Mind the Cyber Skills Gap: a deep-dive
When we talk about new, emerging technologies, we tend to wrap them up together. Artificial Intelligence (AI), Internet of Things (IoT), Machine Learning, Robotics all blend into one big digital cacophony of terms that few of us understand - whether this is due to the difficulty or novelty of the technologies themselves. While cybersecurity often falls under this umbrella, it is far from new (or emerging), and quite different in its nature and function.
In fact, we can think of cybersecurity as an enabling technology: one that makes it possible for advances in other disciplines like AI, IoT and robotics to take place in a safe and secure online space. And as these digital technologies evolve and are increasingly adopted across sectors, cybersecurity grows in importance – and so does the need for skilled cybersecurity experts with more specialised Information and Computer Technology (ICT) knowledge that know how to keep people, systems and businesses secure.
With malignant attacks and cyber-scams growing in frequency and sophistication, the skillset of a cybersecurity professional is also evolving and changing with a rapid pace. This makes the process of educating and training cybersecurity professionals even harder; and looms over the targets of making the next decade digital and European. Education systems have been slow to respond to the realities of the labour market, and the shortage of cybersecurity experts both in Europe, and in the world, gets more and more pronounced with each next year. In Europe only, the shortage of cybersecurity professionals is close to 1 million people (around 883,000), while the number of cyber experts needed globally will soon reach 4 million. The gender gap in the cybersecurity field is yet another aspect that requires urgent attention: as the latest data suggests and as we will see below, women do not even make up a quarter of cybersecurity professionals in Europe; and they are outnumbered in terms of ICT and cybersecurity enrolment in higher education too.
Introduction
Cybersecurity is an ever-growing field: no longer a buzz word, but rather a necessity for people and businesses alike. More than 90% of households (Eurostat, 2023) in Europe access the Internet often for various reasons – from doing one’s online banking or other purchases, to using online government services or booking a holiday online. Since this involves sensitive information being shared, the safe and secure storage and handling of one’s data is a priority for all – and unless good practice protocols in cybersecurity are followed, companies, governments and people risk significant leaks of information of various nature and intents – from financial and reputation damage, to identity thefts and misuse of personal data. The digital transition means more data, more information, more connected devices: and key public, social and businesses processes today depend on it. This makes them likely targets of cyberattacks – which in recent years have risen in frequency and potential to inflict damage so much that the World Economic Forum called cybercrime a “substantial global risk” in its 2021 Global Risks Report. And this is not all. Today’s cyberattacks are more sophisticated and harder to detect, since they’ve had to evolve together with the digital transition. The accelerated adoption of technologies with a high potential for transformation and impact like Artificial Intelligence (AI) or the Internet of Things (IoT) across sectors and countries, cybersecurity professionals enable new processes to run in a smooth and secure way. In Europe, demand for cybersecurity skills rose by 22% on average in 2021 alone, with some EU Member States, like Germany, Poland or Romania, seeing a rise of over 30%.
The picture looks the same worldwide. Global cyber workforce numbers have reached an all-time high, with close to 5 million ICT experts specialised in this field currently in employment. Despite this progress, there is still a shortage of 3.4 million global cyber workers (ISC2, 2022). The demand for cybersecurity professionals shows a robust increase, especially during the period after the COVID-19 pandemic, as the OECD 2023 highlights: in one study, the number of online job announcements (OJAs) looking for cybersecurity professionals in the first half of 2022 was 5 times larger than at the start of 2012, and twice as large than at the end of 2019. Some estimates in Europe (EIT Digital 2021) suggest that that EU firms are searching for hundreds of thousands of cybersecurity experts, way more than the supply of the current talent database with cybersecurity skills. Research confirms this - more than half of EU companies reported difficulties in filling ICT vacancies according to the 2022 edition of DESI, the EU Digital Economy and Society Index – an annual index that tracks EU Member States’ digital progress across key areas, including skills.
Taking stock of the cyber gap: challenges ahead
A looming shortage of cybersecurity experts: in Europe and beyond
Europe is still falling short of cybersecurity-skilled professionals in more than one or two areas of expertise. The cyber gap is made up of several dimensions, each representing a specific challenge. Take a look at the infographic below to see some of the main aspects.
