Closing the UK Cybersecurity Skills Gap in 2026
One in 10 companies faces over £500,000 in incident-related losses, according to our latest study.
UK organisations are facing a stubborn cybersecurity skills gap in 2026, especially in advanced areas like AI-driven threats, incident response, and risk controls, despite widespread investment in training and certification.
What is the current cybersecurity skills gap in the UK?
Firebrand’s 2026 survey of senior UK leaders across energy, financial services, retail, telecoms, professional services, and IT shows that just under half of organisations openly acknowledge gaps in advanced technical skills and knowledge in cybersecurity.
Almost half report gaps specifically in risk controls and information security, with sizeable shortfalls in incident response and infrastructure security capability.
The impact of these gaps is not simply theoretical. Just under half of the surveyed organisations experienced at least one cyber attack in the last 12 months, and at least 73% of those hit suffered more than one incident.
For those attacked, financial impacts most commonly fell between £10,000 and £199,999, with nearly one in ten reporting total costs over £500,000 once recovery, reputational damage, and regulatory exposure are included.
However, oftentimes, the skills gap doesn’t show up on a balance sheet – the breach response does.
Is the cybersecurity skills shortage a myth?
Some commentators have argued that the “skills gap” is overstated. Perhaps even the companies themselves are not aware of their shortcomings.
Of course, these companies only realise the shortage in skills when the attacks hit them. Beyond the direct financial impact, cyber attacks carry hidden costs too: up to 32% reported increased strain on internal IT and security teams, which can lead to attrition, low morale and lost productivity, among other effects.
What are the key areas for the cybersecurity skills gap?
Across the sample, leaders most frequently flagged skills shortages in risk controls (50%), information security (50%), incident response (42%), and infrastructure security (37%), with fewer but still notable gaps in auditing.
These are not entry‑level deficits. They sit at the intersection of architecture, governance, and hands‑on technical response, where experienced practitioners are hardest to find and retain.
AI and Machine Learning Security
AI has rapidly become the sharpest edge of the skills problem. Over three‑quarters of UK leaders believe AI is increasing cyber risk for their organisation. Despite this awareness, only 27% say they are fully prepared for AI‑powered cyber attacks.
More than a third estimate their cyber risk has risen by 10 to 49% due to AI‑driven threats, with a further 17% seeing a 50 to 99% increase.
Data loss prevention, adversarial tactics, and social engineering are viewed as the most exposed areas, with 59%, 52%, and 41% of leaders respectively perceiving increased AI risk in each.
As Firebrand’s own AI threat report notes, UK firms can now “see clearly where AI is amplifying existing weaknesses,” but capability and playbooks for defending against AI‑powered attacks have not kept pace.
Cloud and Zero-Trust Architecture
The shift to cloud and zero‑trust has created another pressure point. The survey’s reported gaps in infrastructure security and risk controls imply that many organisations have not fully embedded zero‑trust principles or consistent guardrails across their estates.
Identity and Access Management (IAM)
Identity and Access Management is increasingly where security either fails quietly or succeeds invisibly. The study points to under‑resourced IAM governance, policy design, and privilege management. These roles often sit in a “grey zone” between security, IT operations, and compliance, which can dilute accountability and lead to chronic understaffing.
National labour‑market data shows that cyber roles with specialist technical skills, such as penetration testing and other high‑demand disciplines, are particularly hard to retain. It is reasonable to extend this pattern to IAM engineers and architects, who shoulder constant operational load and regulatory scrutiny but often lack visible career pathways.
GRC and Compliance
Governance, Risk, and Compliance (GRC) sits at the nexus of regulation, business strategy, and technical controls. The survey’s finding on audit readiness suggests a shortage of practitioners who can translate frameworks (such as ISO 27001 or NIST CSF) into pragmatic control sets and reporting.
Incident Response and OT Security
Incident response stands out as both a pressure test of skills and an area where gaps hurt the most. Among organisations that suffered cyber attacks, internal IT and security teams were the most impacted resource, with 54% citing heightened demand on these teams, followed closely by financial loss (50%) and downtime or service disruption (46%).
Recovery is rarely instantaneous: while 71% recovered fully within a week, nearly a quarter took between one and four weeks, or longer.
Operational technology (OT) environments add another layer of complexity. Sectors like energy and utilities, which are well represented in the survey sample, must contend with legacy systems, safety‑critical operations, and a growing convergence between IT and OT.
The skills needed to manage OT risk are still relatively niche. Organisations often rely on a small number of specialists or external partners, increasing single‑point‑of‑failure risk and driving up response times when incidents occur.
What is driving the cybersecurity skills shortage in the UK?
The UK labour market picture is nuanced: the estimated cyber workforce stands at around 143,000 people and has grown by 5% year‑on‑year, yet a workforce gap of roughly 3,800 professionals remains.
At the same time, demand for mid‑level experience (2 to 6 years) dominates recruitment, while demand for true entry‑level candidates has fallen, leaving fewer structured pathways into the profession.
Against this backdrop, Firebrand’s survey shows leaders grappling with AI‑accelerated threats, rising attack frequency, and complex regulatory obligations – all with teams that are already stretched.
