. ASK IF NOT OUTSOURCED (WHATOUTh NOT CODE 1): Dealing with a cyber security breach or attack
j. STATEMENT DELETED IN 2023
k. STATEMENT DELETED IN 2023
l. STATEMENT DELETED IN 2023
m. STATEMENT DELETED IN 2021
n. STATEMENT DELETED IN 2021
o. STATEMENT DELETED IN 2021
p. ASK IF NOT OUTSOURCED (WHATOUTk NOT CODE 1): Setting up new and secure user accounts and authentications

SINGLE CODE, ALLOW REVERSED SCALE
Very confident
Fairly confident
Not very confident
Not at all confident
DO NOT READ OUT: Don’t know
FOR STATEMENTS e AND g ONLY: DO NOT READ OUT: Not applicable – no devices belonging to organisation

ASK IF NOT CYBER SECTOR, IF HIGHER-LEVEL SKILLS MATTER AND NOT ALL OUTSOURCED (TYPEXDUM NOT CODE 4, RELATIVEg>4 AND ANY WHATHIGHER NOT CODE 1)
Q29_HIGHTECHNICAL
And how confident, if at all, would you feel about [IF MORE THAN ONE PERSON (TEAM>1 OR DK): you or any of the other individuals directly involved in cyber security] being able to do each of the following high-level technical tasks in your work?

If these specific tasks are not relevant for your organisation, just say so and we’ll move on.
READ OUT
INTERVIEWER NOTE: IF CONFIDENCE LEVELS VARY ACROSS STAFF MEMBERS, THIS IS ABOUT THE MOST CONFIDENT STAFF MEMBER

RANDOMISE STATEMENT ORDER
WEB: ASK AS A COLLAPSABLE GRID
a. ASK IF NOT OUTSOURCED (WHATHIGHERa NOT CODE 1): Designing secure networks, systems and application architectures
b. ASK IF NOT OUTSOURCED (WHATHIGHERb NOT CODE 1): Carrying out a penetration test
c. ASK IF NOT OUTSOURCED (WHATHIGHERc NOT CODE 1): Using cyber threat intelligence tools or platforms
d. ASK IF NOT OUTSOURCED (WHATHIGHERd NOT CODE 1): Carrying out a forensic analysis of a cyber security breach
e. ASK IF NOT OUTSOURCED (WHATHIGHERe NOT CODE 1): Interpreting malicious code
f. ASK IF NOT OUTSOURCED (WHATHIGHERf NOT CODE 1): Using tools to monitor user activity
g. ASK IF NOT OUTSOURCED (WHATHIGHERg NOT CODE 1): Carrying out vulnerability scans of the organisation’s network and devices
i. ASK IF NOT OUTSOURCED (WHATHIGHERh NOT CODE 1): Any automated defences against malicious network traffic

SINGLE CODE, ALLOW REVERSED SCALE
Very confident
Fairly confident
Not very confident
Not at all confident
DO NOT READ OUT: Don’t know
DO NOT READ OUT: Not applicable – we do not need to do these tasks in our organisation

READ OUT IF CYBER SECTOR (TYPEXDUM CODE 4):
These next questions are about performing tasks for your organisation’s own cyber security, not that of any customers.

ASK ALL
Q30_MANAGERIAL
IF CYBER SECTOR (TYPEXDUM CODE 4):
How confident, if at all, would you feel about your organisation being able to perform the following tasks, given the current skill levels of your workforce?

IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4):
How confident, if at all, would you feel about [IF MORE THAN ONE PERSON (TEAM>1 OR DK): you or any of the other individuals directly involved in cyber security] being able to do each of the following communication or managerial tasks in your work?
ADD IF NECESSARY: If you don’t currently need to do this in your work, we’d like to know how confident, if at all, you would feel about being able to do it in the future.
READ OUT

RANDOMISE STATEMENT ORDER
WEB: ASK AS A COLLAPSABLE GRID
a. ASK HALF THE SAMPLE (HALF A): Communicating cyber security risks effectively to directors, trustees or senior management
b. STATEMENT DELETED IN 2023
c. ASK HALF THE SAMPLE (HALF A): Writing an incident response plan to deal with cyber security breaches
d. ASK HALF THE SAMPLE (HALF B): Carrying out a cyber security risk assessment
e. STATEMENT DELETED IN 2023
f. ASK HALF THE SAMPLE (HALF B): Writing or contributing to a business continuity plan that covers cyber security
g. ASK HALF THE SAMPLE (HALF A): Preparing training materials or training sessions for staff who are not specialists in cyber security
h. STATEMENT DELETED POST-PILOT IN 2018
i. ASK HALF THE SAMPLE (HALF B): Developing cyber security policies

SINGLE CODE, ALLOW REVERSED SCALE
Very confident
Fairly confident
Not very confident
Not at all confident
DO NOT READ OUT: Don’t know

Q31.KNOWLEDGE DELETED IN 2023

Skills and knowledge of wider staff (non-cyber firms)

READ OUT IF TELEPHONE RESPONDENT AND NOT CYBER SECTOR (CATI AND TYPEXDUM NOT CODE 4)
WIDERINTRO
The next questions are about the current skills and knowledge of wider [staff/staff and volunteers], beyond those who are directly involved in cyber security.

SHOW IF ONLINE RESPONDENT AND NOT CYBER SECTOR (WEB AND TYPEXDUM NOT CODE 4)
WIDERSCREEN
The next questions are about the current skills and knowledge of wider [staff/staff and volunteers], beyond those who are directly involved in cyber security.

ASK IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4)
Q32_DIRECTORS
How well, if at all, would you say your organisation’s [directors/trustees] or senior managers [IF LOWER-TIER LOCAL AUTHORITY (SAMPLE S_LASTATUS=1 AND TYPEX CODE 4):, including council members,] understand each of the following?
READ OUT

RANDOMISE STATEMENT ORDER
WEB: ASK AS A COLLAPSABLE GRID
a. The cyber security risks facing your organisation
b. STATEMENT DELETED IN 2023
c. When cyber security breaches need to be reported externally, for example to a regulator
d. The steps that need to be taken when managing a cyber security incident
e. STATEMENT DELETED POST-PILOT IN 2018
f. STATEMENT DELETED POST-PILOT IN 2018
g. STATEMENT DELETED POST-PILOT IN 2018
h. The staffing needs of cyber security within your organisation

SINGLE CODE, ALLOW REVERSED SCALE
Very well
Fairly well
Not very well
Not at all well
DO NOT READ OUT: Don’t know

