A blog by Nina Olesen
Having worked on the topic of cybersecurity education, training & skills in ECSO for six years now, I have seen first-hand both the challenges posed by the fragmentation and scattered approaches that exist within this area, as well as its potential to be the fertilising ground for a strong, responsible, and resilient cybersecurity ecosystem in Europe. Reaching that potential requires thorough consideration of which skills and competencies we need to strengthen in Europe in order to manage capacities. Key skills need to be developed and nurtured to navigate the digital transformation and must be directed where they are most needed and where they can help Europe master its technological capabilities and increase its sovereignty.
There is no better time than the present to leverage the collaborative spirit of the European cybersecurity community to deliver practical solutions and initiatives that can have an impact “on the ground”. Education being a national prerogative, and inherently linked to skills development, there is a need to work closely with national entities and education and training providers to build up joint, pan-European approaches to harmonising cybersecurity education curricula and tackling the skills or, more concretely, workforce gap.
It has been evident for some time now that there is a growing need for a skilled cybersecurity workforce. Various studies across the globe from industry and academia confirm that the cybersecurity workforce demand is very high and that it is difficult to hire competent professionals. The 2021 edition of the annual Cybersecurity Workforce Study published by (ISC)² [1] estimated the shortage of cybersecurity professionals at 2.72 million globally based on a survey of 4,753 cybersecurity professionals working with small, medium and large organisations throughout North America, Europe, Latin America (LATAM) and Asia-Pacific (APAC). It showed that while an IT background remains the most common career pathway taken into cybersecurity (47% of participants), slightly more than half of cybersecurity professionals got their start outside of IT— 17% transitioned from unrelated career fields, 15% gained access through cybersecurity education and 15% explored cybersecurity concepts on their own. This is important, as it underlines the need to consider non-IT/non-technical roles, upskilling/reskilling, and self-learning when dealing with recruitment and entry into the cybersecurity field. It also shows the wide coverage and multidisciplinary nature of cybersecurity that is so unique to the field vs the more traditional IT/ICT profession. While this kind of study offers a basis upon which to assess the global situation, the reality is that it is very difficult to quantify the extent of the cybersecurity talent shortage in Europe. We know that the demand for experts will inevitably rise due to the growth of the cybersecurity market and regulatory landscape so there remains an urgent need to fill the gap with more (and different kinds of) experts.
But for all the promises of opportunity and range of different jobs that cybersecurity has to offer, why are we still struggling to bridge this gap? The answer seems to lie in its uniqueness, not only as a knowledge domain, but the manner in which cybersecurity talent is attracted, recruited, and retained, as well as how we educate about cybersecurity.
There is currently wide consensus around the fact that cyber hygiene and digital skills must be taught from the earliest age possible, due to it being fundamental to ensuring online safety, digital security and preparing children to be the future users in the era of digital transformation. There is certainly a logic to teaching cyber hygiene early on if we are to equate it with the regular habit of washing one’s hands. Only by exposing children to the topic at the very beginning of their schooling can we instil a sense of awareness around the most basic concepts in cybersecurity while planting the seeds for a possible future interest in a career in this growing and ever-evolving field.
The challenge of course is how to successfully target students before graduation. It is important to start educating and stimulating an interest in digital skills and cyber hygiene from a young age and to work to fill in the gap between middle school and university. Children may lose interest in the years right before university but also tend to make their decision on what to study around 17-18 years old. It is of course also essential to improve perceptions of cybersecurity professions, highlighting the different paths to follow (both technical and non-technical), as well as the requirements needed to pursue those.
There are many fantastic initiatives across Europe focused on cybersecurity education for children and youth. Member States have been leading from the front when it comes to developing targeted cybersecurity content, campaigns, and competitions. Yet, in order to provide a meaningful and long-lasting impact at European level, there is a need to enhance the sharing of best practices and to harmonise content and approaches.