Quickly advancing threats
Adversaries are moving faster than governance and training cycles. New techniques in AI‑powered phishing, deepfake‑enabled fraud, and automated vulnerability discovery mean that playbooks and defences become outdated far more quickly than traditional annual training cycles allow.
While 68% of organisations already have an ongoing cybersecurity training programme and another 24% plan to implement one, this still leaves a minority without structured, continuous development in place.
Skills mismatch
Another driver is a persistent mismatch between the skills organisations need and what they recruit or train for. In Firebrand’s survey, organisations frequently highlight gaps in risk controls, information security, and incident response. These are all areas that require cross‑functional skills spanning technology, process, and communication.
Hiring processes can compound the problem. The leaders who are hiring may not know exactly what they need to look for.
"Leaders are more likely to be aware of the gaps in their staff skills, but don't know how to translate this into an actionable training plan or what training courses would fit their needs," says Firebrand Cyber Security Expert, Phil Chapman.
"Quite often an organisation would require a bespoke training plan and one that would include specific requirements to be emphasised. This could be a set of regulatory standards within Information Security or a skillset in cloud or AI tools that needs to be acquired. This is where proper training needs analysis is a requirement for each organisation. This allows them to plan both strategically and operationally to meet the needs of the business with regards to upskilling themselves and their teams," Phil added.
Budget constraints
Budget perceptions and constraints also hold organisations back. Many leaders still assume that upskilling or reskilling in cybersecurity requires either large capital projects or hiring expensive senior talent, rather than structured, incremental training routes. Yet the data shows that where organisations invest in ongoing certification training, 86% report a reduction in cyber risk, and nearly half of those able to measure it see risk reductions of more than 50%.
These risk reductions translate directly into hard outcomes such as fewer successful attacks (32%), faster incident response (30%), reduced downtime (19%), and improved audit results (17%).
Lack of diversity
Diversity is another under‑leveraged solution. Encouraging girls and women in STEM, mid‑career switchers from adjacent fields, and candidates without traditional degrees to pursue cybersecurity can help broaden thinking, improve problem‑solving, and close gaps in high‑demand areas such as GRC, security operations, and secure development.
How do you address the cybersecurity skills gap?
The evidence suggests that the skills gap is solvable when organisations treat cybersecurity capability as a strategic asset, not a one‑off project.
Upskill both tech and non-tech teams
Cyber risk is no longer contained within security and IT. While specialist technical roles remain crucial, many of the biggest risk‑reduction wins come from equipping non‑technical teams – finance, HR, operations, marketing – with practical, role‑specific security skills.
The survey shows that internal IT and security teams are often the most impacted by attacks, absorbing time and stress that could be reduced if first‑line staff were better prepared.
Cross‑skilling initiatives can include empowering operations teams to spot and escalate anomalies quickly and giving HR and legal teams a deeper understanding of incident processes and data‑protection obligations.
When non‑technical teams are confident handling their part of the security chain, specialists can focus on higher‑value tasks instead of firefighting avoidable issues.
Build training pipelines
Rather than hiring reactively every time a new threat emerges, organisations can design structured pipelines that take staff from foundational awareness through to advanced certification. Firebrand’s survey indicates that almost seven in ten organisations already run ongoing cybersecurity training programmes, and nearly a quarter plan to add one, demonstrating a clear shift towards pipeline thinking.
A typical pipeline might look like this: baseline awareness training for all staff, role‑based learning for key teams, professional certifications for core cyber staff, and advanced or niche pathways for OT, AI threat defence, or incident response leaders.
Combining classroom or bootcamp learning with hands‑on labs and simulated incident exercises helps bridge the gap between theory and real‑world readiness.
Cybersecurity as an ongoing initiative, not a one-off project
Threats evolve continuously, particularly with the acceleration of AI‑enabled attacks, so cybersecurity capability cannot be treated as a “set and forget” project. The finding that 73% of organisations have increased training, 64% have updated policies, and 56% have adopted new tools in response to AI risk shows that many are moving in the right direction, but maturity still lags ambition.
Organisations that view security as an ongoing initiative typically put in place continuous learning programmes and periodic reviews of controls against evolving standards.
They also measure outcomes – such as reductions in successful attacks, faster response times, and improved audit results – and feed those insights back into training plans, ensuring that capability grows alongside the threat landscape.
Form ecosystems and partnerships
No single organisation can build every skill it needs in‑house, especially in specialised domains such as AI threat defence, OT security, or advanced incident response. Partnerships with training providers, universities, industry bodies, and technology vendors allow teams to access up‑to‑date expertise and flexible capacity.
Firebrand’s own survey evidence shows the value of structured certification training in risk management and improving outcomes, making a strong case for engaging experienced partners to design and deliver programmes tailored to each organisation’s risk profile.
For UK organisations looking to turn cybersecurity from a constraint into a competitive advantage, the next step is to build or extend these ecosystems. That might mean co‑designing training pathways for career‑changers, partnering on apprenticeship schemes, or running joint AI‑threat simulation exercises with external experts.
If you are ready to move from awareness of the skills gap to a concrete, data‑backed strategy for closing it, now is the time to connect with Firebrand and explore how a tailored training and certification roadmap can strengthen your resilience for 2026 and beyond.
