Tommaso De Zan is a Research Affiliate with the Centre for Technology and Global Affairs and a PhD Researcher in Cyber Security at the Centre for Doctoral Training in Cyber Security, University of Oxford.
It is a truism in the cybersecurity field that there is a shortage of talent. The cybersecurity skills shortage, as it is frequently called, is much discussed and usually underscored with some grim numbers: Some claim today there is a shortfall of 2.9 million cyber security professionals globally, while others predict the shortfall will get even worse in the near future. While few governments like Japan, the United Kingdom, and the United States have formulated action plans to address the shortage, the reality is more complicated.
Some experts are convinced that the shortage does not even exist. Rik Ferguson, vice president for security research at Trend Micro, said, "You're being conned. There's no such thing. It doesn't exist." Others like the European Centre for the Development of Vocational Training argue that even if the shortage exists, there are no clear effective policies and practices to address skills imbalances.
So the question remains: Is there a shortage and what evidence do we have for it? If there is one, what are countries doing to increase the pipeline of professionals?
Last year I conducted exploratory research to look further into the shortage, and my findings depict an extremely complex picture: Generally, we know there is a mismatch between cybersecurity supply and demand, but the nature of that shortage is not understood well enough to mount an effective policy response.
The perception of a shortage is evident and widespread, but the current empirical research on the shortage, which is based mainly on industry reports, is piecemeal and riddled with methodological issues. These issues include ambiguous questionnaires, ill-formulated indicators, doubtful quantifications of the worldwide shortage, and overall poor generalizability of research findings.
Despite the dubious veracity of industry reports, there is an abundance of evidence stemming from national policy documents and anecdotes from my interviews suggests that, at least in certain countries, there is a potential mismatch between cybersecurity supply and demand. For example, there were almost 314,000 active cybersecurity job openings in the United States between 2017 and 2018; in Australia between 2014 and 2016 cybersecurity salaries increased by 2.7% compared to an average annual wage growth of 1.7 per cent in the wider IT industry, signaling a scarcity of workers which in turn drives wages up. Despite these scant examples, however, so far no comprehensive measurement has been able to confidently capture the incidence, scale, and nature of the problem, at the national and even less so at the international level.
But if the shortage exists in some form, how have governments reacted to it?
The most active countries in addressing the shortage—Japan, the United Kingdom, and the United States—have attempted to target a wide range of different groups with a multi-stakeholder approach involving the three main actors in the debate, namely the government, private sector, and academia. Governments have invested mainly in higher education, research institutions, and the workforce, but we do not know to what extent these policies have worked so far, or if the policy instruments being used are even targeting the right problem.
First, policy measures implemented by some national authorities suggest that the nature of the shortage is still not well understood. For instance, few governments distinguish between policies that are trying to increase the pipeline of security professionals (under-supply) from those that are seeking to improve the quality of job candidates (under-skilled).
Second, some national policies might need recalibration. The shortage could be also caused by the lack of professional experience of graduates and the absence of entry-level opportunities. While industry reports almost unanimously depict the education and training system as the main culprit behind the shortage, the interviews I conducted suggest employers are exacerbating the problem by rarely providing entry-level opportunities and good quality training. If this conclusion is confirmed, some policies and resources could be reconfigured to ease the transition from school to the workplace.
Third, after a long enumeration of strategies, action plans, and policies, one is still left wondering how many individuals targeted by these policies have later joined the cybersecurity sector as not many governments have metrics in place to evaluate programs for reducing the shortage. To understand how to deal with the shortage, an important step would be to put in place rigorous policy evaluations of the programs that are already out there.
In an era of increasingly sophisticated cyber-attacks with the potential to disrupt all of our lives, it is wise to educate and train an adequate number of cybersecurity professionals who are able to fend off cyber-attacks. If data and systems are the essences of the new digitized economy, governments should adopt the necessary measures to guarantee their confidentiality, integrity, and availability, including by growing the right people to do it.