Adapting higher education to address the cybersecurity skills shortage

In this Help Net Security interview, Dr. Jason R.C. Nurse, Associate Professor in Cyber Security in the School of Computing and the Institute of Cyber Security for Society (iCSS), at the University of Kent, talks about cybersecurity higher education and how it can help close the cybersecurity skills gap.

We have seen a great demand for cybersecurity professionals for quite a while, but the gap still remains. What is the main cause for this persistent issue?

The digital nature of today’s world, coupled with a substantial increase in cyber-attacks and waves of data protection regulation, has made cybersecurity a significant concern for businesses and governments internationally.

As security has grown in importance, so too has the need for skilled security professionals capable of designing, architecting, and implementing secure systems and environments. Unfortunately, the demand for such individuals has greatly overtaken the supply, resulting in the skills shortage, an issue that is further exacerbated by the skills gap where many professionals in the industry lack key required skills.

While several initiatives have been launched to address these issues, they persist, and there are various reasons why.

One of the primary causes is numeric and relates to the argument that the number of skilled professionals that exist for certain security roles is simply far lower than required. Therefore, unless persons retrain, significantly upskill, or new talent enters the market (e.g., from traditional educational routes), the problem will endure.

There is another, rather ironic, cause to the plethora of unfilled cybersecurity vacancies that also fuels skills shortage discussions. That is, many organisations today place unrealistic requirements on individuals applying for cybersecurity roles. This relates to technical expertise, years of experience, and certifications or degrees possessed. In essence, organisations are missing good candidates because they are too idealistic in their approaches to recruitment.

How can cybersecurity higher education address this shortage of qualified workers and what are the perspectives?

Higher education has played a central role in the training of individuals across countless sectors and provides a foundation through which graduates can later enter industry. The field of cybersecurity is no different.

To address the lack of qualified workers, we must target the main avenues where individuals are taught and trained. All educational and training institutions fit this remit, but Higher Education Institutions (HEIs), in particular, have risen to the challenge and increasingly provide a range of degrees and qualifications which have cybersecurity as a core component. This is beneficial for many reasons.

First, it builds awareness and allows initial exposure to the topic – for instance a student studying computing or politics can opt to take optional cybersecurity modules. Second, it enables students to specialise, as there are complete degrees concentrated on cybersecurity both at the undergraduate and postgraduate levels. This means that students who leave some HEI programmes will have more training in security than in previous years, and better equipped to take on appropriate security roles depending on their level.

Education takes time. When can we expect a positive outcome regarding skilled cybersecurity professionals?

It is certainly the case that some qualifications will be slower and others quicker. For instance, postgraduate diplomas, certificates and degrees can have turnaround times between 3 months to 2 years. Undergraduate degrees on the other hand are at least 3 years if studied full-time.

I recently had the pleasure to co-author a policy report from the European Union Agency for Cybersecurity (ENISA), titled Addressing the EU Cybersecurity Skills Shortage and Gap Through Higher Education where we considered this question of time scale. There, we found that through the HEIs programmes in Europe, the number of graduates – and thus individuals likely to enter the cybersecurity workforce – in the next 2-3 years would double. There are undoubtedly similar situations in the UK and the USA as countries continue to ramp up their training capacity.

Postgraduate qualifications, especially master’s degrees, appear to be the most popular offerings by far, which is beneficial given that they can produce graduates quicker. Such degrees also allow specialisation – therefore enable professions to upskill on a range of topics from cryptography to ethical hacking and cybersecurity management – and even career switch through conversion courses.

Why is there still a gender imbalance in cybersecurity education and how to solve this issue?

The gender imbalance in students studying cybersecurity is linked to the wider lack of diversity in Science, Technology, Engineering, and Mathematics (STEM) subjects. These subjects have traditionally failed to engage representative cohorts and even before students enter university, they do not view STEM subjects as an option. While approaches have been proposed to address this issue, its systemic nature means that it will take considerable effort and time to resolve.

From our report on cyber specifically, we found that only 20% of female students were enrolled in HEI programmes. This is lower than current estimates that women occupy 25% of cybersecurity workforce roles globally.

Addressing this issue requires a multi-tiered approach. There needs to be significant initiatives to engage females and other underrepresented groups in STEM subjects early on at the school level. This sets a good foundation and opens students to STEM-based opportunities. To boost recruitment to cybersecurity programmes in HEIs, mentoring sessions can be arranged where students meet professionals or graduated students of similar backgrounds. Scholarships can also be marketed and offered to these groups to increase awareness of the subject and its career prospects.

How has the educational system adapted to the growing demand for cybersecurity professionals? Have there been changes in the programs?

Over the last two decades, HEIs have launched a range of new programmes oriented around cybersecurity topics. These were first focused on the postgraduate level, particularly master degrees, and marketed as a way to specialise. The idea here was that an academic security qualification could compliment security certifications available including CISSP, CISM and CEH. Currently, the vast majority of cybersecurity degrees still target the master level. That being said, there has also been a gradual increase in programmes offered for undergraduates – the assumption being that students would be willing to specialise quite early in their studies.

We have also seen official bodies such as the UK’s National Cyber Security Centre (NCSC) engaging with HEIs through the creation of NCSC-certified degrees. Accredited degrees act to identify high quality degree offerings and are assessed based on skills taught, the academic team delivering the degree, student assessments, amongst other key criteria.

These developments highlight that HEIs and governments are well aware of the growing demand for cybersecurity professionals and are adapting to suit the need in terms of courses and skills.

Another area where HEI programmes are changing is in the topics their syllabi cover. Traditional security degrees have been predominately technical and centred on computer and network security, cryptography and secure programming, for instance. While these topics still feature in today’s course structures, there is also a substantial presence of new interdisciplinary topics including cyber law, the psychology of cybercrime, cyber policy, cyber terrorism, compliance, ethics, and digital investigations. These growing prevalence of these topics is critical to addressing the cybersecurity skills gap as technology is only part of the solution to the range of cyber issues we as a society face today.