Published by The Lawfare Institute
Evidence suggests there is a global cybersecurity skills shortage affecting businesses and governments alike, which means that organizations are struggling to fill their cybersecurity vacancies. For example, the United Kingdom would need to attract approximately 17,500 new people every year into its cybersecurity sector to meet demand, and similar workforce difficulties have been reported in Australia, Italy, Japan, and the United States. Cybersecurity firm Fortinet depicted a stark picture of this gap in its 2022 report: 80 percent of polled organizations suffered one or more breaches due to a lack of cybersecurity skills and/or awareness, and 67 percent agreed that this shortage creates additional risks for their organizations.
Further compounding this growing skills shortage has been the increasing reliance on information systems, data, and networks to facilitate daily life. Modern information and communication technologies (ICT) are the main drivers of the “information society,” of which cyberspace is a constitutive element, very much intertwined with the other physical, social, economic, and political layers. Hence, the absence of professionals who could defend the technological backbones of modern societies could have dire consequences for economic development and national security. For example, when cybersecurity skills are not available in the private sector, companies may incur heavier financial losses, experience disrupted operations, or compromise customers’ privacy and safety. And if this shortage were to happen on a large scale, firms would suffer because of cyber-related incidents in addition to market-related ones.
Meanwhile, the absence of cybersecurity experts protecting national critical infrastructures constitutes a national security threat, a loophole that may be exploited by malicious actors. The importance of securing systems that are generally unclassified or nonmilitary was highlighted even during the ongoing military confrontation in Ukraine by the former head of the U.K. National Cyber Security Centre, who pointed out that “[t]he strategic vulnerability to disruption and sabotage lies not so much in the military space but in the hospital booking system (Ireland), the logistics schedule (Maersk), the political party … and thousands of other mainstream, civilian, mostly privately owned networks.” Because societies are dependent on these information technology (IT) systems, which today are subject more than ever to “elevated cyber threats,” stakeholders should have a twofold approach: start treating the cyber skills shortage as a strategic policy challenge and devise a comprehensive strategy to deal with it.
The Cybersecurity Workforce as a Strategic Asset
Luckily, some national authorities have already framed the lack of cybersecurity experts as a relevant issue and have recognized the need for action. For instance, the U.K. Parliament was “struck” by the government’s apparent lack of urgency in addressing the shortage, which is of “vital importance to both national security and the economy.” The U.S. government expanded on this sentiment even further, stating that:
America’s cybersecurity workforce is a strategic asset that protects the American people, the homeland, and the American way of life. The National Cyber Strategy, the President’s 2018 Management Agenda, and Executive Order 13800 …, each emphasize that a superior cybersecurity workforce will promote American prosperity and preserve peace.
If the cybersecurity workforce is a strategic asset that can promote prosperity and preserve peace, then it follows that the lack of cybersecurity workers is a strategic issue with potential geopolitical implications. And if a country could significantly increase its cybersecurity expertise by creating a proficient national cyber workforce, it would gain a comparative advantage: By nurturing the people with the right skills to fend off online attacks, that country could continue enjoying the benefits of digital advancements, as opposed to other countries that may struggle to defend themselves if they lack a security-savvy workforce.
Some governments seem aware of what cybersecurity expert Greg Austin has suggested could become a “cyber workforce arms race.” The White House in its 2018 National Cyber Strategy stated that “[o]ur peer competitors are implementing workforce development programs that have the potential to harm long-term United States cybersecurity competitiveness.” This sentiment is also shared among other superpowers, most notably China, where President Xi Jinping reportedly argued that “talent is the first resource; competition in cyber space is ultimately talent competition.”
Treating the skills shortage as a strategic issue does not imply that cybersecurity education and skills should be “securitized.” Instead, this realization should help stakeholders allocate the right resources when they plan to enhance the cyber resilience of their countries and organizations. Unfortunately, so far, the skills shortage has belied the high ranking of cybersecurity on corporate and national risk registers: Clearly, the identification of the problem has not translated into adequate investments in skills in the short or long term. For instance, it costs only 37,000 thousand euros to organize programs such as national cybersecurity skills competitions, whose goals are to help students increase their technical competencies and encourage them to choose cybersecurity as a career path, yet such competitions involve almost 18,000 talented youth in Europe every year. Not surprisingly, however, and despite the little investment needed to implement these programs, only 25 percent of national organizers think they have enough financial resources to achieve their objectives.
A Comprehensive Cybersecurity Skills Strategy
A new inclusive strategy is imperative as multiple factors continue to worsen the shortage. On the one hand, there probably are not enough students enrolling in degrees that are conducive to a career in the cybersecurity sector. For example, in the U.K., almost 80,000 students are enrolled in computer science degrees, but only 6,000 (a mere 13 percent) study cybersecurity. Moreover, both hiring managers and academics complain that students’ cybersecurity skills are often too theoretical and that students lack practical experience. Conversely, employers are not making the situation any better when they publish job vacancies with unrealistic requirements, provide no entry-level opportunities, offer salaries below market value, or do not offer adequate cybersecurity training. For example, 89 percent of cybersecurity-related job postings in the U.S. require a bachelor’s degree, 75 percent require three to five years of professional experience, and 59 percent require professional certification. Thus, because this shortage has several roots, a holistic strategy needs a strong public-private partnership (PPP), where all relevant parties convene to bring their resources and expertise to solve this problem together.
From government reforms to changes in the way businesses recruit, much can be done. While private- and public-sector entities can take some measures immediately to ease their internal shortages, the reality is that this issue requires a national-level effort. Governments should ensure that more young people become interested in cybersecurity. In Israel, cybersecurity education is taught from an early age through the famous Magshimim program. Another option is to organize effective national cybersecurity competitions such as the Italian CyberChallenge.IT, which has noted an increased interest in general cybersecurity among its participants thanks to a mix of training, career seminars, and local and national capture-the-flag events. Governments can also design cybersecurity degrees that are academically and industry relevant, as they did in France and the U.S., where national cybersecurity authorities sat with faculty and professionals to establish new standards for cybersecurity curricula. Depending on the most in-demand jobs nationally, administrations could design market-level interventions to retrain junior IT staff and help them obtain an entry-level cybersecurity role, as the U.K. has already partially done with the Cyber Skills Immediate Impact Fund. Finally, employers must also have an active role in this process and increase junior placements, reconsider entry requirements, and upskill their current workforce. As a threat research expert put it eloquently, “Once it becomes clear that off-the-shelf experts aren’t realistic at scale, cultivating entry-level talent emerges as the only long-term solution—not just for a hiring organization but for the field as a whole.”
Compared to five years ago when I started analyzing solutions to the skills shortage, we now know more about the problem and what tools may be used to remedy it. However, more could be achieved if stakeholders started treating the shortage as a strategic issue requiring appropriate resources. The lack of cybersecurity professionals might harm information society’s progress and beget geopolitical confrontation, and stakeholders need to converge on strong PPPs to find common solutions before it is too late.