At ECSO, we have proposed a vehicle for pan-European collaboration for this purpose with our Youth4Cyber initiative, but challenges remain when it comes to finding resources and the needed scaling up of national level initiatives (and this link is fundamental considering that education is a national prerogative). The idea of Youth4Cyber is to provide an agile methodology able to adapt to each context but with clear guidelines for a minimum level of content or topics to address with different age groups, laying the foundations for a harmonised approach to cyber hygiene and cybersecurity teaching for youth in Europe. Youth4Cyber proposes 5 modules targeting the age groups 6-10, 10-14, 14-18, 18-22, and 22-26, as well as a module on ‘Train the Trainer’. We know that the implementation of efforts will be at national level but if we can provide a joint European platform and branding, we might be able to shed lighter on existing efforts and mobilise resources to help the European youth reach their potential as the digital users and cyber professionals of tomorrow.
Another challenge is to ensure that education is fit for purpose and that graduates of cybersecurity university programmes are equipped with the skills and knowledge necessary to meet the requirements of industry. At ECSO, we have developed a Minimum Reference Curriculum [2] aimed at supporting practitioners and course designers with guidelines relative to the competence & skills development framework along with pedagogical methodologies for the higher education programme requirements compatible with the European Qualifications Framework (EQF) and the European Credit Transfer and Accumulation System (ECTS). The Minimum Reference Curriculum will be a living document, to be updated every 6 months according to feedback from ECSO members and the community, as well as the latest developments in the field, and will also be mapped to the ENISA Cybersecurity Skills Framework (to be released in September 2022) [3]. The importance here is to ensure that university courses adequately reflect the realities of the needs of the cybersecurity job market while providing mechanisms that allow for a continuous and agile updating of curricula.
We should also think beyond cybersecurity-specific programmes and create stronger synergies between educational paths and professional training to include cybersecurity in a comprehensive way across disciplines. Far from being just a technical/IT topic, cybersecurity requires a good understanding of law, human factors, psychology, mathematics, cryptography, social sciences, economics, security & risk management/IT audit, etc. Cybersecurity should really be viewed as an emerging meta-discipline rather than an “add-on” discipline.
In addition to supporting university-level education, upskilling and reskilling initiatives are crucial in cybersecurity because they allow for continuous professional development and a more immediate response to the need for cybersecurity experts by reskilling existing workforce, attracting entrants from other relevant domains, and encouraging the participation of underrepresented groups.
If a greater influx of demand for skills acquisition takes place in either self-education or the labour force, then Europe must also be ready to supply such skills. Without sufficient supply, there will not only be a lack of candidates, but the job market will be too competitive which can further hinder the hiring process due to, for instance, too high salary demands. Emphasis should therefore also be placed on quick and efficient skilling / upskilling / reskilling initiatives to mobilise a wider workforce.
The skills shortage requires scalable and flexible solutions to quickly allow organisations to train and upskill their workforce. Some will rely on professional certifications to be able to attest their skills but practical skills assessment and increased staff training by employers is the best way to optimise the coverage of needed skills. In fact, when it comes to upskilling within industry, the adoption of flexible learning pathways and short-term courses, leveraging micro-credentials and online learning, is an efficient way to address the lack of available cybersecurity experts. In addition, skills frameworks should be complemented by practical competence assessment mechanisms to keep up with the needs of the job market.
Many professional certifications exist but holding an established certification does not necessarily prove to an organisation that the individual can do a specific job. Rather than focusing on the competencies required for a job, there should be an increased emphasis on observable abilities which can be assessed through realistic scenarios simulating job-specific tasks. Focusing on measurable abilities will give employers a reasonable assurance of the suitability of a person for a specific job role, along with options for simulated environments that can be used to test them [4]. The use of cyber ranges for competence building and development of cyber capabilities can trigger significant progress in this regard. The majority of security training today is done through online and face to face training courses where most of the learning occurs through listening to videos or live lectures, and through reading notes or slides. The use of cyber ranges changes that as it can provide a convenient and more cost-effective way of delivering hands-on training, as well as the associated training assessment and certification. Cyber ranges can also be used to continuously develop and test the capabilities of security professionals [5].
