The cyber skills gap is a validation problem hiding in plain sight
DSIT 2025 says the cyber workforce gap is improving. Look closer. We're producing more credentialed people, not more capable ones. The shortage is a validation problem.
The cyber security industry has been telling itself a story about a skills shortage for the last decade. The story goes: there are not enough cyber security people. We need to train more, certify more, recruit harder. Once the supply catches up, the problem solves itself.
The DSIT Cyber Security Labour Market Survey 2025 - the UK government’s annual headcount on the state of the cyber workforce - has just delivered the data point everyone was hoping for. The workforce gap, which sat at 14,100 unfilled cyber roles in 2022, has stabilised at 3,800 in 2025. A four-fold improvement in three years. Press release written, conference panel booked, board presentation done.
Then look one page down in the same report.
49% of UK businesses still have a basic technical cyber security skills gap. 30% have an advanced skills gap - in things like forensic analysis, malicious code interpretation, and penetration testing. 28% of cyber businesses themselves report skills gaps among their existing employees.
The shortage isn’t getting better. It’s just getting renamed.
The DSIT 2025 numbers, briefly
For anyone who hasn’t read the full report, here are the headline figures that matter for the hiring conversation:
- 3,800 - the current cyber security workforce gap (down from 14,100 in 2022)
- 49% - UK businesses with a basic technical cyber skills gap
- 30% - UK businesses with an advanced skills gap
- 28% - cyber security businesses reporting their own employees lack the technical skills the job requires
- 33% - the year-on-year decline in core cyber security job postings in 2024
- 43% - UK businesses that experienced a cyber security breach or attack in the last twelve months
Two of those numbers tell the headline story (3,800 workforce gap, 33% decline in postings). The rest tell the story underneath.
The headline read
If you only read the executive summary, the report says cyber hiring is solving itself. The supply pipeline is working. Universities are producing graduates, certification bodies are producing certificate-holders, vendors are producing badged practitioners. The 14,100-strong workforce shortfall has been chewed down by a factor of nearly four.
This reading is not exactly wrong. There genuinely are more cyber security people in the UK workforce now than there were three years ago. The supply machinery is working at the level it was designed to work at - producing credentials.
The problem is that the question being asked has changed underneath us.
The data underneath
A workforce gap of 3,800 is the number of empty seats. It says how many cyber security job postings UK employers have open that they cannot fill at all. That is a genuinely useful number for capacity planning, university enrolment forecasts, and immigration policy.
It is the wrong number for the question hiring managers actually have. Hiring managers are not asking “can I find a body to put in this seat?” They are asking “can I find a body that can do the job in this seat?” Those are different questions.
The 49% figure - businesses with a basic technical skills gap - is the number that matches the hiring manager’s question. Nearly half of UK businesses have hired the seats they needed and still have a skills problem. The seats are filled. The capability is missing.
The 28% number is the same problem inside the cyber security industry’s own employer community. More than a quarter of the businesses whose entire job is cyber security report that their own existing employees lack the technical skills their work requires.
The 33% decline in cyber job postings is doing a lot of work in the headlines. The implication some commentators have drawn from it is that demand is cooling. That reading misses the more honest one: many employers have stopped advertising roles they could not previously fill, because the previous postings produced piles of applicants who looked qualified on paper but failed the technical bar in interview. When credential-rich, capability-poor applicants flood your funnel, you eventually stop opening the funnel.
What you are looking at, when you put these numbers next to each other, is not a supply-side improvement story. It is a credential-supply improvement story. The credentials are arriving. The capability evaluation is what is broken.
The validation gap
The phrase that fits this picture is the skills validation gap - the gap between the volume of cyber-credentialed people the supply system produces and the volume of cyber-capable people the hiring system can identify.
The supply system is not the problem. Universities, certification bodies, training providers - they are doing their part. People are graduating, getting certified, putting work into their careers. There are more capable cyber security professionals out there than there have ever been.
The hiring system is the problem. The hiring system was built around credentials as a proxy for capability. CVs list certifications. Job specs require them. Interviews assume them. Recruiters filter on them. HR systems screen on them. The whole pipeline runs on the assumption that a credential held is a capability demonstrated.
It used to be a defensible assumption. When CISSP was the dominant cyber credential a decade ago, the population of people who held it was small enough and well-vetted enough that holding it told you something useful. That correlation has decayed. ISACA’s 2024 State of Cybersecurity report found that 57% of certified cyber security professionals lack the practical experience to back the certification they hold. The most-cited cyber qualifications no longer reliably predict the job.
The result is the picture DSIT 2025 paints. The supply system delivers credentialed people; the hiring system filters on credentials; the seats get filled; the work does not get done. Forty-nine percent of UK businesses, by their own report, are now sitting in that gap.
Why this matters for how you hire
If the framing above is right, the implications for hiring managers are immediate and uncomfortable. Three of them.
One. The problem is no longer “find me more candidates.” It is “tell me which of these candidates can actually do the job.” If you are sitting on 80 applicants for a SOC analyst role, the binding constraint is not your top-of-funnel - it is your filter.
Two. The signals your hiring process currently runs on - certifications, years of experience, employer logos, interview confidence - have lost calibration. They were never high-fidelity indicators of capability, and the credential decay of the last decade has made them noisier still.
Three. Doing more of what you already do will not fix it. You can run another round of interviews, ask another structured-behavioural set of questions, recruit harder, pay more. None of it changes the structural problem - your funnel filters for credentials, your job needs capability, and the two have drifted apart.
The fix is not at the supply end. The supply end is doing its part. The fix is at the validation end - changing how you evaluate the applicants who already arrive at your hiring funnel.
What better hiring looks like
The alternative is straightforward in concept and harder in execution: test for the work, not for the proxies. Put the candidate in front of the actual things they would do on the job - read a real log, write a real KQL query, triage a real alert, examine a real packet capture - and observe what they do.
Hands-on assessment in realistic environments closes the validation gap directly. The signal it produces - “did this candidate complete the task, in the time given, without help?” - is high-fidelity. It does not depend on whether you trust their CV, their interview performance, or the certification body that issued their badge. It depends on whether they could do the work.
This is not a new idea in principle. The discipline of skills-based hiring has been making inroads in software engineering for years. The cyber security industry has been slower to adopt it, partly because the credential layer is so culturally embedded, partly because building hands-on cyber assessments is genuinely harder than building coding tests, and partly because the existing assessment vendors have not been cyber-shaped enough to make the transition easy.
The interesting moment we are in now is that all three of those barriers are lowering at once. The credential layer is being undermined by the capability data we keep collecting on the people who hold the credentials. The technical infrastructure for hands-on cyber assessment is now mature - real Linux environments per candidate, AI-generated job-spec-to-assessment workflows, calibrated scoring across cohorts. And cyber-specific assessment platforms have started to exist, where five years ago there were mostly engineering-coding platforms with a cyber category bolted on. We covered the wider category in the seven best cyber security skills assessment platforms.
The headline from DSIT 2025 is real. The 14,100-to-3,800 workforce gap improvement is meaningful, and the people who built that supply-side improvement deserve credit. But the work is not finished, and the next phase of the work happens at the validation end, not the supply end.
One honest sentence
The cyber skills shortage is improving in the only sense the supply system can improve it - we have more credentialed people. The hiring system has not caught up. Forty-nine percent of UK businesses are sitting in the gap between the two, and closing it is now a hiring problem, not a training problem.
Stop reading CVs. Start reading evidence.
Try CyberHire on your next cyber hire.
Calibrated assessments, real environments, ranked candidate evidence. 14 days free, invitation only.