
Why organisations are increasingly considering Advisory Services

Organisations across the UK are facing an increasing volume of complex cyber threats at the same time as a challenging talent market.

According to DSIT's Cyber security skills in the UK labour market 2025 report, the skills gaps in basic cyber security and incident response have persisted:

  • Nearly half (49%) of businesses had a basic skills gap, struggling with essential tasks
  • Around 30% of businesses have gaps in advanced cyber skills

A significant proportion of public sector organisations (58%), businesses (31%), and charities (24%) outsourced some elements of their cyber security. In a new question asked this year to those who outsourced services, 40% of charities, 23% of businesses and 13% of public sector organisations lacked confidence in assessing whether external providers were offering value for money.

In the qualitative research, we heard that the outsourcing marketplace was confusing and fragmented, with some organisations seeking guidance on best practices for selecting providers.

In the cyber security sector, technical skills gaps among employees have increased year-on-year, with 28% of cyber security businesses reporting a gap compared to 18% in the 2021 report. The most commonly reported skills gaps were in areas like audit and assurance, digital forensics, and cryptography.

New for this year, we explored AI in cyber security. Just over half (53%) of cyber security businesses said staff were using AI in their day-to-day work and around two-thirds (65%) expected their need for AI skills among employees to increase over the next 12 months. In the qualitative research, employers expressed concern about current and future shortages of AI-related skills in cyber security.

Why organisations are increasingly considering Advisory Services
  1. Specialist skills are scarce. Employers struggle to recruit or retain the people who can translate strategy into secure architectures, AI governance and incident-ready processes.
  2. Threats are evolving fast. AI amplifies the speed and scale of attacks and introduces novel vulnerabilities that existing teams often haven’t been trained to manage.
  3. Regulation & assurance are rising. New Codes of Practice and government guidance raise the bar for demonstrating secure AI adoption and cyber assurance, and many organisations lack the internal capacity to meet them.
  4. Boards want outcomes, not just PowerPoints. There is increasing demand for measurable resilience improvements, not only strategic recommendations.

Are security outcomes achieved through consultancy or advice?

In cyber security, and the wider IT and digital professions, consultancy and advisory are often used interchangeably, but they shouldn’t be.

For organisations operating in high-assurance and regulated environments such as HM Government, Defence, Law Enforcement, and National Security, understanding the difference isn’t just semantics. It determines whether your investment delivers a report or real, actionable outcomes.

Consultancy typically delivers recommendations through an audit, a report, or a plan for others to act on later. Too often, the output is a document that highlights risks rather than helping resolve them.

An advisory partner goes further. Advisory means being embedded alongside you, helping translate strategy into operational capability, and ensuring every decision is informed by people who’ve delivered secure systems, not just analysed them.

Advisory that stops at recommendations creates a false sense of security. Without delivery, organisations can:

  • Fail audits because controls were never implemented.
  • Leave AI models and data pipelines exposed to adversarial manipulation.
  • Waste budget on plans that don’t measurably reduce business risk.
  • Miss the chance to develop in-house team capability and reduce the skills gap.

The value lies in helping an organisation reach a state of assurance where security enables, rather than restricts, mission-critical operations. A genuine security advisory partner isn’t there for snapshots in time; they remain alongside you throughout the lifecycle of your programme, adapting as risks evolve and ensuring assurance is maintained, not just achieved.

Instead of just giving recommendations, continuous assurance allows consultants to demonstrate improvements in risk posture, for example:

  • Reduced mean time to detect and respond to incidents
  • Verified effectiveness of specific controls
  • Evidence of regulatory compliance

The NCSC states: Assurance is a means of providing confidence that security controls are working in the way you expect to ensure the security of the system. Assurance should be continually sought from the controls (whether these are procedural, personnel, physical or technical) you apply to treat cyber security risks. Gaining this confidence in your risk treatments – through the effective use of assurance activities – is therefore essential for managing cyber risks.

Our Information Security Advisory & Assurance services are built on that principle. We don’t just interpret frameworks or tick compliance boxes; we help organisations achieve, and have delivered our own, assured, usable outcomes that align with mission objectives, risk appetite, and operational reality.

Our advisory services are underpinned by nearly a decade of hands-on delivery across Defence, Government and National Security sectors. We bring lived experience from designing, building, and managing secure digital environments, meaning our advice is always practical, proportionate, and proven.

  • Strengthen organisational resilience and assurance maturity
  • Align security controls to mission-driven outcomes
  • Optimise investment in people, process, and technology
  • Build confidence through continuous assurance, not one-off audits

We’ve supported clients to:

  • Achieve and maintain capabilities operating above OFFICIAL
  • Embed Secure by Design principles in complex programmes
  • Deliver Assurance as a Service and independent verification
  • Conduct threat, vulnerability, and risk assessments aligned to NCSC guidance
  • Maintain DCC (Defence Cyber Certification), demonstrating our commitment to NCSC-assured standards

In partnership with BNS Cyber, an NCSC-certified provider, we offer the full spectrum of Information Security Advisory and Assurance — from risk assessment to continuous compliance. Together, we ensure that every piece of advice is strategic, actionable, and aligned to the Secure by Design mandate.