Q33.DIRECTDUM DELETED IN 2020

ASK IF NOT CYBER SECTOR (TYPEXDUM NOT CODE 4)
Q34_CORE
How confident, if at all, would you feel in your organisation’s core [staff/staff or volunteers] [IF LOCAL AUTHORITY (SAMPLE S_LASTATUS=1 OR 2 AND TYPEX CODE 4): or council members] as a whole being able to do each of the following?
READ OUT

RANDOMISE STATEMENT ORDER
WEB: ASK AS A COLLAPSABLE GRID
a. STATEMENT DELETED POST-PILOT IN 2018
b. ASK HALF THE SAMPLE IF PRIVATE SECTOR, OR FULL SAMPLE IF PUBLIC SECTOR OR CHARITY ([HALF A AND TYPEXDUM CODE 1] OR TYPEXDUM CODES 2-3): Store or transfer personal data securely, using encryption where appropriate
c. ASK HALF THE SAMPLE IF PRIVATE SECTOR, OR FULL SAMPLE IF PUBLIC SECTOR OR CHARITY ([HALF B AND TYPEXDUM CODE 1] OR TYPEXDUM CODES 2-3): Use acceptably strong passwords
d. ASK HALF THE SAMPLE IF PRIVATE SECTOR, OR FULL SAMPLE IF PUBLIC SECTOR OR CHARITY ([HALF A AND TYPEXDUM CODE 1] OR TYPEXDUM CODES 2-3): Detect malware on the organisation’s devices
e. ASK HALF THE SAMPLE IF PRIVATE SECTOR, OR FULL SAMPLE IF PUBLIC SECTOR OR CHARITY ([HALF B AND TYPEXDUM CODE 1] OR TYPEXDUM CODES 2-3): Identify fraudulent emails or fraudulent websites
f. ASK HALF THE SAMPLE IF PRIVATE SECTOR, OR FULL SAMPLE IF PUBLIC SECTOR OR CHARITY ([HALF A AND TYPEXDUM CODE 1] OR TYPEXDUM CODES 2-3): Work collaboratively with those directly responsible for dealing with cyber security breaches

SINGLE CODE, ALLOW REVERSED SCALE
Very confident
Fairly confident
Not very confident
Not at all confident
DO NOT READ OUT: Don’t know
FOR STATEMENT d ONLY: DO NOT READ OUT: Not applicable – no devices belonging to organisation

Training and upskilling

TRAININTROA DELETED IN 2023

TRAININTROB DELETED IN 2023

TRAINSCREENA DELETED IN 2023

TRAINSCREENB DELETED IN 2023

Q35.VALUE DELETED POST-PILOT IN 2018

Q35a.NEEDSAWARE DELETED IN 2023

Q36.NEEDS DELETED IN 2023

QSOUGHT DELETED IN 2020

Q37a.TRAINED DELETED IN 2023

Q37b.FORMAT DELETED IN 2023

Q38.BARRIERS DELETED IN 2020

Q39.MODE DELETED IN 2020

Q40.TRAINER DELETED POST-PILOT IN 2018

Q41.TRAINERDUM DELETED POST-PILOT IN 2018

Q42.WORTH DELETED IN 2023

Recruitment

READ OUT IF TELEPHONE RESPONDENT AND CYBER SECTOR (CATI AND TYPEXDUM CODE 4)
RECRUITINTRO
I’d now like to ask about recruitment in cyber security job roles.

ASK IF CYBER SECTOR (TYPEXDUM CODE 4)
Q43_RECRUIT
Since the start of 2022, have you tried to recruit anyone to fill any cyber skills needs in your organisation? This includes any current vacancies you may have.
DO NOT READ OUT

SINGLE CODE
Yes
No
Don’t know

ASK IF TRIED TO RECRUIT (RECRUIT CODE 1)
Q44_OTHRECRUIT
What recruitment methods have you used to find candidates for these vacancies?
DO NOT READ OUT
PROBE FULLY, I.E. “ANYTHING ELSE?”
INTERVIEWER NOTE: IF RECRUITMENT AGENCY OR WEBSITE, WERE THESE SPECIALIST AGENCIES/WEBSITES FOR CYBER SECURITY OR GENERALIST?

MULTICODE RESPONSES UNDER THE BOLD HEADINGS
Recruitment agencies
Generalist recruitment agency
Specialist cyber security recruitment agency

Online/recruitment websites
Job ads on our own website
Generalist recruitment website, e.g. Indeed
Specialist cyber security recruitment website, e.g. Cybersecurityjobsite.com
Posts or ads on social networks like Facebook, Twitter or LinkedIn
Online ads outside social networks

Other
Ads in newspapers or magazines
Asking individuals to apply directly
Graduate schemes
Headhunting (but not through recruitment agency)
Partnering with schools/colleges
Partnering with universities
Recruiting from elsewhere in organisation
Word-of-mouth/industry networks/recommendations
Other WRITE IN

SINGLE CODE
Don’t know

ASK IF TRIED TO RECRUIT (RECRUIT CODE 1)
Q45_VACANCIES
Since the start of 2022, how many vacancies have you had in cyber security roles?
PROBE FOR BEST ESTIMATE BEFORE CODING DK

WRITE IN RANGE 1 TO 99
IF MICRO (SIZEA CODE<10 OR SIZEB CODE 1): (SOFT CHECK IF >3)
IF SMALL (SIZEA 9<CODE<50 OR SIZEB CODE 2): (SOFT CHECK IF >9)
IF MEDIUM (SIZEA 49<CODE<250 OR SIZEB CODE 3): (SOFT CHECK IF >9)
IF LARGE (SIZEA 249<CODE OR [SIZEB CODES 4 TO 5 OR DK]): (SOFT CHECK IF >30)
DO NOT READ OUT: Don’t know

ASK IF TRIED TO RECRUIT (RECRUIT CODE 1)
Q46_HARD
IF ONE VACANCY (VACANCIES=1): And has this vacancy proved hard to fill for any reason? This is even if you have since filled this vacancy.
IF MORE THAN ONE VACANCY (VACANCIES>1 OR DK): And how many vacancies, if any, have proved hard to fill for any reason? This includes vacancies that you may have since filled.
IF ONE VACANCY (VACANCIES=1): INTERVIEWER NOTE: CODE “1” IF HARD-TO-FILL, OTHERWISE 0
PROBE FOR BEST ESTIMATE BEFORE CODING DK

WRITE IN RANGE 0 TO VACANCIES OR [(SIZEA OR TOP END OF SIZEB) IF VACANCIES=DK] OR [99 IF SIZE=DK]
DO NOT READ OUT: Don’t know

ASK IF HARD-TO-RECRUIT VACANCIES (HARD>0)
Q46b_HARDROLE
IF ONE VACANCY (VACANCIES=1): What specific role or occupation was this hard-to-fill vacancy in?
IF MORE THAN ONE VACANCY (VACANCIES>1 OR DK): What specific roles or occupations were these hard-to-fill vacancies in?
PROMPT TO CODE
INTERVIEWER NOTE: IF JUST “ANALYST” OR “CONSULTANT”, PROMPT WITH SPECIALIST ROLES BEFORE CODING “OTHER”.

