Numerous indicators demonstrate unequivocally that there is an acute skills gap in the cybersecurity sector worldwide. It is estimated that organisations need around 4 million cybersecurity professionals and that the labour market would need to expand by 145% in order to meet demand.[1] In 2019, the shortage had a negative impact on almost three-quarters of organisations resulting in a significantly increased workload on those already in cybersecurity employment which, in turn, prevented these workers from having the time to learn new skills.[2]
As it stands, the cybersecurity skills shortage will only increase, with the lack of qualified professionals in the labour market posing a risk to both economic development and national security. Establishing a big enough pool of cybersecurity professionals to defend information systems is, therefore, becoming a priority for policymakers. This is often reflected in countries’ cybersecurity strategies, such as the UK’s National Cyber Security Strategy 2016-2021.[3] The challenge is a multidimensional policy issue that requires the attention and cooperation of all relevant stakeholders including the government, academia, and industry.
A recent report published by the European Union Agency for cybersecurity (ENISA), focuses on the state of cybersecurity education.[4] ENISA argues that many of the current recruitment challenges across European countries could be overcome by rethinking and redeveloping cybersecurity, educational, and training pathways in a way that clearly and comprehensively defines the knowledge and skills that students should possess upon graduation. One of the main challenges, according to the report, is that employers are finding it difficult to recognise and evaluate the skills of potential candidates have – if they have even found one at all. Reaching an agreement among stakeholders on what set of soft and technical skills cybersecurity students should acquire is, therefore, a crucial step in facilitating the development of a sustained cybersecurity workforce.
ENISA examines in the report how cybersecurity degree certification can help governments address the skills shortage. When a national authority such as the UK’s National Cyber Security Centre (NCSC)[5] awards certification, it attests that the degree meets a set of standards that a group of subject matter experts determined necessary for a degree focusing on cybersecurity. The aim of the certification scheme is to increase the quantity and quality of graduates with employable skills, help employers understand the skills and knowledge that students have developed along their academic journey, and support prospective students in navigating and assessing their degree options. By way of reducing the shortage in skilled professionals and mitigating the associated national security vulnerabilities, this is a critical step.
The report’s authors explore how four countries: Australia, France, the UK and the US have redesigned cybersecurity degrees to incorporate certification schemes in an effort to limit the impact of cybersecurity skills shortage. In addition to the NCSC in the UK, Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI)[6] in France; the Department of Homeland Security (DHS)[7] and the National Security Agency (NSA)[8] in the US; and the Department of Education in Australia, have certified a total of around 400 cybersecurity degrees.
Despite some variations in both the requirements of certification and their implementation in the four countries, the researchers identified six requirements for a certified higher education cybersecurity degree that were consistent. These were outlined as follows:
- A minimum amount of credits dedicated to cybersecurity courses and activities.
- A structured curriculum that includes a practical component or specific types of examinations and activities such as cybersecurity competitions.
- A high-quality teaching faculty, which could include lecturers from the industry.
- A broad multidisciplinary approach to cybersecurity.
- Outreach activities and collaborations with the rest of the national cybersecurity ecosystem.
- Information on academic and employment outcomes.
The publishing of the report was accompanied by the launch of ENISA’s cybersecurity Higher Education Database, which gathers, organises, and displays a comprehensive overview of cybersecurity degrees across Europe.[9] The platform offers a search tool that allows users to explore cybersecurity degrees and filter them by country, type of programme, and delivery method.
The database, according to ENISA, aims to assist those of school and university age, with a passion for technology, make informed decisions about their future education in cybersecurity. It will also serve as the main point of reference for anyone looking to pursue career-level qualifications in the field.
Through the ongoing collaboration across government, industry and academic institutions, the UK has made significant progress in identifying and developing practical activities and initiatives to develop cybersecurity skills that meet businesses’ needs. However, the cybersecurity ecosystem continues to evolve rapidly, and it is crucial to make sure we remain focused on the right skills areas to create fertile ground for long-term and sustainable transformation. It is also important not to underestimate the magnitude of the challenge facing the UK in securing the talents necessary to meet increasing demand. Weak uptake of STEM (Science, technology, engineering, and mathematics) subjects, the limited exposure to cybersecurity as a viable long term career option, the relative immaturity of cybersecurity as a profession, and the woeful underrepresentation of both female and BME leaders in the field, are all challenges that continue to hinder the establishment of a truly diverse and reliable cybersecurity workforce. As universities seek to develop and embed employable cybersecurity skills into academic curricula, strong business leadership and partnership are more important than ever in strengthening the pipeline of future talent.
Sources:
[1] https://www.isc2.org/Research/2019-Cybersecurity-Workforce-Study#
[2]https://www.esg-global.com/hubfs/pdf/ESG-ISSA-Research-Report-Life-of-Cybersecurity-Professionals-Apr-2019.pdf
[3] https://www.gov.uk/government/publications/national-cyber-security-strategy-2016-to-2021
[4] https://www.enisa.europa.eu/publications/the-status-of-cyber-security-education-in-the-european-union
[5] https://www.ncsc.gov.uk
[6] https://www.ssi.gouv.fr/en/
[7] https://www.dhs.gov
[8] https://www.nsa.gov
[9] https://www.enisa.europa.eu/topics/cyber security-education/education-map/