In 2022, the shortage of cybersecurity professionals in the EU ranged between 260,000 and 500,000, while the EU’s cybersecurity workforce needs were estimated at 883,000 professionals. There is also a pronounced gender imbalance in the existing pool of cybersecurity professionals: in 2022, women made up just 20% of cybersecurity graduates, and less than 20% of all Information and Communication Technology (ICT) specialists were women. Equally, women are underrepresented in STEM (Science, Technology, Engineering and Mathematics) subjects within higher education, making up just over 30% of all graduates in the field (Education and Training Monitor 2022). European universities have made sound progress in getting students excited about ICT security: the number of programs and students studying cybersecurity in higher education are growing. According to ENISA (2021), this means we could expect to see cybersecurity graduates’ number to double within the next couple of years.
Experts are hopeful about the impact of this trend on the workforce. One crucial area in which cybersecurity remains underdeveloped in Europe concerns the skills present in the workforce – something which over the years has become a ‘well-documented problem’ (ENISA 2021). On a global scale, the picture bears similarity. With more than 3.12 million jobs in cybersecurity going unfilled in 2021, the talent shortage worldwide is a cross-cutting issue that affects people, the labour force, education and digital experts alike. Looking at higher education, more effort is needed to attract people to ICT studies in general, and to cybersecurity in particular. Data from Eurostat shows that just 3.8% of graduates in the EU for 2018 received an ICT degree (Eurostat, 2020).
Still fewer women than men in cyber
Gender balance equally remains an issue, with just 20% of female students in Europe enrolled in cybersecurity programs in university (ENISA, 2021). Despite these averages, some EU Member States have made significant progress in bridging the digital gender gap. This is the case with Greece, where the share of women graduates in ICT almost doubled between 2019 to 2021, rising from 8.6% to 15.8% (World Economic Forum, 2022. Global Gender Gap Report). Getting more women interested into cybersecurity education and careers is key if we want to address this, and the lack of diversity in the sector is palpable. Data from LinkedIn shows that, amongst 12 EU countries, women make up just about 17% of the cyber workforce (this ratio is the highest in Poland – 13%, and the lowest in Italy, where women stand at 25%). Women represent less than one quarter (24%) of the global cybersecurity workforce (ISC2, 2022), and this ratio varies with age: they make up 30% of cyber professionals under 30, but just 14% of cyber employees above the age of 60. It will be hard to meet the EU’s target for 20 million ICT specialists by 2030 without improving inclusion. Based on current trends, less than 25% of ICT specialists will be female in 2030, rising from 19% in 2021. In many countries, the share is actually falling (Sekmokas & Vitaitė, 2021:8). And while some EU Member States are getting close to a more balanced ratio (women ICT specialists in Germany have topped 2 million, and those in France are above 1.5 million), based on current trends other countries are bound to lag behind when it comes to diversifying ICT. Studies point to worrying trends of an increasing gender ICT gap in countries like Bulgaria, Estonia, Ireland, Cyprus or Czechia (Sekmokas & Vitairte, 2021:15).
Mission impossible? Training cybersecurity experts
Training cybersecurity professionals takes time and effort too: both related to the higher education, but also to on-the job training, important for both up- and re-skilling. This is also the case with on-the-job training: making sure employees are trained in the latest cybersecurity and privacy approaches, or hiring qualified cybersecurity personnel can take a company from 6 months up to a year (Symantec, 2019). And if we talk about personal and professional growth, the picture gets even more complex. It can take years to become a skilled cybersecurity professional and an expert in the field, with knowledge and experience of the latest trends and developments. In a recent survey targeting cybersecurity professionals worldwide (ESG/ISSA, 2020), the majority of respondents estimated that it takes between 3 to 5 years to develop real cybersecurity proficiency; others pointed to a broader learning curve of 5 years and more.
