Maintaining cybersecurity in a constantly evolving threat landscape is a challenge for all organizations. Traditional reactive approaches, in which resources were put toward protecting systems against the biggest known threats while lesser-known threats were left undefended, are no longer sufficient. To keep up with changing security risks, a more proactive and adaptive approach is necessary. Several key cybersecurity advisory organizations offer guidance. For example, the National Institute of Standards and Technology (NIST) recommends adopting continuous monitoring and real-time assessments as part of a risk assessment framework to defend against known and unknown threats.
Major challenges that must be continuously addressed include evolving threats, the data deluge, cybersecurity awareness training, the workforce shortage and skills gap, and supply chain and third-party risks.
Additionally, organizations can gather a great deal of data on individuals who use one or more of their services. As more data is collected, the likelihood that a cybercriminal will target it to steal personally identifiable information (PII) becomes a further concern. For example, an organization that stores PII in the cloud may be subject to a ransomware attack. Organizations should do what they can to prevent a cloud breach.
Additionally, organizations can open the door to entry-level candidates by creating and promoting internship, apprenticeship, and entry-level positions, which give individuals the opportunity to gain the skills and experience needed to advance in the cybersecurity field. Collaboration between the private and public sectors, as well as academia, is also crucial in addressing the skills shortage.
In conclusion, addressing the cybersecurity skills shortage requires a multi-pronged approach that includes targeted training and education programs, incentives to attract and retain talent, building a diverse and inclusive workforce, investing in new technologies, and opening the door for entry-level candidates.
Remote work could potentially help to alleviate the shortage of cyber talent in the EU by providing organizations with access to a larger pool of skilled professionals from around the world. Remote work allows organizations to hire individuals who may not be physically present in the EU, but who possess the necessary skills and qualifications to perform the role.
In order to fully address the shortage of cyber talent in the EU, a comprehensive approach is needed. This should include standardizing cybersecurity education and certification across the EU, encouraging more individuals to enter the cybersecurity field, considering tax reform and security clearance requirements, and investing in training and development programs to help individuals acquire these skills.
A major regulatory challenge involves increasing cybersecurity. Most African countries lack a comprehensive legal framework and the institutional capacity to address cybercrime. Instead, efforts to prevent cybercrime are appearing at the more local level or are implemented by private sector actors themselves. For example, between 2015 and 2016 there was a 73 percent increase in Information Security Management System (ISMS)-certified companies, from 129 in 2015 to 224 in 2016, with the majority in South Africa, Nigeria, and Morocco. Adopting widely accepted and appropriate norms and standards such as these is a first step to increasing cybersecurity. At the same time, companies should invest in their employees to develop cybersecurity skills and integrate cyber risk protection into their decision-making process.
Due to the increasing number of cyber incidents and the overwhelming skills shortage, it is necessary to evaluate the knowledge gap between cyber security education and industry needs. The objective of this study is therefore to identify the knowledge gaps of cyber security graduates who join the cyber security workforce. We designed and performed an opinion survey based on the Cyber Security Knowledge Areas (KAs) specified in the Cyber Security Body of Knowledge (CyBOK), which comprises 19 KAs. Our data was gathered from practitioners who work in cyber security organizations. The knowledge gap was measured while acknowledging the assumption involved in treating ordinal survey responses as nominal data, and the analysis was strengthened by applying a chi-squared test. The analysis demonstrates that there is a gap, and identifying it can be used to enhance the quality of education. According to the final results, the three key KAs with the highest knowledge gap are Web and Mobile Security, Security Operations and Incident Management. Cyber-Physical Systems (CPS), Software Lifecycles, and Vulnerabilities are the knowledge areas with the largest difference in perceived importance between less and more experienced personnel. We discuss several suggestions to improve the cyber security curriculum in order to minimize these knowledge gaps.

