Axia Computer Systems Ltd

Cyber Security

The cyber skills gap is getting wider: what UK SMEs can actually do about it

Fortinet has been publishing a global skills-gap survey for several years and the headline keeps moving in the wrong direction. For UK SMEs that cannot hire a dedicated security engineer, the practical question is not how to find one — it is how to get the same outcome without one.

Cyber SecurityBy Axia Computer Systems Ltd
FortinetCyber SkillsManaged Security
The cyber skills gap is getting wider: what UK SMEs can actually do about it

The Fortinet global cyber skills-gap report has been telling the same uncomfortable story for several years: demand for skilled cyber professionals continues to outrun supply, vacancies are taking longer to fill, and the people who are available command senior salaries that most SMEs cannot justify for a single full-time hire. The numbers vary slightly year to year but the direction is consistent. For a 20-person SME in Hertfordshire the practical question is rarely "how do we recruit a CISO" — it is "how do we get the security outcome we need without one".

Why the gap is structural, not cyclical

The shortfall is not a temporary blip. The volume of regulatory and contractual pressure on SMEs has grown faster than the training pipeline can produce qualified people. Public-sector tenders increasingly require Cyber Essentials Plus, insurance questionnaires expect EDR and tested backups, large customers demand evidence of supplier security from their smaller suppliers. Meanwhile the university and apprenticeship pipeline produces a fraction of the graduates the industry needs. Even businesses with budget to hire often wait six to nine months for an experienced candidate and frequently settle for someone less senior than the role requires.

The four roles an SME actually needs

When we map the work to be done, an SME that wants to take security seriously needs four distinct skill sets: an identity and access person who can run Microsoft 365 or Google Workspace properly, including conditional access, MFA enforcement and policy hygiene; a network person who can segment the estate, manage firewalls and VPNs, and keep firmware current; an endpoint person who can deploy EDR, manage patching and respond to alerts; and an incident-response lead who knows what to do when something goes wrong. In a small team, that is four roles compressed into one or two people, often with neither the time nor the specialism to do any of them well.

Outcomes versus hires

  • Managed identity: a partner that owns your Microsoft 365 or Google tenant end-to-end, including policy, licensing, conditional access, joiners and leavers.
  • Managed network: a partner that owns the firewall, switching and Wi-Fi estate with a documented configuration standard and quarterly review.
  • Managed endpoint: a partner that owns EDR deployment, patch management and the alert response process, with named humans accountable for triage.
  • Managed response: a partner that holds the incident response plan, rehearses it with you annually, and is the first call when something goes wrong.

Each of these is a fraction of the cost of an equivalent in-house hire and bundled into a single monthly invoice. For an SME the result is coverage across all four skill areas from day one, with predictable cost and no recruiting risk. The genuine tradeoff is that you do not own the knowledge internally — if you ever want to bring it back in-house, plan a deliberate handover period rather than ending the managed contract cold.

What still has to live inside the business

Even with full managed coverage, three things still need an owner inside the business: an executive sponsor who signs off on policy and has authority at incident time, a primary contact who can make fast decisions about access, communications and business interruption, and a culture of cyber awareness that is not outsourced. Training, phishing simulations, clean-desk policy and clear reporting lines for anything suspicious all need to live with the people, not with the partner. The partner provides the technical capability; the business provides the culture in which it gets used.

We provide managed security services to SMEs across Hertfordshire, Bedfordshire and London — including a fully managed SOC adjacent service for businesses that want outcomes without the hiring problem. If you would like to compare the cost of an in-house security hire with fully managed coverage, get in touch for a short scoping conversation.

More from Cyber Security

Ready to talk?

Discuss your IT requirements with our team. Call 01923 333111 or send us a message.

Authorised trading partners