Focusing on upskilling programmes is also an opportunity to enhance the participation of underrepresented groups such as women, the neurodiverse, displaced migrants, people with disabilities, etc. while short trainings, bootcamps, and internships are an efficient way of opening up pathways for graduates or employees from different departments. Organisations should look beyond their traditional approaches and talent pipelines to encourage entrants that may provide a different (and needed) skillset and that can help diversify their workforce. Several studies have shown that diverse teams are more efficient, and it has been said repeatedly that a field with such a variety of roles also requires a variety of experts with different skillsets. If organisations try to push the envelope on what that means they would surely see results in growth and productivity.
When it comes to human resources aspects, approaches and best practices should cover the attraction, recruitment, and retention of workforce talent. Cybersecurity is not only an overarching domain, but also an interdisciplinary one, meaning it heavily builds on additional competences such as networking, coding or soft skills like communication and analytical thinking. For these reasons, HR professionals face the challenge where they either use a pre-set template to hire professionals trying to fit them into a job position, backed with industry accepted certificates, or try novel approaches by up- and reskilling talents in the domains required to turn them into a cyber specialist. At ECSO, we are trying to create links between our European Human Resources for Cyber (EHR4CYBER) initiative and the HR community in order to be able to better address the challenges facing the sector. There is currently no dedicated community of HR/recruitment specialists in cybersecurity in Europe so we see this as an opportunity to bring together a small network of peers to discuss concrete tools that the cybersecurity industry could support HR with to facilitate the attraction, recruitment and retention of cybersecurity talent.
AI can also be a useful tool to support recruitment efforts, to speed up the hiring process and to remove gender and other biases in job descriptions, screening, etc., while making use of remote possibilities for talent located elsewhere can be a short-term solution to workforce shortages. Overall, organisations are increasingly encouraged to adopt remote working practices to increase staff retention and recruit internationally for technical skill shortages that cannot be met locally [6]. Yet, the retention of cybersecurity experts should also be properly addressed as it is an increasingly important topic in our sector. Various measures are put in place by organisations to retain cybersecurity professionals, ranging from trainings to incentive-based schemes and remote working opportunities. Offering trainings and involving cybersecurity experts in innovative activities and projects are common ways of retaining experts but incentives and remote working opportunities are equally important factors to consider for a domain which offers the financial motivation and flexibility to do so. Yet, investing in the education of one’s cybersecurity professionals, by offering in-house or external trainings to staff, still seems to be the most important retention measure for employees. Organisations should therefore continuously evaluate their internal training plans and the degree to which they are meeting the needs of their security team and organisation. At the same time, offering competitive salaries is becoming increasingly important in hiring and retaining cybersecurity talent and is also one of the more effective ways of attracting young people into the domain.
There also seems to be a marked increase in the time it takes on average, for organisations to fill their cybersecurity positions. In a recent survey conducted by ECSO [7], many organisations indicated that it may take up to six months for the recruitment process, which is considerably slower than in order knowledge domains. Some even stated that they have difficulties with filling their cybersecurity positions altogether. This clearly indicates that there is a mismatch between the supply and demand (i.e., bridging the gap between academia and industry requirements) and push/pull factors (i.e., candidate suitability and assessment, attraction to jobs and benefits). However, the main issue for employers remains the general lack, worldwide, of cybersecurity specialists while the demand is constantly growing. This leads to a very competitive market from an organisation’s perspective, as they are forced to cope with high salary demands from candidates while several organisations also highlight the complexity of hiring experts for a domain that they do not master. Our survey also indicated that, as a growing trend, several candidates, despite lacking significant cybersecurity skills, still enrich their CV with cybersecurity concepts and keywords.