MULTICODE RESPONSES UNDER THE UNDERLINED HEADINGS UP TO HARD
Generalist roles
Generalist cyber security role
Generalist IT role
Generalist sales role
Senior management role (e.g. CEO or COO)

Specialist roles
Security governance, risk, compliance and legal
Network security (i.e. networks and firewalls)
System security (i.e. operating systems and patching)
Penetration testing
Security architecture
Security operations (e.g. intrusion detection)
Incident management, response and recovery
Threat analyst (i.e. analysing intelligence on cyber threats)
Other WRITE IN

SINGLE CODE
DO NOT READ OUT: Don’t know

ASK IF HARD-TO-RECRUIT VACANCIES (HARD>0)
Q46b_HARDSENIOR
IF ONE VACANCY (VACANCIES=1): What level of seniority was this hard-to-fill vacancy?
IF MORE THAN ONE VACANCY (VACANCIES>1 OR DK): What levels of seniority were these hard-to-fill vacancies?
PROMPT TO CODE

MULTICODE UP TO HARD
Apprentices
Entry-level staff or graduates
Experienced or senior staff, typically with around 3 to 5 years of experience
Principal-level staff, typically with around 6 to 9 years of experience
Director-level, typically with around 10 or more years of experience
SINGLE CODE
DO NOT READ OUT: Don’t know

ASK IF HARD-TO-RECRUIT VACANCIES (HARD>0)
Q47_HARDREASON
IF ONE VACANCY (VACANCIES=1): What are the reasons this vacancy has been hard to fill?
IF MORE THAN ONE VACANCY (VACANCIES>1 OR DK): What are the reasons these vacancies have been hard to fill?
DO NOT READ OUT
PROBE FULLY, I.E. “ANYTHING ELSE?”

MULTICODE RESPONSES UNDER THE BOLD HEADINGS
Offer not good enough
Job is difficult/challenging
Low pay or benefits/salary demand too high
Not offering training
Poor career progression/lack of prospects
Too much competition from other employers

Quality of candidates
Lack of candidates with the required attitude, motivation or personality
Lack of soft skills, e.g. communication skills
Lack of technical skills/knowledge
Lack of qualifications
Lack of work experience

Other reasons
Cultural fit/not matching our culture
Lack of candidates generally
Recruitment budget cuts
Remote location/poor public transport
Other WRITE IN

SINGLE CODE
Don’t know

ASK IF TRIED TO RECRUIT (RECRUIT CODE 1)
Q47a_DIVERSERECRUIT
In the last 18 months, has your organisation changed or adapted your recruitment processes, or carried out any specific activities to encourage applications from the following groups of people?
READ OUT STATEMENTS

CATI: ASK AS A GRID
WEB: ASK AS A COLLAPSABLE GRID
a. Women
b. People from ethnic minority backgrounds
c. Disabled people
d. People with neurodiverse conditions or learning disorders, such as autism, Asperger syndrome, dyslexia, dyspraxia and attention deficit hyperactivity disorder (ADHD)?

SINGLE CODE
Yes
No
Don’t know

Q47AB_BARRIERSASK IF ANSWERED YES TO ANY OF Q47a AT CODES A,B,C,D

In the last 18 months, have you carried out any of the following to encourage applications from women, people from ethnic minority backgrounds, disabled people of people with neurodiverse conditions or learning disorders>?
READ OUT

MULTICODE
a.Set diversity metrics/ quotas for recruitment
b.Hired through non-degree routes
c.Worked with third sector organisations to help identify and support more diverse groups
d,Hired through a scheme to promote diversity (e.g. the kickstarter scheme or the National Crime Agency)
e.Run talks or events in education settings (e.g. schools, colleges and universities)
f.Attended networking events/ conferences and career programmes for diverse groups
g.Taken action to diversify the senior leadership team
h.Worked with recruitment agencies to find more diverse candidates
i.Other, WRITE IN
j.Don’t know
k.None of the above

ASK IF CYBER SECTOR (TYPEXDUM CODE 4)
Q47b_INTERN
Since the start of 2022, have you offered any internships or work placements in cyber security roles?
DO NOT READ OUT

SINGLE CODE
Yes
No
Don’t know

ASK ALL
Q47c_ENTRY LEVEL ROLE
What are the minimum requirements for an entry-level cyber security role in your organisation? Please select all that apply.

DO NOT READ OUT
MULTICODE RESPONSES UNDER THE FOLLOWING HEADINGSQ30a

a. No work experience or qualifications in IT or cyber security required
b. GCSE level in digital or IT subjects
c. A-levels / T-levels / or equivalent in digital or IT subjects
d. Completing an apprenticeship/ Internship in our organisation
e. Already completed an apprenticeship/ Internship in another organisation
f. Completing a cyber security bootcamp or similar short course or online training
g. UnderGraduate degree in an IT related subject
h. UnderGraduate degree in cyber security
i. Undergraduate degree in any subject
j. Professional cyber security certifications
k. At least one year’s experience in a Cyber-related role
l. Between two to three years experience in a cyber-related role
m. We do not take on people in entry-level roles
n. Other, please specify
o. Don’t know

Staff turnover

READ OUT IF TELEPHONE RESPONDENT AND CYBER SECTOR (CATI AND TYPEXDUM CODE 4)
TURNOVERINTRO
Finally, I’d like to ask about the staff turnover in cyber security job roles.

