RGH

Cybersecurity workforce readiness is becoming one of the UK’s most urgent resilience challenges. A few weeks back, our Group CEO Justin Madgwick sat in a room at Westminster with parliamentarians, peers and people who spend their careers thinking about cyber security. It was an All-Party Parliamentary Group discussion on cyber resilience and business readiness; serious, substantive and at times uncomfortable.

You might wonder what a workforce optimisation company was doing at that table. By the end of the discussion, it felt like the more relevant question was: why aren’t more of them there?

The conclusion the room kept arriving at, from every direction, through every lens, was this: the UK’s cyber resilience problem is not primarily a technology problem, it’s a people problem, a training problem, a workforce readiness problem and that is territory we know very well.

The statistics on the cyber skills shortage are well documented. The UK needs more security professionals, better career pathways, stronger pipelines from education into specialist roles. All of that is true, and all of it matters, but it addresses only one part of the challenge, the expert end. What receives far less attention is the vast middle ground: the millions of employees across every sector who interact with sensitive systems, handle data and make decisions every day that carry cyber risk, and who have been given almost no meaningful preparation for doing so safely.

Most organisations have tackled this with an annual e-learning module and the occasional phishing simulation. That isn’t a workforce capability programme but more of a compliance exercise and there’s a significant difference between the two. One builds genuine awareness and confidence, whereas the other gives people a certificate and moves on.

AI has sharpened the problem considerably. The tools required to produce a convincing phishing attempt, a deepfake voice note, or a targeted social engineering attack have become dramatically more accessible. The sophistication gap between a skilled threat actor and an opportunistic one has narrowed. That means the pressure on ordinary employees, not security specialists, ordinary employees doing ordinary jobs, has increased, quietly and quickly, while most organisations were focused elsewhere.

When the NHS has experienced data breaches in recent years, the impact has been personal; stealing people’s health records, their diagnoses, their most private information. Those systems are operated by human beings who, in most cases, have never been given a clear framework for understanding their role in keeping that information safe. The technology can only do so much and the rest depends on the people using it.

This is where the conversation at Westminster connected directly to what we do at RGH. Through our workforce optimisation platform, Epitome, we help organisations understand their workforce at a level most have never looked at before: mapping capabilities, identifying skills gaps, and then closing them through targeted training and development. Cyber awareness is one of those gaps. For many organisations, it isn’t even on their radar as a workforce issue, because they’ve always filed it under IT. But when Epitome surfaces it, it can be addressed the same way any other capability gap is addressed; systematically, at scale, and in a way that actually builds lasting confidence rather than ticking a box.

Organisations need to stop thinking about cybersecurity as a department and start thinking about it as a culture. Ask different questions, not just “do we have a good security team?” but whether their people across every function understand enough to reduce risk. Whether awareness is built into how they onboard and develop their workforce, or whether it appears only after something goes wrong.
The next step following the APPG discussion is a white paper with recommendations for Parliament, including proposals for a nationwide cyber awareness initiative. That work is timely because the gap that most urgently needs closing isn’t the one between the number of cyber experts the UK has and the number it needs. It’s the one between the scale of the threat and the preparedness of the wider workforce facing it.

Technology will keep improving, threats will keep evolving, the organisations that build genuine resilience will be the ones that invest in their people with the same seriousness they invest in their systems.

RGH Global is a worldwide workforce optimisation, people resource and recruitment consultancy, and the strategic distribution partner for Epitome, an AI-powered workforce intelligence and development platform. Group CEO Justin Madgwick contributed to the recent APPG discussion on cyber security policy and business resilience alongside James Morris OBE, Director of The CSBR.