
Cyber resilience in the public sector: professionalising the workforce to combat emerging threats

As cyber threats to the UK’s public sector grow in scale and sophistication, Dr. Claudia Natanson MBE, CEO of the UK Cyber Security Council, explores how professionalising the cybersecurity workforce is key to building national resilience and securing critical services

Cyber resilience has become a growing priority for the UK’s public sector, particularly as local government and national institutions grapple with increasingly sophisticated threats. Despite the heightened focus on cybersecurity commitments, the public sector still faces significant hurdles in addressing cyber risks and ensuring that the right people are in place to protect critical infrastructure.

The need to professionalise the public sector’s cybersecurity workforce has never been more urgent. The UK Cyber Security Council (UK CSC) has developed a framework to address these challenges, embedding professional titles and offering guidance on recruitment, training, and career development. This framework is designed to help organisations better align their cybersecurity strategies with evolving threats and fill critical staffing gaps.

Addressing public sector threats through professionalisation
The public sector is a prime target for cyberattacks due to its management of sensitive data and critical infrastructure. Government bodies and public organisations have increasingly become the target of ransomware attacks, data breaches, and other cyber incidents that threaten national security and public safety. For example, in June 2024, a cyberattack on a supplier of NHS pathology services led to the postponement of 10,152 outpatient appointments and 1,710 elective procedures [1].

Ransomware attacks on public bodies can disrupt services, expose personal data, and create substantial recovery costs. These incidents underscore the pressing need for cybersecurity professionals who are not only equipped to handle immediate threats but also to build long-term resilience within public sector organisations.

The professional framework from the UK CSC provides a roadmap to mitigate these risks. By professionalising cybersecurity roles, the framework seeks to ensure that the public sector is better equipped to address both current and emerging threats. It focuses on strengthening leadership, management, and technical capabilities of cybersecurity teams, which are often under-resourced or lack the necessary skills to combat modern threats effectively.

The new cybersecurity framework: A solution to staffing challenges
The primary goal of the UK CSC’s framework is to ensure the UK public sector has the skilled workforce needed to mitigate cybersecurity threats. The framework aims to professionalise cybersecurity roles, ensuring they are treated with the same level of expertise as other areas of leadership.

Among the most notable elements is the introduction of new professional titles, which are designed to help public sector organisations recruit individuals who are not only accredited but also trained to manage and lead cybersecurity initiatives.

These titles will play a crucial role in filling gaps in the public sector’s cybersecurity workforce. Local councils, government agencies, and other public sector bodies will be able to hire professionals who have undergone specific training and certification tailored to their needs and requirements. This move addresses both recruitment shortages and the challenge of retaining skilled cybersecurity talent in a competitive job market.

Staffing gaps and recruitment challenges
A key issue facing the public sector is the chronic shortage of qualified cybersecurity professionals. While the private sector is able to attract top talent with competitive salaries and benefits, the public sector often struggles to match these incentives, which has led to a widening skills gap.

A significant barrier to recruitment in public sector cybersecurity roles has been the lack of clear career progression. However, the UK CSC’s framework addresses these challenges by providing a clear career pathway, making the sector more attractive. The future development of specialisms like Cyber Manager will create a structured career ladder, providing more defined roles, responsibilities, and progression opportunities.

The framework also emphasises the upskilling of existing employees. This focus on continuous professional development will be vital in helping local councils and government agencies keep pace with evolving threats. By providing access to targeted training, certification programs, and professional development opportunities, the UK CSC aims to create a more capable and adaptable cybersecurity workforce.

The role of leadership and culture in cybersecurity resilience
While technology is a critical component in defending against cyber threats, it is leadership and organisational culture that determine the long-term success of cybersecurity strategies. The public sector has traditionally been slow to adopt comprehensive cybersecurity leadership practices, often focusing on compliance rather than innovation.

The introduction of Principal and Chartered professional titles is designed to address this issue by empowering leaders to take ownership of cybersecurity initiatives and to drive change from the top down. Effective leadership is essential not just for managing threats but also for instilling a cybersecurity-conscious culture. Cybersecurity is no longer solely the responsibility of the IT department but a cross-departmental concern that requires buy-in at all levels.

Aligning with national security priorities
The professionalisation of cybersecurity is not just about organisational resilience but about enhancing national security. As the UK faces increasing threats from cyberattacks, cybercriminals, and even domestic terrorism [2], the need for a well-trained and capable cybersecurity workforce has never been more urgent.

By achieving this, the public sector can better align with national cybersecurity strategies and support broader initiatives aimed at enhancing national resilience against cyber threats. The framework also complements other government-led efforts to improve cybersecurity resilience across critical national infrastructure and public services.

Looking ahead: future-proofing the public sector
The introduction and adoption of the UK CSC’s framework is a step forward, but it is only one part of the broader national strategy needed to tackle cyber threats. Future steps include continuing to strengthen professional standards, expanding the number of professionals entering the field, and ensuring that the public sector can keep up with the rapid pace of technological change.

The framework will also need to evolve to reflect the growing influence of emerging technologies such as artificial intelligence (AI) and machine learning, which have the potential to both improve and challenge cybersecurity practices. These advancements will require public sector organisations to invest in continuous learning and development to stay ahead of the curve.

In conclusion, the professionalisation of the industry offers a comprehensive solution to the staffing and skills challenges facing the public sector. By professionalising cybersecurity roles, public bodies can better defend against cyber threats, enhance national security, and build a resilient digital infrastructure that can withstand the evolving nature of cyber risks.

For more information on the UK Cyber Security Council’s professional framework and how it can support the public sector, click here.