ASK IF CYBER SECTOR (TYPEXDUM CODE 4)
Q47_LEFT
In the last 18 months, have any employees in cyber security roles left your company or retired?
DO NOT READ OUT

SINGLE CODE
Yes
No
Don’t know

ASK LEFTA AND LEFTB AS A LOOP FOR EACH STATEMENT AT RETIREA

ASK IF EMPLOYEES HAVE LEFT (LEFT CODE 1)
Q47c_LEFTA
In the last 18 months, how many employees in cyber security roles, if any, have left your company for each of the following reasons? WEB: Please write the number next to each category.
READ OUT

ASK AS A GRID
a. Retirement
b. Dismissal
d. Redundancy
e. Of their own volition

WRITE IN RANGE 0 TO 49 FOR EACH STATEMENT
IF MICRO/SMALL (SIZEA CODE<50 OR (SIZEB CODES 1 TO 2)): (SOFT CHECK IF >3)
IF MEDIUM/LARGE (SIZEA 49<CODE OR (SIZEB CODES 3 TO 5 OR DK): (SOFT CHECK IF >19)
DO NOT READ OUT: Don’t know

ASK FOR EACH STATEMENT IF DON’T KNOW HOW MANY HAVE LEFT (LEFTAa-e CODE DK)
Q47d_LEFTB
Was it … ?
PROBE FULLY, I.E. UNTIL YOU REACH THE RIGHT RESPONSE

SINGLE CODE
None
1 to 2
3 to 4
5 to 9
10 to 14
15 to 19
20 to 24
25 to 29
More than 30
DO NOT READ OUT: Don’t know

ASK IF HAD EMPLOYEES THAT LEFT OF THEIR OWN VOLITION (LEFTAe>0 OR LEFTBe CODES 2-9)
Q47e_REASON
As far as you know, what reasons did employees have for leaving of their own volition?
DO NOT READ OUT
PROBE FULLY, I.E. “ANYTHING ELSE?”

MULTICODE RESPONSES UNDER THE BOLD HEADINGS
Company offer not good enough
Better pay or benefits elsewhere
Lack of career development opportunities
Lack of training
Offered more senior position elsewhere

Other reasons
Company culture
Changed career/left cyber security
Change in personal circumstances
Job too difficult/challenging
Relationship with line manager
Remote location/poor public transport
Stress/overworked
Work-life balance
Other WRITE IN

SINGLE CODE
Don’t know

Recontact

ASK ALL
Q48_RECON
Would you be willing to be invited to a more bespoke interview with Ipsos within the next 6 months, to further explore the issues of cyber security, skills and recruitment? You don’t have to agree to take part now, just indicate your willingness to be asked closer to the time.
ADD IF NECESSARY: Everyone taking part in these further interviews would be offered £50 in voucher form, or as a donation to the charity of their choice.

SINGLE CODE
Yes
No

ASK IF MEDIUM OR LARGE BUSINESS OR CYBER SECTOR ((TYPEXDUM CODE 1 AND SIZE CODES 3-5) OR TYPEXDUM CODE 4)
Q48a_DCMSRECON
Ipsos also expects to undertake other research on the topic of cyber security on behalf of DSIT within the next 12 months. In these research studies, we would again randomly sample organisations in your sector and your organisation may be selected. In this case, having your individual contact details would save us from having to contact your switchboard. Would you be happy for us to securely hold your individual contact details for this purpose until July 2024? Participation in any other studies would still be voluntary.

SINGLE CODE
Yes
No

ASK IF NON-CYBER SECTOR (TYPEXDUM NOT CODE 4)
Q49_REPORT
Finally, would you like us to email you a copy of last year’s report and a government help card with links to the latest official cyber security guidance for organisations like yours?

SINGLE CODE
Yes
No

ASK IF COULD NOT ACCESS WEBSITE ON PHONE (WEBSITE CODE 2)
Q49a_WEBFOLLOW
Finally, can we email you a link to the last question that you weren’t able to answer over the phone? This is the question about the UK Cyber Security Council’s 16 cyber security specialisms.

SINGLE CODE
Yes
No

ASK IF WANT RECONTACT OR REPORT (RECON CODE 1 OR DCMSRECON CODE 1 OR REPORT CODE 1 OR WEBFOLLOW CODE 1)
Q50_EMAIL
Can we please take an email address for this?

WRITE IN EMAIL IN VALIDATED FORMAT
DO NOT READ OUT: Refused

SEND FOLLOW-UP EMAIL IF WANT REPORT AND GIVE EMAIL (REPORT CODE 1 AND EMAIL NOT BLANK)

GDPR privacy policy

READ OUT IF TELEPHONE RESPONDENT (CATI)
GDPRINTRO
Thank you for taking the time to participate. You can access the privacy policy on our website at: LINK TO BE CONFIRMED. This explains the purposes for processing your personal data, as well as your rights under data protection regulations to:
* access your personal data
* withdraw consent
* object to processing of your personal data
* and other required information.

SHOW IF ONLINE RESPONDENT (WEB)
GDPRSCREEN
Thank you for taking the time to participate. You can access the privacy policy on our website at: https://www.gov.uk/government/publications/understanding-the-uk-cyber-security-labour-market/research-on-cyber-security-skills-ipsos-privacy-policy. This explains the purposes for processing your personal data, as well as your rights under data protection regulations to:
* access your personal data
* withdraw consent
* object to processing of your personal data
* and other required information.

CLOSE SURVEY 

Appendix B: Government help card offered to survey respondents

INSERT IMAGE HERE

Appendix C: Topic guide for cyber firms and medium/large organisations

Using this topic guide

This document is not a questionnaire. It will be used flexibly depending on the discussions. When using the guide, the interviewer will ask questions in their own words to follow the flow of the discussion, use the prompts to guide or expand responses when necessary, and ask specific questions (in orange) based on the participant’s profile information or information they have shared during the interview. Specific notes in italics indicate interviewer instructions.

Before each interview: The interviewer will undertake some preparation work including:

• Background reading on the participant’s organisation
• Familiarising themselves with the participant’s profile highlighting information acquired through the quantitative survey.
• Gaining a broad overview of the 16 specialisms and Cyber Career Framework: https://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/
• Familiarising themselves with the UK Cyber Security Council’s Route to Chartership: https://www.ukcybersecuritycouncil.org.uk/professional-standards/the-council-s-route-to-chartership/

Interviewers should feel comfortable referring to preparation material during the interview when necessary and relevant.

Introduction (2-3 min)

Thank the participant for taking part.

Introduce self and Ipsos.

DSIT wants to understand in more depth current and future cyber skills gaps, and their impact on recruitment to help inform future government policy.

All responses are confidential and anonymous.

Incentive: £70 (Voucher or charity donation to organisation of their choice)

Recording: get permission to digitally record.

Length: Approx. 50-60 mins

GDPR added consent (once the recorder is on)

Ipsos UK’s legal basis for processing your data is your consent to take part in this research. Your participation in this research is voluntary. You can withdraw your consent for your data to be used at any point before, during or after the interview. Can I check that you are happy to proceed? Context & main challenges (3 min)

• Please briefly summarise your role.
  • Probe on whether they have a cyber security background.
• Right now, what are the main challenges and gaps when it comes to cyber skills in your organisation? What would you say are the top 2-3 issues?

Cyber security team structures and career pathways (7 min)

• Please describe the cyber team / staff in your organisation.
  Refer to participant profile.

