By:
- Dr Mamello Thinyane, Senior Research Adviser, United Nations University Institute in Macau
- Debora Christine, Project Manager for Data Policy and Governance, Tifa Foundation
- Keith Detros, Programme Lead, Tech For Good Institute
The global cybersecurity workforce gap – the shortfall between supply and demand for cybersecurity professionals – was estimated at 2.72 million in 2021. This is a notable improvement from 2020, when the need for cyber talent was estimated at 3.12 million. While this is a step in the right direction, it is expected that the demand for skilled cybersecurity professionals will continue to grow for the foreseeable future as the cybersecurity market becomes worth more than $370 billion by 2029. The demand is primarily fuelled by growing digitalization and the proliferation of digital technologies – from personal computing (e.g., wearables and human augmentation technologies), home appliances and devices (e.g., home automation and digital assistants), the internet of things, and smart city digital infrastructures, to the projected growth of the online infosphere and the metaverse. Digital technologies present opportunities for socioeconomic development and are recognized as a means of implementation for the UN Sustainable Development Goals. However, they also present significant global risks, as noted in the WEF Global Risk Report, and an increasingly profitable opportunity for malicious threat actors. Illustratively, the cost of cybercrime is estimated at $6 trillion in 2021 and projected to grow by 15% annually for the next five years. In addition, extortion demands and payouts for ransomware have been steadily increasing. Not only is there an increase in the frequency of cyber threats, but also in their novelty, variety, sophistication, impact and scale. These threats play out at a transnational level, requiring multistakeholder, multilateral and global coordination capability for effective resolution. Against this backdrop, the increased demand for cybersecurity professionals is evident.
However, it is important to consider the workforce gap not only in terms of the headline supply and demand numbers, but also the multidimensional aspects of cybersecurity capabilities.
1. Supply and demand gap
The supply and demand shortfall is the often-highlighted composite dimension of the cybersecurity skills gaps. The Asia Pacific region alone is in need of about 1.42 million cyber professionals. Efforts to address this gap have been made across the different skill development pipelines, from traditional higher education institutions, professional development and certification bodies, to in-house upskilling approaches. While there’s a definite effort towards meeting this overall supply and demand gap, increased enrolments in cybersecurity programmes are needed across the various pipelines. There is also a need for a coordinated multi-stakeholder effort to map out the needs in specific contexts. Furthermore, in order to address the current supply and demand shortfall, there are opportunities to leverage technological solutions, including artificial intelligence, to automate cybersecurity functions and processes.
2. Competency and social skills mismatch gaps
Cybersecurity has its roots in computing and information technology domains, which has resulted in the predominant focus on the physical and logical layers of cyberspace. This means cybersecurity is most often tackled from technological perspectives, despite the numerous socioeconomic and political implications of cybersecurity incidents. As such, the bulk of cybersecurity skills development has traditionally been shaped around technical competencies associated with identification, protection, detection, response and recovery activities for securing information and communication technology infrastructures. However, cyberspace comprises not only the physical and logical layers, but also the social layer where the human and societal elements of cybersecurity are located and the socio-technical threats such as social engineering and online abuse are increasingly proliferating. Building human and institutional capacity to address these risks requires soft skills with roots in disciplines such as psychology, sociology, communication and media studies. As a systemic and global problem, designing and implementing appropriate cybersecurity solutions therefore demands non-technical competencies such as business, management, legal, policy and diplomacy competencies. These are not just add-ons to technical skills but dedicated competency areas requiring specific skill sets and training.
