European Union members have a collective cybersecurity skills shortage that may be partially addressed by a surge in new graduates -- but even that potential solution is not without its problems.
ENISA, the EU's transnational cybersecurity agency, has now raised a flag about the enduring labor market supply problem and says it won't be resolved despite a doubling of the number of graduates in the next two years.
"The number of skilled and qualified workers is not enough to meet the demand, and national labour markets are disrupted worldwide, Europe included, as a consequence," ENISA says in a new report.
"The number of graduates in the next 2-3 years is expected to double. However, gender balance is still an issue with only 20% of female students enrolled."
Free market competition for security professionals also impacts the supply of expertise to the public sector and central banks, which don't pay as much as banks and insurance companies.
ENISA separates the terms cybersecurity "skills gap" and "skills shortage" in a new report that explores how to solve the problem. The former refers to a lack of appropriate skills in the workforce to perform cybersecurity tasks within a professional setting.
The latter refers to "unfilled or hard-to-fill vacancies that have arisen as a consequence of a lack of qualified candidates for posts."
ENISA says there are 126 higher education programs from 25 countries that meet the EU's definition of a cybersecurity program. For example, a master's degree requires at least 40% of the taught modules to address cybersecurity topics. Using this definition, master's-level qualifications constitute 77% of ENISA's Cybersecurity Higher Education Database (CyberHEAD).
Remote learning became the norm during the pandemic. Still, ENISA found that only 14% of higher education cybersecurity programs are purely online, while 57% are classroom-only, and 29% are a blend of face-to-face and online learning. Online may help reduce geographic barriers to entry, argues ENISA.
The language was another barrier to entry. Of the EU programs included in the database, there were 16 languages, with 38% taught in English, 17% in Spanish, 11% in German, 7% in Italian, 5% in French, 4% in Greek, and 4% in Portuguese.
ENISA argues that an "even higher percentage of English-based programs also presents additional benefits" by producing graduates who are confident at interacting in an international setting.
University fees are another barrier to entry. Some 71% of programs required fees to enrol.
In terms of placing new graduates in the private and public sectors, ENISA found that compulsory internships were only part of 34% of EU programs. Only 23% of programs prepared students for specific professional certifications, such as CISSP, ISO 27001 and CompTIA Security+.
On the question of gender, women made up at least 20% of cybersecurity programs in only six EU nations: Romania (50%), Latvia (47%), Bulgaria (42%), Lithuania (31%), France (20%,) and Sweden (20%).
"Unfortunately, these statistics mean that, overall, most HEI programmes in Europe have particularly low levels of gender diversity," ENISA notes.
ENISA made several recommendations to address the EU cybersecurity skills shortage and gap:
- Increase enrolments and graduates in cybersecurity programs by diversifying the content, levels and languages used in the higher education curricula
- Provide scholarships, especially for underrepresented groups, and promote cybersecurity as a diverse field
- Adopt a common framework for cybersecurity roles, competencies, skills and knowledge
- Promote challenges and competitions in cybersecurity skills
- Increase collaborations between member states in sharing program results and lessons learnt
- Support the analysis of demographics (including the diversity) of new students and graduates in cybersecurity