• How has this changed or evolved in the past 3 years?
• If certain aspects of cyber security are handled by entities outside of their own organisation (Q7): Why have certain cyber skills functions been outsourced?
• How would you say the cyber team is organised or split in terms of skills and roles? If appropriate, probe on technical, communications and managerial.
• What do you understand to be the main roles and responsibilities of a cyber security generalist? Would you say you have anyone in a generalist role in your organisation?
• What skills are missing in your cyber team? Probe on technical skills, incident response, complementary and governance skills. What cyber security tasks do you feel your cyber staff are less well equipped to perform?
• What thinking or work have you done around career pathways/progression for those in cyber roles in your organisation?
• Typically, are your senior level staff hired externally or have they evolved internally into their current roles?
• Please briefly tell me about what training is provided to your staff in cyber security roles. *What part do cyber security qualifications play in the training provided and why?

Cyber Career Framework and Route to Chartership (7 min)

Participants will have been sent a link to the UK Cyber Security Council 16 specialisms and Cyber Career Framework before the interview. If they have not taken a look, give them a minute to look at this link and click through some of the categories: https://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/

• What had you seen/heard of the 16 cyber security specialisms and the UK Cyber Security Council’s Cyber Career Framework before taking part in this research?
• How helpful is the Cyber Career Framework?
  • How, if at all, is it being used by your cyber team/business?
  • How likely would you be to use this resource in your organisation in the future? Why/Why not?
• What could be added or improved to make it more suitable for your needs?
• The UK Cyber Security Council is introducing professional standards for each of the 16 specialisms. Were you aware of this? If necessary, explain: There will be three professional titles aligned to the Council’s professional standard for each specialisms – associate, principal and chartered.
• What are the advantages and disadvantages of introducing professional standards for each of the specialisms?
• How would you like to see these standards developed and communicated?
• How likely would your organisation be to encourage employees to achieve these professional standards? Why? Why not? How might this vary by role/level of experience? What impact would this have on training and career pathways?

Recruitment (10 min)

• What are the main challenges in recruiting people for cyber roles in your organisations?
• To what extent is the cost of recruitment an issue?
• Which roles are the most challenging to recruit for and why?
  Focus on which specialisms, seniority levels, roles, etc.

If they said in the survey they recently had vacancies for cyber roles that were hard to fill (Q46):

• You mentioned that some roles were hard to fill. What roles were hard to fill? Could you tell me what happened? Have these vacancies now been filled? How, if at all, did you adapt your recruitment approach for these vacancies or to address challenges?
• In terms of geographical challenges, how easy or difficult is it to recruit cyber roles in your local area or areas? Why do you think that is?
• What impact has remote/blended working had on recruitment into cyber roles?
• How, if at all, have you had to adjust your recruitment methods in the past three years? Why was that? What has the impact been?
• What recruitment methods have been most successful for you? How might your recruitment methods change in the future? Why is that?
• In your experience, what are the barriers and opportunities for public sector organisations in recruiting cyber staff?  Competencies

• How do you assess whether job applicants for cyber security roles are proficient? What do you especially look for? What would put you off hiring a candidate?

  • PROBE ON:

  • Qualifications/training
  • Background and experience
  • Tests or exams
  • CVs
  • Complementary skills (communication, teamwork, etc.)
• How does this differ for entry-level vs more experienced roles?

Entry-level roles & apprenticeships (7-10 mins)

• I’d like us to think about entry-level roles in cyber security. How would you define an entry-level role? What, if any, experience should people thinking about an entry-level role have? What skills and experience would you expect for an entry-level role?
• What are the advantages and disadvantages of entry-level roles?
• What sort of entry-level roles in cyber security does your organisation offer or would consider offering? What has your experience been of entry-level candidates? What are the typical requirements for a basic entry-level role?
• What would encourage your organisation to offer more/start offering entry-level roles in cyber security?
• What is your approach to offering apprenticeships or other work placements in cyber security? How far are you offering or considering offering these? What are your reasons for offering/not offering these roles?
• What are the benefits and challenges involved with apprenticeships/work placements?

If they offer apprenticeships (check Q18 and Q23):

• How have you addressed these challenges?
• What plans do you have to increase or decrease the number of apprenticeships you currently offer? Why?
• What information or support would be helpful? What information and support should be available to organisations in general to ensure more cyber security apprenticeships are offered?

If they don’t offer apprenticeships (check Q18 and Q23):

• Why do you currently not offer apprenticeships? What, if any, plans do you have to offer apprenticeships in the future?
• What information or support would you need in order to offer apprenticeships in your organisation?
• What information and support should be available to organisations in general to ensure more cyber security apprenticeships are offered?
  
  
• PROBE ON: Guidance on apprenticeship standards and funding
  Guidance on developing apprenticeship programmes
  Access to training providers
  Recruitment assistance
  Incentives and grants
  
  
• What is the role of UK government and educational institutions in helping businesses establish and run cyber security apprenticeships? What about entry-level roles more generally?
• We talked earlier about the 16 cyber security specialisms and the professional standards which the UK Cyber Security Council is developing. How could this work help increase the number of cyber security apprenticeships available? And entry-level roles?

Retention (7 min)

• Which cyber security staff do you think are most likely to leave your organisation? Why is that? What sort of roles, organisations or industry sectors would they be likely to go to?

If they have had employees in cyber security roles leave their organisation or retired in the last 18 months (Q47):

• You mentioned that employees in cyber security roles have left your organisation in the last 18 months for various reasons. What roles or specialisms were these? Which skills or competencies were lost that could not be covered immediately by others? What did you do?
• Where did these staff go? PROBE ON: public to private sector or vice versa. What was their main reason for leaving?
• What, if any, strategies have you put in place to retain your cyber staff? PROBE ON: salary, benefits packages, flexible working, remote/blended working, training and career pathways.
  
  
• How successful have these approaches been?
• Have any of these strategies become more important over the last year?
  
  
• In your experience, how easy or difficult is it for public sector organisations to retain cyber security staff? How could public sector organisations improve on retention?

Burnout in the cyber sector

• How much of an issue is burnout within the cyber sector? Is this increasing or decreasing?
  
  
• What cyber roles do you think are most likely to experience burnout?
• How much of an issue is burnout for cyber staff in your organisation?
• What, if any, strategies does your organisation have in place to prevent burnout?

Diversity (7 min)

Please probe specifically on different categories rather than asking about “diverse” candidates in general and be open to how the participant may be defining it.

Women Gender fluid Ethnic minority employees Neurodiverse employees Employees living with disabilities Employees from lower socioeconomic backgrounds Older employees

Diversity in the cyber sector and cyber teams

• What do you think of when we talk about diversity in the cyber sector? What does this refer to?
• How diverse is the cyber sector? What kind of diversity do you think is lacking? How has this changed/evolved in the last two years? What specific changes have you seen?
• What, if anything, does your organisation do to encourage inclusion in the workplace for cyber staff?
  