The challenges and issues faced by organisations in hiring and retaining cybersecurity professionals are many, complex, and interconnected. The expectations and attitudes of the employers sometimes exceed the real qualification and proficiency levels of the graduates and there are very limited options for HR professionals to assess this. In this respect, the discrepancy between the expectations and the actual cybersecurity competence landscape, along with the capabilities of (candidate) employees, challenges the capabilities of the HR department as it cannot complement the process as professionally and effectively as in the case of other professional domains.
A more intensive collaboration between industry and academia, not only in the identification and definition of the requirements and objectives, but also joint investments in internship programmes, equipment of practical laboratories, work-based learning, tools for hands-on learning, etc. is very necessary and urgent.
These investments should focus not just on the cybersecurity specific competence building and how to incentivise prospective candidates to take up positions, but they should also contribute to the HR professionals’ better understanding and cyber workforce related situational awareness.
In order to optimise the previously mentioned efforts, the importance of speaking the same language when it comes to the assessment and application of skills in a field as complex and diverse as cybersecurity is fundamental. ENISA’s European Cybersecurity Skills Framework (ECSF) is very welcome in this regard as it provides the European cybersecurity community with a common framework and taxonomy upon which to work. Whether it be defining university curricula or training programmes, drafting job advertisements, or developing upskilling/reskilling initiatives, the ECSF provides a common basis upon which to build the cybersecurity workforce. It will lead to a better understanding of the skills needs and the practical realities of different job profiles which will enhance the cybersecurity workforce, not only through more efficient recruitment and retention measures, but also through facilitating the entry or re-entry of more women and other underrepresented groups (i.e., the neurodiverse) into the field. In its first release, the ECSF already highlights the importance of soft / transferrable skills in the cybersecurity domain which will hopefully help remove the misconception of it as a purely technical domain while encouraging more girls and women to enter into cybersecurity education and professions. Future releases of the ECSF will put even more emphasis on this aspect which will ensure that the framework reflects the reality of the cybersecurity profession, with its variety of roles and need for technical as well as non-technical experts.
There is an urgent need to overstep the biases of the cybersecurity workforce shortage and focus on addressing the challenge by providing overarching solutions, from early education to the reskilling and retention of experts. Defining the ecosystem and stakeholders is still an ongoing process and while a lot of work has been done in the domain, an effective collaboration mechanism still needs to established and sufficient resources dedicated.
If appropriate funding from the public and private sector would be allocated to this topic, there is a chance to address the fragmentation and challenges head on and implement scalable solutions to increase cybersecurity talent in Europe on the short, medium and long term.
We are starting to understand the many complexities at play in cybersecurity education and recruitment – now we need to come together and mobilise the needed resources to deliver the solutions that will effectively meet the needs.
If we succeed, I have no doubt that unlocking the potential that exists in this domain could significantly contribute to making Europe a global leader for cybersecurity talent and expertise.
[1] (ISC)² (2021); Cybersecurity Workforce Study 2021: https://www.isc2.org//-/media/ISC2/Re-search/2021/ISC2-Cybersecurity-Workforce-Study-2021.ashx
[2] European Cyber Security Organisation (2022), Minimum Reference Curriculum – Version 2, https://www.ecs-org.eu/documents/publications/6283b1eb9bce9.pdf
[3] European Union Agency for Cybersecurity (2022), European Cybersecurity Skills Framework, https://www.enisa.europa.eu/topics/cybersecurity-education/european-cybersecurity-skills-framework
[4] Cyber Ranges (2022), Top 10 Abilities, https://top10abilities.org/
[5] European Cyber Security Organisation (2020), Understanding Cyber Ranges: From Hype to Reality, https://www.ecs-org.eu/documents/publications/5fdb291cdf5e7.pdf
[6] Cyber Ireland (2021), Cyber Security Skills Report 2021: National Survey, https://cyberireland.ie/cyber-security-skills-report-2021/
[7] European Cyber Security Organisation (2021), Understanding European Cybersecurity HR Recruitment Processes: a collaboration with the European Cybersecurity Competence Network Pilot projects, https://www.ecs-org.eu/documents/publications/6202804a65a70.pdf
News
Facts and figures