Technology keeps changing, so it’s hard for industry personnel to keep up, and often it requires specialised knowledge that takes time to develop. According to the European Union Agency for Cybersecurity (ENISA, 2019), manufacturers and other organizations using Industry 4.0 and IoT solutions often don’t have time to train staff adequately before things change again, leaving themselves exposed to potential risks. What’s more, the training that is available is inadequate and/or expensive, making it even less feasible for SMEs.
Cybersecurity (together with IoT) is also an area in higher education, where universities have proven slow in adapting curricula or updating content so it reflects the latest technological developments, according to a 2021 report by EIT Digital that surveys the educational offer for cybersecurity in Europe. In another report by EIT Digital, which uses data from CyberHEAD, the biggest online database for higher education in ICT and cybersecurity, just 34% of bachelor’s and master’s level programs in the EU require an internship – an aspect that means many graduate students leave education with little to no practical experience, often needed to secure first-time employment in the sector.
Research shows that cybersecurity education in Europe is growing, but not evenly, and gaps affecting its quality remain (poor interaction with industry, lack of cybersecurity educators, lack of alignment with labour market realities, etc.) (Vishik & Heisel, 2015). Assessing CyberHEAD data, only 34% of EU programmes envisage a compulsory internship for students. While internships can be challenging to setup, the lack of internship opportunities may negatively impact the skills of graduates, and also make it more difficult to attain a security job given a lack of working experience.
Tackling the cybersecurity skills gap
Building cybersecurity frameworks and assessing qualifications
Several frameworks, resources and tools have been set up and commonly accepted to strengthen EU cyber competitiveness and enable cybersecurity experts to gain the skills needed to excel in a rapidly changing digital world. One example is the European Cybersecurity Skills Framework (ECFS), a practical tool that helps to identify the tasks, competences, skills and knowledge associated with the day-to-day work of cybersecurity professionals in Europe, bridging the gap between professional cyber workplaces and learning environments. The main aim of the ECFS framework is to create a common understanding between all actors of the cybersecurity ecosystem (individuals, employers, and training providers) in the EU Member States. It also supports the design of cybersecurity related training programs, and facilitates recognition of cybersecurity skills. The ECFS breaks down cybersecurity roles into 12 profiles, each of which individually assessed across pre-defined parameters (skills, responsibilities, tasks, interdependencies, etc.). Other frameworks that categorise and map out ICT and digital skills in general can also be useful and include privacy and security competence areas. For example, the EU Digital Competence Framework (DigComp), now in its 2.2 edition, includes knowledge of cybersecurity-related aspects such as privacy or sharing of personal information or data. The European e-Competence Framework (e-CF) provides common language for competences, skills and proficiency levels across Europe. Competences in the e-CF are organised according to 5 ICT business areas and related to the European Qualifications Framework (EQF). With the European Cybersecurity Act, Europe can now also benefit from a cybersecurity certification framework for products and services and a strengthened mandate of ENISA, the European Union Agency for Cybersecurity, first established in 2004.
Reducing the cybersecurity skills gap in Europe: one step at a time
Main EU initiatives and actions to bridge the cyber skills gap
Together with the European Commission, ENISA coordinates the European Cyber Security Month (ECSM) Campaign: an awareness-raising campaign that promotes cybersecurity through education, sharing of good practices, and competitions. The European Cyber Security Challenge (ECSC) is another annual competition that brings together young cybersecurity talents from across Europe to test their data security skills.
Funding under the DIGITAL Europe Programme for the period 2023-2024 include a specific work programme focusing on cybersecurity, with a budget of €375 million for the period of 2023-2024, to enhance the EU's collective resilience against cyber threats. The role of EU Digital Innovation Hubs in streamlining funding under DIGITAL towards the cybersecurity domain will foster further innovation for SMEs and the public sector. With 2023 hauled as the ‘Year of Skills’ by European Commission President Ursula Von der Leyen, the EU-wide campaign of the year is focused around addressing skills shortages, and boosting investment in training. These goals are also key priorities embedded in the Digital Education Action Plan (2021-2027), the vision for the future of education in Europe at the heart of which lie digital skills.
