ENISA flags cybersecurity skills shortage; identifies measures to bolster workforce

Close on the heels of the U.S. Department of Homeland Security (DHS) focusing on improving federal cybersecurity talent, the EU Agency for Cybersecurity (ENISA) identified a cybersecurity skills shortage. The number of skilled and qualified workers is not enough to meet the demand, and national labor markets are disrupted worldwide as a consequence.

In the report, titled, ‘Addressing the EU Cybersecurity Skills Shortage and Gap Through Higher Education,’ the agency revealed that the number of programs and students engaged in cybersecurity higher education is growing. As a consequence, the number of graduates in the next two to three years is expected to double. However, gender balance is still an issue with only 20 percent of female students enrolled. The cornerstone of the report is its focus on the role of the higher education sector in addressing the cybersecurity skills shortage and gaps within the EU. 

The ENISA report examines data gathered by the Cybersecurity Higher Education Database, CyberHEAD, to make predictions on the future trends. The database is the largest resource of its nature and is able to provide a reliable and up-to-date snapshot of cybersecurity academic programs available across Europe.

ENISA has made use of three strategic objectives in order to classify the initiatives of member states to mitigate the cybersecurity skills shortage and gap, including raising user awareness amongst the general public, as well as primary and secondary education, strengthening training and promoting cybersecurity in higher education, and organizing cybersecurity exercises and challenges.

The ENISA report recognized that the lack of cybersecurity professionals is usually discussed in the context of the cybersecurity skills gap and cybersecurity skills shortage. These are two distinctive, albeit closely related, issues. The cybersecurity skills gap is seen to refer to a lack of appropriate skills in the workforce to perform cybersecurity tasks within a professional setting. On the other hand, the skills shortage refers to a lack of cybersecurity professionals to fill cybersecurity roles or, as aptly defined, the ‘unfilled or hard-to-fill vacancies that have arisen as a consequence of a lack of qualified candidates for posts. Both these aspects have been dealt with in this report. 

There have been various attempts to address the cybersecurity skills shortage and gap, such as policy changes in higher education programs, closer engagement between academia and industry, and an increasing number of security certifications and training opportunities, ENISA said. Educators, in particular, are often viewed as central figures, as evidenced by existing research using France, Germany, Netherlands, Spain, Italy, and the UK as units of analysis. 

One important question for the EU is how such national policies, programs, and interventions, including any additional ones from industry and academia, may apply to the EU as a whole, and whether they can help in addressing the cybersecurity skills shortage and gap. Therefore, in the report, the agency intends to pursue these questions to provide insights and recommendations that are suitable in an EU context, the report added.

ENISA contributes to both practice and research on the cybersecurity skills shortage in two distinctive areas. Firstly, it provides an overview of the current supply of cybersecurity skills in Europe through an analysis of data gathered and generated by the recently established Cybersecurity Higher Education Database (CyberHEAD). Secondly, it describes the policy approaches adopted by EU member states in their quest to increase and sustain their national cybersecurity workforces.

The ENISA report also analyzed the policies and approaches adopted by member states, classifying them according to the ENISA National Capabilities Assessment Framework (NCAF). The framework covers awareness, training, challenges and exercises. It includes the list of actions taken around Europe, not only to increase the cybersecurity workforce but also to increase the quality of candidates and equip them with such skills needed and requested the highest in demand on the job market. 

Based on the data collected and analyzed, the ENISA report makes five recommendations to address the EU cybersecurity skills shortage and gap. It seeks to increase enrolments and eventually graduates in cybersecurity programs through the diversification of the higher educational institutes (HEIs) curricula in terms of content, levels, and language. It also aims to provide scholarships, especially for underrepresented groups, and more active efforts to promote cybersecurity as a diverse field.

The agency intends to support an unified approach across government, industry, and HEIs by adopting a common framework regarding cybersecurity roles, competencies, skills and knowledge, and promoting challenges and competitions in cybersecurity skills. It also chooses to work in the area of increasing collaborations between member states by launching European cybersecurity initiatives with shared objectives, and sharing of the outputs of programs, including results and lessons learned. 

The European agency also sought to promote analysis of the cybersecurity market needs and trends by identifying the metrics showing the extent of the problem and possible measures to cope with it.  

ENISA will also support the promotion of CyberHEAD and its further evolution, in order to facilitate ongoing understanding of the status of cybersecurity higher education programs in the EU, monitor trends regarding the number of cybersecurity graduates who could potentially fill current vacancies in the sector, and support the analysis of demographics, including the diversity, of new students and graduates in cybersecurity. It will also assist in monitoring the effectiveness of cybersecurity initiatives targeting the supply side, and demonstrate the value of CyberHEAD for HEIs as well as incentivize HEIs to submit their programs to CyberHEAD.

ENISA also engages in a number of actions that support and strengthen the enhancement of cybersecurity skills and competence across sectors and at all levels, from non-experts to highly technically skilled professionals. These initiatives aim to align with the EU’s Digital Education Action Plan. To this end, ENISA promotes and analyses cybersecurity higher education in the EU in order to respond to the current shortfall in the cybersecurity workforce, the agency said.

A recent report from the U.S. Government Accountability Office (GAO) said that the federal government faces a severe shortage of digital expertise in fields such as artificial intelligence and cybersecurity. A recent report urged establishing a new service academy, similar to the military academies, to train future digital civil servants.

The agency collected opinions from technology leaders from government, academia, and nonprofits to discuss such an academy and related issues. Their comments included that an academy might best focus on master’s degrees because agencies need staff with advanced skills, current federal digital staff compensation is not competitive, and digital staff may not be willing to endure the lengthy federal hiring process, GAO said. 

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.