There is an expanding demand for executive cyber security personnel in industry. High-quality university education is required to improve the qualifications of the upcoming workforce. The capability and capacity of the national cyber security workforce is crucial for nations and security organizations. A wide range of skills, namely technical skills, implementation skills, management skills, and soft skills, are required of new cyber security graduates. The use of each CyBOK KA in industry was measured against the extent to which it is taught in university environments.
This is the first study conducted in this field, and it is expected that it can inspire further research.
The best cyber security experts can be far more productive than low-skilled cyber security graduates. Skilled graduates in cyber security roles can help nations address cyber security problems in a timely manner (National Research Council, 2013). Nations therefore aim to address this skills gap in cyber security effectively and efficiently. One approach is to use industry and government partnerships with education providers. Cyber Security Challenge UK can be considered a first example that aims to increase the number of cyber security professionals and improve capacity in the UK. This not-for-profit British company organized several security competitions to address the skills shortage in the UK and increase the number of skilled cyber security professionals (Vogel, 2016). Governments are also working together with academic institutions to develop cyber security programs. In 2014, Government Communications Headquarters (GCHQ), a UK cyber security organization, accredited the cyber security MSc programs of six universities to fill the roles required in the UK (Vogel, 2016).
The Center for Strategic and International Studies (CSIS) performed a survey on cyber security skills in eight countries in 2016. The survey showed that 82 percent of employers report a shortage of cyber security skills and 71 percent of employers consider that this gap results in damage to their organizations (Crumpler and Lewis, 2019). The CSIS study also reported that the skills of cyber security operators, namely intrusion detection and secure software development, are the most difficult to find (Crumpler and Lewis, 2019). The workforce shortage applies to nearly all positions in cyber security; however, the most pressing need is for highly skilled technical expertise (Crumpler and Lewis, 2019). Similar missing skills have also been reported in the software engineering field. Because of the missing skills in new hires, companies invest resources in training them (Garousi et al., 2019). As in the case of software engineering, a similar concern exists about the mismatch between the knowledge learned in universities and the needs of the cyber security industry.
This study extends the body of knowledge on the knowledge and skill gaps of new cyber security graduates who join the labor market. We determine the important topics that are required in practice and identify the missing skills. This objective is achieved through a critical evaluation of programs and through data collected from experts in the cyber security industry. Our contributions to this study are listed as follows:
There is a considerable number of studies in the literature on cyber security awareness. In these studies, parameters covering education, trained human resources, informatics policies, and regional differences are analyzed. However, most of these studies draw on experts in the IT (information technology) sector who are not directly involved in the relevant processes. Within the scope of our study, a comprehensive analysis was made with data obtained on the basis of CyBOK, which defines the cyber security knowledge areas in a broad framework, and cyber security experts who deal with cyber incidents on a daily basis were involved.
Ahmed and Roussev stated that the peer education model, as a well-defined teaching protocol, is a good tool for delivering cyber security education effectively (Ahmed and Roussev, 2018). Wilk noted that cyberspace creates great difficulties for computer experts (Wilk, 2016); that study found that students' legal awareness of privacy and IP (intellectual property) is crucial because these aspects affect all computer professionals. Ricci et al. stated that people are generally the weakest link in the security chain with respect to cyber-attacks and identity theft (Ricci et al., 2019). Cabaj et al. stated that the current cyber security workforce is not sufficient to meet the growing demand for qualified cyber security professionals and that the shortage will increase (Cabaj et al., 2018).
A detailed quantitative survey of the cyber security labor market in the UK provides several recommendations (Research and analysis: Cyber security skills in the UK labour market, 2020). The report discusses skills gaps, required training, qualifications, the recruitment process, and skill shortages in the market. It provides insights into the skill gaps that affect the industry and employers and discusses how much training employees need to maintain standards in the cyber security sector. It also notes that university curricula should be updated regularly to give new graduates a sufficient skill set. Furthermore, it discusses guidance paths for the qualification and training processes of recruiters as well as candidates. Finally, the report recommends specific roles for government and industry to take responsibility for and help improve the sector.