Supporting businesses and SMEs
A range of mechanisms exist to support businesses and especially small and medium-sized enterprises (SMEs) make the most of cybersecurity and ensure their staff can handle online risks in a competent and informed way. Numbering 25 million (or 90% of businesses in the EU), SMEs are the backbone of European economy. With fewer resources, staff and knowledge, SMEs are less likely to invest in keeping their businesses and operations secure, and also less likely to train their staff. Several factors influence the lack of cybersecurity uptake amongst SMEs, and negatively impacts employee training. Low cybersecurity awareness of the personnel and lack of ICT cybersecurity professionals to monitor and guide in difficult tasks is a big challenge for SMEs. So is lack of budget to recruit new, and train existing, employees, and weak management support. This means sensitive and critical business information in many SMEs is left unprotected. SMEs are also likely to experience problems outside of their control and are more volatile to shifts and shortages in the labour market (ENISA, 2019). Organisations also often think they safer than they actually are, with cyber threats being underestimated both at employee and management level. In 2023 ENISA launched a new tool to help Small and Medium Enterprises (SMEs) diagnose, compare and enhance their level of cybersecurity maturity and, in this way, define and tackle the cyber risks they face.
Bridging the gender gap in cyber
A range of cyber-related initiatives aim to bridge the gender divide in the cyber field too. Women4Cyber is an EU platform, which offers networking opportunities, mentorship programmes, and a variety of resources that aim to support women in launching (or keeping up with) a career in cybersecurity. The annual campaign International Girls in ICT Day raises awareness about careers in the ICT sector amongst women and girls, including in cybersecurity since its kick-off back in 2013. Tackling the digital gender gap is also of main objectives of ManagiDITH, the Master of Managing Digital Transformation in the Health Sector (ManagiDiTH). Launched in January 2023, ManagiDITH wants to reach at least 50% of female certificated students at the end of the two cycles of the master. The CyberWISER Light project (Cyber Mentoring and Training for Women in Cybersecurity) focuses on increasing female participation in the cybersecurity field through training, mentorship, and capacity-building activities.
Amongst actions that can be taken to tackle gender disparities present in the EU cybersecurity landscape, successful strategies include spotlighting women in key, important cyber positions and interviewing female graduates in cybersecurity and ICT for testimonials and inspirational quotes. Providing scholarship and mentorship opportunities to women and girls is another winning approach, with proven impact on boosting female enrolment in cybersecurity education and in the world of work. Several initiatives in Europe attempt to do exactly this. MolenGeek, an innovative tech incubator and upskilling actor, bases its activities in an area in Brussels marked by high unemployment and populated by people from low socio-economic backgrounds. The project has to break a sort of a double stigma: prejudices related to women working in ICT, and then prejudices against refugees and their integration. In partnership with Microsoft, MolenGeek provides training programs in cybersecurity together with recognised industry certifications, boosting employment for marginalised groups, and those left behind by the digital transformation. Similarly, the Kosciuszko Institute in Poland offers a cybersecurity training program for Polish women and Ukrainian refugee women. The ReDI School of Digital Integration equips refugee and underprivileged women with cybersecurity and ICT skills.
Looking ahead to a cyber-proof future
With further synergies between different initiatives on various levels, the cybersecurity skills is being bridged every day. At the same time, looming shortages point to an urgent need for more cybersecurity professionals with the skills needed to support the digital transformation of European economy and society. Increased efforts to encourage more people to go into the cyber field and ICT in general have proven successful, but more action on local, regional, national and EU level is still needed. Europe is missing around 1 million of cybersecurity experts - and the global shortage looks equally alarming. Gender disparity in the ICT field in general, and the cybersecurity field in particular, is also still very much an issue that has to be resolved if Europe is to achieve the targets of the European Digital Decade - getting to 20 million ICT experts, with gender conversion across tech fields. Businesses, and especially SMEs, need additional support and resources to train their staff, as they are less likely to embark on training programs - and a variety of initiatives on an EU level aim to provide this support to SMEs, whether it is in the form of OERs (Open Educational Resources), making software open source, or helping via mentorship and guidance.
