The UK cybersecurity landscape in 2026 presents a strange contradiction. On paper, the sector is booming. Annual revenue is estimated at approximately £14.6 billion, representing a year‑on‑year increase of around 11%, according to UK government cyber sector analysis. In practice, many security teams still feel stretched and under-resourced. They often feel like they are just one incident away from a very difficult Monday morning.
Part of the problem is our collective obsession with the Cyber Unicorn. You know these job descriptions; they look less like professional documents and more like works of fan fiction. We see it all the time, five or six niche skillsets bundled into one role that doesn’t exist in the market. They ask for deep cloud security experience, GRC knowledge, budget ownership, and the nerves of a hostage negotiator.
Boards want these candidates available immediately, happy with hybrid work, and within a budget that hasn’t moved for three years. The result is a seniority bottleneck where senior and expert‑level roles account for the majority of reported recruitment difficulty, estimated at over 70% in recent market analyses. At some point, being “selective” stops being good governance and starts looking like waiting for a British summer that lasts more than four days.
The Cost of an Empty Chair in Cyber
Leaving a senior cyber role open is not a neutral decision. It has a measurable cost, seen in slower incident response, overloaded teams, and a mounting vulnerability backlog.
- The Understaffing Tax: Organisations with high security skills shortages are associated with data breach costs that average around £1.4 million higher than organisations with adequate security staffing, according to global breach cost studies.
- The Real-World Risk: The Capita case serves as a widely cited example of how gaps in incident response capability can materially increase impact.
- The Response Gap: The ICO issued a £14 million fine in 2025 following a breach in which suspicious activity was detected but not contained for 58 hours, against an internal one‑hour response target.
The salary you think you are ‘saving’ quickly becomes a tax on your resilience.
The 70/30 Hiring Strategy
The strongest teams are not the ones holding out for perfection. Instead, they are the ones hiring for the right 70%. This means identifying the non-negotiable foundations, such as technical judgement, learning velocity, and ownership, while being flexible on the rest.
- Predictive Power: Research consistently shows that assessing candidates on demonstrated skills is a more reliable predictor of future on‑the‑job performance than formal qualifications alone.
- The Retention Win: Organisations that invest in upskilling “70/30” hires internally see a 25% higher retention rate.
- The Loyalty Bonus: Employees hired via skills-based pathways stay in their roles 34% longer because they are actually being developed.
Hiring purely by “years of experience” in 2026 is a blunt tool. It tells you a candidate has been in the industry, but it does not guarantee they can adapt to a landscape that changes every few weeks.
Where a Strategic Cyber Partner Helps
In my experience managing recruitment delivery, I have found that the most valuable role I can play is acting as a market reality check. A good partner should not simply nod along with an unrealistic brief. They should be clear and honest when a job description creates expectations the market simply can’t meet.
With well over 10,000 cyber‑related roles advertised in a typical three‑month period, the competition is fierce. I help teams remove false barriers and identify Durable Skills, such as critical thinking and the ability to explain complex risk to a stakeholder without a 40-slide PowerPoint deck.
In a market that refuses to sit still, forward motion trumps a frozen search. A strong hire today is more valuable than a “perfect” hire who remains permanently under review. The companies that win will be the ones that hire for potential, support the remaining 30%, and stop letting the pursuit of perfection create unnecessary risk.
If you finally do find that one candidate who has fifteen years of AI experience, CISO-level calm, and a mid-level salary requirement, do us all a favour and do not hire them. They aren’t a unicorn; they’re just a hallucination from the very AI you’re trying to secure.
To discuss your cybersecurity hiring requirements or request a market reality check on an existing brief, please contact InfoSec People.
This article draws on industry research from UK government cyber analysis, global threat and breach reporting, leading talent and skills trend studies, and internal expertise, including:
GOV.UK, SANS Institute, IBM Security, ICO, McKinsey, LinkedIn, Deloitte, and Mercer.
InfoSec People is a UK-based boutique cyber and technology recruitment consultancy, built by genuine experts. Whether you’re a cyber security professional looking for a new opportunity or a business looking to build your security team, we are here to help. Contact us: our experienced recruiters are passionate about cyber security and committed to providing exceptional service.
Call us directly on 01242 507 100 to discuss opportunities or email info@infosecpeople.co.uk.