  
• PROBE ON
  Flexible work policies
  Inclusive benefits and policies (e.g. accommodation for disabilities)
  Diversity and inclusion training
  Partnering with diverse organisations
  Diversity in recruitment
• What, if any, recruitment strategies are in place to recruit a diverse cyber workforce for your organisation?
  
  
• How do you ensure different elements of the recruitment process such as job adverts, candidate screening, interviewing and candidate selection will enable you to reach and attract diverse candidates?
• To what extent is cost a barrier to recruiting diverse candidates? What other barriers are there?
• What, if any, specific benefits packages, working conditions, and/or hiring bonuses are offered to candidates who would diversify the cyber team?
• To what extent are HR colleagues involved?
  
  
• If mentioned in the survey that they have taken action to improve diversity in recruitment (Q47a): Could you tell me a bit more about your experience of how you have taken action to provide diversity in your recruitment practices? How did you do so?
  
  
• What prompted you to do this?

• What has the impact been? What has worked well? What has worked less well?

• What strategies would you consider in the future to diversify the cyber workforce in your organisation? Future skills needs and impact of automation AI (5 min)
• How will the needs of cyber security skills organisations like yours change in the next few years?
• Which specific cyber security skills do you think will be most in demand?
• What impact is automation likely to have on cyber skills and careers? How about AI? What changes have you seen already?
  
  
• PROBE ON: Entry-level roles/apprentices
  Career pathways
  Cyber specialisms/generalist roles
  Wrap-up (2-3 min)
  
  
• What do you think the government should be doing to address the challenges we have discussed? What is the most important thing for the government to do?
• What should industry be doing?
• What should your organisation’s senior management be doing/focused on?

Thank the participant and close the interview. Remind them of confidentiality and £70 incentive in the form of a voucher or charity donation to the organisation of their choice. If the latter, please note down information.

Appendix D: Topic guide for recruitment agents

Using this topic guide

This document is not a questionnaire. It will be used flexibly depending on the discussions. When using the guide, the interviewer will ask questions in their own words to follow the flow of the discussion, use the prompts to guide or expand responses when necessary, and ask specific questions (in orange) based on the participant’s responses they have shared during the interview. Specific notes in italics indicate interviewer instructions.

Before each interview: The interviewer will undertake some preparation work including:

• Background reading on the participant’s organisation and role
• Gaining a broad overview of the 16 specialisms and Cyber Career Framework: https://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/
• Familiarising themselves with the UK Cyber Security Council’s Route to Chartership: https://www.ukcybersecuritycouncil.org.uk/professional-standards/the-council-s-route-to-chartership/

Interviewers should feel comfortable referring to preparation material during the interview when necessary and relevant.

Introduction (2-3 min)

Thank the participant for taking part.

Introduce self and Ipsos.

DSIT wants to understand in more depth current and future cyber skills gaps, and their impact on recruitment to help inform future government policy.

All responses are confidential and anonymous.

Incentive: £100 (Voucher or charity donation to organisation of their choice)

Recording: get permission to digitally record.

Length: Approx. 50-60 mins

GDPR added consent (once the recorder is on)

Ipsos’ legal basis for processing your data is your consent to take part in this research. Your participation in this research is voluntary. You can withdraw your consent for your data to be used at any point before, during or after the interview. Can I check that you are happy to proceed?

Context (3 min)

• Can you summarise your background and any technical knowledge of cyber security?
• Right now, what are the main challenges when it comes to the cyber roles you recruit? What would you say are the top 2-3 issues?

Current applicant/candidate pool (15 min)

Sourcing candidates

• How do you go about sourcing cyber candidates? What are the most and least effective methods for finding good quality candidates?
• To what extent have your methods of sourcing candidates changed in the past year? What lessons have you learnt?
• How does your approach differ by region, if at all? In which particular regions are candidates harder to source from?
• If harder to source candidates in some regions: What is causing this? What is the impact of these regional differences?
• What are the key factors you look for when you put candidates on your books? How does this differ between roles?
  
  
• PROBE ON:Qualifications/training
  Background and experience
  Tests or exams
  CVs
  Complementary skills (communications, teamwork, management, etc.)
  Referral practice

Current recruitment pool

• Approximately, how many active and passive cyber candidates do you have on your books? How has this changed compared to the past few years?
  Active refers to actively looking for a job or move
  Passive refers to not actively looking for a job or move

• How, if at all, has the quality and type of candidates in the cyber recruitment pool changed in the past year?
  
  
• PROBE ON: Typical experience/seniority
  Sector backgrounds
  Education/qualifications
  
  
• What, if any, other changes have you seen in cyber sector recruitment in the past year?

Entry-level candidates

• How do you or your clients define entry-level roles?
• Roughly what proportion of your candidates come from a cyber background already vs. those looking to transition into cyber roles? What sectors do candidates looking to transition come from? How does this compare to last year?
• How often are you asked to source entry-level roles? What sort of organisations are seeking entry-level candidates and why?
• How, if at all, do your recruitment methods differ for sourcing entry-level vs more experienced cyber roles?
• What type of skills and experience do you/would you look for?
• Do you or would you ever get involved in recruiting cyber security apprentices? Why? Why not? What have your experiences been?

Gaps in the recruitment pool

• What would you say are the biggest gaps in the recruitment pool at the moment?
  
  
• PROBE ON: Roles
  Specialisms
  Specific skill sets (technical and/or complementary)
  Seniority-level
• More specifically: Cyber security architecture<br/Cyber risk management
  Penetration testing
  Incident response and management
• Why are these roles so difficult to fill? How have you gone about filling these gaps?
• How much change has there been in skills gaps in the candidate pool in the past year?

Recruitment (15 min)

Client demands

• What are your clients’ biggest needs presently, when recruiting for cyber roles?
  
  

• PROBE ON: Skills, roles, specialisms
  Qualifications/training
  Background and experience
  Complementary skills (communications, teamwork, management, etc.)

• How have these needs evolved in the last year? What requirements have become more important?
• How realistic is it to meet these demands from the current cyber candidate pool? Why do you say so?

Regional differences

• How, if at all, do client demands vary according to location? How important is the location of candidates to clients? How has this changed over the past year?

Qualifications and experience

• What kind of formal qualifications are clients typically looking for? What makes a candidate particularly desirable in terms of qualifications?
  
  
• PROBE ON: Higher education vs. other technical qualifications
  Any specific programmes or qualifications considered more valuable or more reliable than others
  
  
• Typically, how many years of experience do your clients look for? What kind of experience do employers value? What do they look for in entry-level roles?
• In the past year or so, how, if at all, has the demand for specific qualifications or experience changed?
• How easy is it to fulfil these qualification and experience requirements from the current candidate pool? How flexible are clients on these demands? How does this compare to previous years?

