The Cybersecurity Talent Framework and European Cybersecurity Skills Framework
Recognising the Problem
The global shortfall in cybersecurity talent is a pressing issue that requires immediate attention. As digital threats proliferate, the demand for skilled cybersecurity professionals far outstrips supply. The World Economic Forum (WEF) has highlighted this crisis in its strategic Cybersecurity Talent Framework (CTF) white paper, emphasising the need for millions of industry professionals to protect our increasingly digital world.
Despite a 12.6% increase in the global cybersecurity workforce between 2022 and 2023, the talent gap remains alarmingly wide. Currently, the industry needs an additional three to four million workers globally. This shortage is projected to grow significantly, with estimates suggesting a global shortfall of over 85 million workers across various sectors by 2030. The economic impact of this gap could be staggering, potentially resulting in $8.5 trillion in unrealised annual revenue, equivalent to the GDP of the world’s third-largest economy.
Why is there a Talent Gap?
The cybersecurity talent gap is a multifaceted issue, driven by a combination of escalating demand, insufficient training pipelines and diversity challenges. As digital threats become more pervasive, organisations require increasingly robust cybersecurity teams to fend off attacks. However, the gap between global demand and available cybersecurity personnel reached 3.4 million in 2022, a 26% increase from the previous year. This discrepancy is projected to worsen, with Gartner predicting that over half of significant cyber incidents by 2025 will stem from a lack of skilled personnel and human error.
A further core reason for this gap is the mismatch between the speed of evolving cyber threats and the pace of educational and training programs. Despite the existence of academic programs and boot camps, they fail to produce graduates quickly enough to meet the surging demand. Additionally, stringent certification requirements and four-year degree mandates often exclude non-traditional and diverse talent pools.
The industry faces a significant diversity issue, with only 9% of the cybersecurity workforce being Black, 4% Hispanic and 8% Asian. Minority representation in leadership roles is even lower, despite high levels of education among these groups. Those who do enter the field often encounter high-pressure environments, heavy workloads, and the looming threat of being held solely accountable for breaches, leading to severe burnout. This combination of factors exacerbates the talent shortage and highlights the urgent need for comprehensive solutions.
Recognising the global nature of this problem, the WEF has introduced the CTF. This initiative, developed in collaboration with over 50 public and private organisations, aims to create sustainable talent pipelines and address the critical shortage of cybersecurity professionals worldwide. The Framework features four actionable approaches to dealing with the shortage:
Attracting Talent into Cybersecurity
The CTF emphasises attracting talent into cybersecurity as a crucial approach. Organisations face key challenges, including a lack of awareness about cybersecurity careers, high entry barriers, and competition from other tech sectors. Failing to attract talent can lead to increased vulnerability to cyber threats and financial losses.
To address these challenges, the CTF suggests targeted outreach programs to raise awareness, partnerships with educational institutions to develop relevant curricula, and offering internships and apprenticeships. Implementing these approaches involves creating clear career pathways, reducing certification barriers, and promoting diversity and inclusion initiatives. By adopting these strategies, organisations can build a more robust and diverse cybersecurity workforce.
Educating and Training Cybersecurity Professionals
The CTF emphasises the need for enhanced education and training for cybersecurity professionals. Current programs often fail to keep pace with rapidly evolving threats, and they lack practical, hands-on experience and alignment with industry needs.
Future cybersecurity education should incorporate dynamic, real-world scenarios, interdisciplinary studies and continuous learning opportunities. Programs must evolve to include more diverse entry pathways, such as certifications and apprenticeships, alongside traditional degrees.
Effectiveness should be regularly assessed through collaboration with industry stakeholders to ensure curricula meet current demands. Metrics for success include placement rates, skill competency, and adaptability to emerging threats, ensuring graduates are well-prepared for the workforce.
Recruiting the Right Cybersecurity Talent
The CTF underscores the importance of recruiting the right cybersecurity professionals. The search for talent involves navigating a competitive landscape with a limited pool of qualified candidates.
Actionable approaches include using skills assessments, simulations and practical exercises to evaluate and validate candidates’ competencies effectively. A skills-first approach, rather than one based on traditional qualifications, seems particularly applicable to cybersecurity. This approach prioritises practical abilities and problem-solving skills over formal degrees, enabling organisations to tap into a broader, more diverse talent pool. By focusing on demonstrable skills and real-world performance, organisations can also identify the most capable professionals to bolster their cybersecurity defences.
Retaining Cybersecurity Professionals
In the CTF, the Forum identifies retaining cybersecurity professionals as a critical approach. High turnover is often caused by heavy workloads, burnout and a lack of career advancement opportunities. Understanding the impact of attrition is essential, as losing skilled employees can compromise security and incur high replacement costs.
To boost retention, organisations should implement actionable approaches such as clear career progression paths, continuous professional development and competitive compensation packages. Prioritising mental health is crucial; providing resources for stress management and promoting work-life balance can mitigate burnout.
Tactics for retention include fostering a supportive work environment, recognising and rewarding achievements, and ensuring employees feel valued and engaged. These strategies help maintain a stable, effective cybersecurity workforce.
European Cybersecurity Skills Framework (ECSF)
Alongside the CTF, the ECSF is a strategic initiative designed to address the global shortage of cybersecurity talent by clearly defining the tasks, competences, skills and knowledge required for cybersecurity roles in Europe. It was established as part of the EU’s efforts to enhance cybersecurity capabilities and was formally introduced during the first ENISA cybersecurity skills conference in September 2022.
The principal aim of the ECSF is to create a standardised reference point for defining and assessing cybersecurity skills. This standardisation helps bridge the gap between the demand for skilled professionals and the supply of qualified individuals, as outlined in the Cybersecurity Skills Academy recently announced by the European Commission.
The ECSF has five key goals:
- Common Terminology and Understanding: Ensuring a shared language between employers, recruiters, and training providers across the EU to streamline workforce and recruitment processes.
- Identification of Critical Skill Sets: Helping educational institutions and training providers align their programs with the most essential skills required in the cybersecurity workforce.
- Role and Skill Clarity: Offering detailed insights into various cybersecurity roles and the necessary skills, including soft skills, to assist HR departments and non-experts in resource planning and recruitment.
- Harmonisation in Education and Training: Promoting consistency in cybersecurity education and workforce development across Europe, connecting cybersecurity roles with the broader ICT professional domain.
- Enhanced Cybersecurity Resilience: Contributing to better protection against cyberattacks and ensuring secure IT systems by providing structured guidance for capacity building in the cybersecurity workforce.
The ECSF works by summarising cybersecurity roles into 12 profiles, each analysed for responsibilities, skills, synergies and interdependencies. This comprehensive breakdown facilitates the recognition of essential skills and supports the design of targeted training programs.
Since its introduction, the ECSF has proven effective in creating a common understanding of cybersecurity roles and skills, aiding in the alignment of educational programs with industry needs. The framework was further discussed during the second ENISA Cybersecurity Skills Conference in September 2023, highlighting its ongoing impact and future role within the Cybersecurity Skills Academy. This initiative aims to enhance coordination among existing cyber skills initiatives, ultimately boosting competitiveness, growth, and resilience across the EU.