3. Sectoral gaps
Digital technologies have permeated every sector of society and support critical functioning for individuals and organizations across sectors. The COVID-19 pandemic has illustrated the wide-ranging role of digital technologies to support resilience and operational continuity for public, private and civil society organizations. When adverse cyber incidents occur, they can cascade across sectors, with varying impacts on stakeholders within those sectors. There remains a cybersecurity capability gap across sectors through a combination of structural, economic and political factors. The public and private sectors are generally better resourced, more influential, more capable and cooperate more frequently to handle adverse cyber incidents. Furthermore, critical societal sectors that are not formally recognized as part of the critical national infrastructure might not receive as much cybersecurity support as critical information infrastructure owners and providers. For example, despite increasing reliance on digital technologies and targeted exposure to cyber threats, civil society organizations remain marginalized within the cybersecurity domain, with less support in terms of incident response than their private and public sector counterparts. Targeted efforts to strengthen cybersecurity capability within marginalized sectors (e.g., non-governmental organizations; micro, small and medium enterprises; and civil society organizations) are crucial, including developing dedicated programmes to upskill personnel and establishing incident response functions dedicated to these sectors.
4. Participation and diversity gaps
Cybersecurity is a complex domain that requires a diversity of expertise and perspectives to craft effective solutions. Diversity is needed for a more innovative, creative and holistic cybersecurity ecosystem and to help reduce biases and identify blind spots in the threat landscape. One of the dimensions of the cybersecurity gaps is associated with the lack of participation of women and representation of people of colour. In particular, women currently make up only 24% of cybersecurity professionals. As part of a larger and complex societal challenge, addressing the cybersecurity participation gaps requires transformative leadership and dedicated diversity, equity and inclusion strategies, and policies that address the underlying structural factors.
5. Development gaps
The recent International Telecommunication Union's Global Cybersecurity Index notes that least developed countries also tend to score lower in terms of their cybersecurity capacity. These developing countries are facing many challenges in addressing their cybersecurity capacity gaps, which include limited financial and knowledge resources, as well as the brain drain of skilled professionals who leave their home countries in pursuit of career opportunities. While there are efforts to increase cybersecurity capability worldwide, plugging the brain drain of skilled professionals requires increasing opportunities for gainful employment and career advancement for local cybersecurity professionals in developing countries. It also requires creating opportunities and incentives to retain and attract skilled personnel.
How to improve cybersecurity resilience
The current global skills and capability gaps within the cybersecurity domain represent a systemic weakness and vulnerability in overall global cyber resilience. While some individuals, organizations, sectors and countries might be well-resourced and capable of addressing their cybersecurity skills demands, the transnational and connected nature of the cyber world, as well as the cascading nature of adverse cyber incidents, means that cyberspace is only as strong as its weakest constitutive link. It is therefore important to continue improving cybersecurity awareness and capacity-building efforts among various stakeholders. There is a need to continue addressing the gaps at different levels and over a spectrum of cybersecurity competencies, from initial awareness to advanced technical and managerial competencies. Worldwide efforts are under way to strengthen the whole of society’s cyber capability, targeted at addressing some of the specific gaps highlighted above:
- Capacity-building initiatives, including the Global Forum on Cyber Expertise, the World Bank Cybersecurity Multi-Donor Trust Fund, and (ISC)²'s recently launched One Million Certified in Cybersecurity programme, are aimed at improving cyber capability around the world.
- Women in Cybersecurity initiatives are looking to enhance the participation of women within cybersecurity.
- Communities of trust, such as the FIRST Threat Intel Coalition Special Interest Group, are providing civil society organizations with access to threat intelligence and cybersecurity support.
- The latest Guide to Developing National Cybersecurity Strategies, developed by a consortium of industry, intergovernmental and academic partners, is also providing further detailed recommendations to countries for improving and addressing their multi-dimensional cybersecurity skills gaps.
The need for cybersecurity professionals is certainly a challenge stakeholders will continue to contend with as the digital economy continues to grow. The numbers may look staggering, with the workforce gaps in millions. But in order to address the gaps more meaningfully, it is time to recognize that the issue is more than just a discussion of supply and demand. A resilient digital economy system would need an inclusive cybersecurity workforce as well.
The views and recommendations expressed in this article are solely those of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute. This article was first published by the World Economic Forum on October 21, 2022.