Job adverts

• What involvement do you typically have in drafting clients’ job descriptions/ adverts?
• How clear do clients tend to be about what they need when recruiting for cyber roles? To what extent do clients have realistic expectations? What aspects tend to be challenging to fulfil? How has this changed in the past year or so?
• **If a client provides unrealistic or unclear job descriptions/adverts, how do you approach this? How open are they to amendments?

Cost of recruitment

• To what extent do recruitment costs for cyber roles influence the decisions your clients make about recruitment? How does this vary by type of organisation?
• To what extent do your clients try to negotiate with you the costs of recruitment?
• How much of a barrier are costs to filling cyber vacancies and skills gaps? Why is that?

Public sector recruitment

• In your experience, what are the barriers and opportunities for public sector organisations in recruiting cyber staff?
• In your experience, how easy or difficult is it for public sector organisations to recruit cyber security staff? How could public sector organisations improve recruitment?

Hiring managers & HR

• How would you describe your relationships with hiring managers? How willing are they to listen to your advice/guidance?
• When recruiting for cyber roles, how involved are HR staff? What aspects do they get involved in? Probe on job descriptions, recruitment costs and diversity.

Diversity (7 min)

• **We would like to talk about diversity in the current cyber security candidate pool. What do you think of when we talk about diversity in the cyber sector? What does this refer to?

Please probe specifically on different categories (gender, socioeconomic status, ethnicity, disability, neurodiversity, age) rather than asking about “diverse” candidates in general and be open to how the participant may be defining it.

Supply side: candidate pool

• How would you describe the diversity of the current candidate pool? To what extent is it more diverse than a year ago? Why do you say so?
• How, if at all, do you diversify the pool of candidates on your books?
  
  
• Which strategies, partners, networks, or communication channels work particularly well to reach to different candidates?
• How, if at all, has this changed in the past year?
  
  
• What would help widen access to the cyber security labour market for different candidates?
  
  
• How do recruitment agencies, such as your own, contribute to this and encourage applicants from different backgrounds and profiles to apply?
• What has been successful? What strategies were less successful? Why?
  
  

Demand side: employer approach

• What are typical client demands when it comes to diversity? How has this changed in the past year?
• Which diversity quotas, if any, do clients ask for on the shortlisted candidates? Who typically asks for this – HR? Cyber hiring manager?
• How often do clients ask for your guidance when it comes to diversity? What sort of responsibility, if any, do recruitment agents have in this area?
• What would encourage employers to prioritise diversity in recruitment? How can recruiters support this?
  
  
• What impact, if any, could increasing the number of entry-level candidates have?

Retention (5 min)

• How easy or difficult is it to recruit people who are not actively looking to leave? Which cyber roles are most difficult for organisations to retain? Why?
• What strategies have your clients put in place to try to retain their cyber staff? Which are most effective and why?
• In your experience, how easy or difficult is it for public sector organisations to retain cyber security staff? How could public sector organisations improve on retention?
• How much of an issue is burnout within the cyber sector? Do you think this is increasing or decreasing?
  
  
• What cyber roles do you think are most likely to experience burnout?
• What, if any, strategies do organisations have in place to prevent burnout?
  
  
• To what extent do you think that burnout within the cyber sector is a reason for people leaving their cyber roles or changing roles? Where do staff go if they leave? Another sector? From public to private sector or vice versa?

Cyber Career Framework and Route to Chartership (7 min)

Participants will have been sent a link to the UK Cyber Security Council 16 specialisms and Cyber Career Framework before the interview. If they have not taken a look, give them a minute to look at this link and click through some of the categories: https://www.ukcybersecuritycouncil.org.uk/careers-and-learning/cyber-career-framework/

• What had you seen/heard of the 16 cyber security specialisms and the UK Cyber Security Council’s Cyber Career Framework before we got in touch with you?
• In what ways, if at all, do clients use or refer to the 16 specialisms or the Cyber Career Framework?
• To what extent is the Cyber Career Framework a helpful resource for recruitment agents?
• What could be improved to make it more suitable for your needs?
• Are you aware of the Council’s work in developing professional standards such as chartered status?
• The UK Cyber Security Council is introducing professional standards for each of the 16 specialisms. Were you aware of this? If necessary, explain: There will be three professional titles aligned to the Council’s professional standard for each specialisms – associate, principal and chartered.
• What are the advantages and disadvantages of introducing professional standards for each of the specialisms? In what ways, if any, will this be helpful for i) recruitment agents like you and ii) employers? What impact might it have on recruitment?

Future skills needs and impact of automation AI (3-5 min)

• How will the cyber security skills organisations need change in the next few years?
• Which specific cyber security skills do you think will be most in demand?
• What impact is automation likely to have on cyber skills and careers? How about AI? What changes have you seen already?
  
  

• PROBE ON: Entry-level roles/apprentices
  Career pathways
  Cyber specialisms/generalist roles
  
  
  ###Wrap-up (2-3 min)

• What do you think the government should be doing to address the challenges we have discussed? What is the most important thing for the government to do?
• What should industry be doing?
• Thank the participant and close the interview. Remind them of confidentiality and £100 incentive in the form of a voucher or charity donation to the organisation of their choice. If the latter, please note down information.

Appendix E: Inclusion/exclusion criteria for job vacancies analysis

We developed the search string below to identify job postings for technical cyber job role and cyber-enabled roles on the Lightcast database, after following the process laid out in Chapter 4. The first part of the string, presented in black text, specifies the included search terms across the job postings search. The part of the string presented in red text, specifies the excluded terms across job postings search. Please note, this search consciously includes partially spelled words and, in some cases, spelling errors. This reflects common spelling errors across these job postings.

