Exclusive: Bridging the cybersecurity skills gap

The demand for cybersecurity professionals has been increasing for some time now and any significant shortage of experts inevitably creates risks for national security, organisations and citizens. As the field is constantly evolving, it also becomes harder for both employees and employers to assess who has the right qualifications for open positions. As an industry, we are still very dependent on professional certifications that are US-centric and not based on formal training.

In some European countries, steps have been taken to set up a certification scheme and, in some cases, this includes validating that formal education support these certificates. Yet, the uptake of these schemes is still limited and there remains a lack of alignment with existing competence frameworks. In this respect, ENISA’s Ad-Hoc Working Group on the European Cybersecurity Skills Framework is a positive step forward in the development of a comprehensive European approach. The WG will advise and aid ENISA in developing a skills framework for a common understanding of the roles, competencies, skills and knowledge used by individuals, employers and training providers across the EU Member States.

At ECSO, our Working Group 5 (WG5) is focused on skills, education, training, awareness and cyber ranges and has, since 2016, worked on addressing the cybersecurity skills gap and the need for increased cyber resilience through key publications and concrete initiatives.

Supporting HR

Our European Human Resources Network for Cyber (EHR4CYBER) Task Force aims to create awareness among private companies, regional/local administrations and EU decision makers about the need to develop skills and training measures which will address the demand in the cybersecurity field. Our aim here is to develop a common benchmarking system in cybersecurity recruitment, foster collaboration through the exchange of best practices, harmonise skills and training approaches in Europe and support the recruitment process of cybersecurity specialists.

Addressing the lack of gender diversity in cyber

We launched Women4Cyber in January 2019 with the aim of attracting more women to the field to meet the growing demand for cybersecurity professionals. We had such a positive response to the initiative that we created a dedicated non-profit European private foundation in September 2019 (Women4Cyber ‘Mari Kert-Saint Aubyn’ Foundation) to promote, encourage and support the participation of girls and women in cybersecurity. Cybersecurity roles require a wide range of skills, both hard and soft and a variety of experts will be needed to face the increasing challenges brought on by digital transformation, which is why gender inclusion is so crucial. The Women4Cyber Foundation was established with this goal in mind and has achieved significant results so far, with the launch of the Women4Cyber Registry in collaboration with the European Commission, an online role model campaign and book contest, the organisation of Masterclasses and the formal launch of three national chapters (Spain, North Macedonia and Albania) with many more in the pipeline.

Educating and raising the awareness of European youth

Our Youth4Cyber initiative focuses on educating and raising the awareness of young people (6 to 26-year olds) on cybersecurity. It aims to increase the level of cyber hygiene and to stimulate an interest for a career in cybersecurity among the European youth. Through a set of modules targeting specific age groups, Youth4Cyber endeavours to teach young kids about cyber hygiene and basic cybersecurity concepts and young adults on cybersecurity trends and the different possible career paths in cyber.

Linking education curricula with industry needs

There is a need to create stronger synergies between educational paths and professional training and to design education curricula to include cybersecurity in a comprehensive way. Far from being just a technical/IT topic, cybersecurity requires a good understanding of law, human factors, psychology, mathematics, cryptography, social sciences, economics, security & risk management/IT audit, etc. Cybersecurity should be viewed as an emerging meta-discipline rather than an “add-on” discipline. We are currently working with our members to develop minimum reference model curricula for cybersecurity which reflect industry needs and which can be used by education providers as a reference point for course design.

Advocating a skills and abilities verification approach

The skills shortage requires scalable and flexible solutions to quickly allow organisations to train and upskill their workforce. Competence frameworks should be complemented by practical competence assessment mechanisms to keep up with the needs of the job market. Many professional certifications exist but holding an established certification does not necessarily prove to a company that the individual can do a specific job. EHR4CYBER has therefore launched a ‘Top 10 Abilities’ initiative which aims to provide immediate answers to employers who try to understand if a person can do a specific job. Rather than focusing on the competencies required for a job, the emphasis is on observable abilities which can be assessed through realistic scenarios simulating job-specific tasks. Here, we are focusing on measurable abilities that will give employers a reasonable assurance of the suitability of a person for a specific job role, along with options for simulated environments that can be used to test them.

Showcasing European cyber ranges, including the use of realistic environments to train staff and assess skills

The past years have seen the development of a number of cyber range technologies, products and national and international initiatives. Cyber range technologies and cyber ranges today are able to deliver several use cases, including for competence building, skills assessment and recruitment. ECSO is working on bringing together the European cyber range community (European/national/regional), in particular, the different European cyber range providers, to provide visibility to European cyber range solutions and make the European cyber range community the reference point for cyber range methodologies, concepts and best practices. This will include the organisation of workshops to highlight specific use cases and link providers and end users. One such use case will be focused on training and skills assessment, specifically on how we can use cyber ranges or cyber-range enabled services to test the previously mentioned approaches and help grow the cybersecurity workforce.

With these efforts, we hope to bring added value to the European cybersecurity community and citizens to reduce the skills gap and raise the cyber resilience of our economy, infrastructure and society. I hope that many will join us in our endeavour.

By Nina Olesen, Senior Policy Manager, European Cyber Security Organisation