Search Strategy (Core Cyber Roles)

Roles containing any of the selected skills: “cyber” (29 matches), “information security” (25 matches), Application Security Testing, Cloud Security Infrastructure, CompTIA IT Fundamentals (ITF+), Computer Security, Digital Security, Endpoint Security, IT Security Architecture, IT Security Documentation, ITIL Security Management, Microsoft Security Essentials, Network Security, Network Security Policy, Network Security Specialist, Operational Technology (OT) Security, Security Controls, Security Technology, Software Security, Web Application Security, WiFi Security, Wireless Security And CONTRACT_TYPE=”Permanent” AND POSTING_TYPE=”Newly Posted” And EXCLUDE job titles containing… “accountant” (280 matches), “cctv” (2 matches), “entry” (67 matches), “finance” (302 matches), “fire” (106 matches), “solicitor” (10 matches), “trainee” (118 matches), Account Managers, Azure Engineers, Business Analysts, Business Delivery Specialists, Business Department Chairs, Business Designers, Business Developer Managers, Business Developers, Business Development Account Executives, Business Development Account Managers, Business Development Account Representatives, Business Development Administrative Assistants, Business Development Administrators, Business Development Executives, Business Development Managers, Core Network Engineers, Data Scientists, DevOps Engineers, DevSecOps Engineers, Embedded Software Engineers, Front End Developers, Full Stack, Developers, Infrastructure Engineers, Infrastructure Managers, IT Auditors, IT Managers, IT Support Engineers, IT, Support Technicians, Java Developers, Lecturers, Lecturers in Computer Science, Line Support Engineers, Network Engineers, Recruitment Consultants, Sales Development Representatives, Software Developers, Software Engineers And EXCLUDE occupations containing… Account Manager / Representative, Accountant, Actuary, Administration, Manager, Advertising Sales Representative, Alarm / Security System Technician, Asset Protection / Security, Manager, Auditor, Bookkeeper / Accounting Clerk, Business / Management Analyst, Business Continuity Planner / Analyst, Business Development Executive, Business Intelligence Architect / Developer, Civil Engineer, Clinical Coder, Computer Programmer, Computer Support Specialist, Computer Systems Engineer / Architect, Credit Analyst / Authoriser, Customer Service Manager, Customer Service Representative, Data / Data Mining Analyst, Data Engineer, Data Warehousing Specialist, Database Administrator, Database Architect, Door - to - Door Sales Worker, Driving instructors, Electrical Engineer, Emergency Management Director, Financial Analyst, Financial Manager, Financial Services Sales Agent, Human Resources / Labour Relations Specialist, Human Resources Manager, Industrial Engineer, Insurance Sales Agent, Lawyer, Logistics / Supply Chain Analyst, Market Research Analyst, Marketing Coordinator / Assistant, Marketing Manager, Marketing Representative, Marketing Specialist, Mechanical Engineer, Mechatronics Engineer, Medical / Pharmaceutical Sales Representative, Membership Sales Representative, Network / Systems Administrator, Network / Systems Support Specialist, Office / Administrative Assistant, Operations Analyst, Parts Specialist / Salesperson, Personal Banker / Banking Sales Staff, Procurement Manager, Production Worker, Quality Control Analyst, Recruiter, Repair / Service Technician, Retail Sales Associate, Route Sales Representative, Sales Assistant, Sales Consultant, Sales Delivery Driver, Sales Engineer, Sales Manager, Sales Representative, Sales Supervisor, Scheduler / Operations Coordinator, Search Engine Optimisation Specialist, Security Officer, Senior Administrator, Sheet Metal Fabricator / Mechanic, Software Developer / Engineer, Software QA Engineer / Tester, Solar Sales Representative, Stocking Clerk / Sales Floor Support, Storage / Distribution Manager, Technical Sales Representative, Technical Writer, Transportation Security Officer, Tutor, UI / UX Designer, University Lecturer, Utilities Technician, Validation Engineer, Web Designer, Web Developer   Search Strategy (ALL Cyber Roles)

Roles containing any of the selected skills: “cyber” (29 matches), “information security” (25 matches), Application Security Testing, Cloud Security Infrastructure, CompTIA IT Fundamentals (ITF+), Computer Security, Digital Security, Endpoint Security, IT Security Architecture, IT Security Documentation, ITIL Security Management, Microsoft Security Essentials, Network Security, Network Security Policy, Network Security Specialist, Operational Technology (OT) Security, Security Controls, Security Technology, Software Security, Web Application Security, WiFi Security, Wireless Security AND POSTING_TYPE=”Newly Posted”

  ##Our standards and accreditations

Ipsos’ standards and accreditations provide our clients with the peace of mind that they can always depend on us to deliver reliable, sustainable findings. Our focus on quality and continuous improvement means we have embedded a “right first time” approach throughout our organisation.

ISO 20252

This is the international market research specific standard that supersedes BS 7911/MRQSA and incorporates IQCS (Interviewer Quality Control Scheme). It covers the five stages of a Market Research project. Ipsos was the first company in the world to gain this accreditation.

Market Research Society (MRS) Company Partnership

By being an MRS Company Partner, Ipsos endorses and supports the core MRS brand values of professionalism, research excellence and business effectiveness, and commits to comply with the MRS Code of Conduct throughout the organisation. We were the first company to sign up to the requirements and self-regulation of the MRS Code. More than 350 companies have followed our lead.

ISO 9001

This is the international general company standard with a focus on continual improvement through quality management systems. In 1994, we became one of the early adopters of the ISO 9001 business standard.

ISO 27001

This is the international standard for information security, designed to ensure the selection of adequate and proportionate security controls. Ipsos was the first research company in the UK to be awarded this in August 2008.

The UK General Data Protection Regulation (GDPR) and the UK Data Protection Act (DPA) 2018

Ipsos is required to comply with GDPR and the UK DPA. It covers the processing of personal data and the protection of privacy.

HMG Cyber Essentials

This is a government-backed scheme and a key deliverable of the UK’s National Cyber Security Programme. Ipsos was assessment-validated for Cyber Essentials certification in 2016. Cyber Essentials defines a set of controls which, when properly implemented, provide organisations with basic protection from the most prevalent forms of threat coming from the internet.

Fair Data

Ipsos is signed up as a “Fair Data” company, agreeing to adhere to 10 core principles. The principles support and complement other standards such as ISOs, and the requirements of Data Protection legislation.

1. This is:completed interviews / total sample released. ↩

2. The adjusted response rate with estimated eligibility has been calculated as: completed interviews / (completed interviews + incomplete interviews + refusals expected to be eligible + any remaining working numbers expected to be eligible). It adjusts to exclude the unusable and likely ineligible proportion of the total sample used. ↩

3. See, for example, Groves and Peytcheva (2008) “The Impact of Nonresponse Rates on Nonresponse Bias: A Meta-Analysis”, Public Opinion Quarterly (available at: https://academic.oup.com/poq/article-abstract/72/2/167/1920564) and Sturgis, Williams, Brunton-Smith and Moore (2016) “Fieldwork Effort, Response Rate, and the Distribution of Survey Outcomes: A Multilevel Meta-analysis”, Public Opinion Quarterly (available at: https://academic.oup.com/poq/issue/81/2). ↩

4. The definitions for these SIC letters is in Table 4.1. ↩

5. See https://www.gov.uk/government/collections/cyber-security-breaches-survey. ↩

6. For just under 2% of the charities interviewed, income status was unknown, and these were not weighted by income. ↩