Beyond supply and demand: Addressing the multidimensional workforce gaps in cybersecurity

The shortfall between global supply and demand for cybersecurity professionals was estimated at 2.72 million in 2021. This highlights that the current skills and capability gaps within cybersecurity represent a systemic vulnerability in global cyber resilience. Thus building an inclusive cybersecurity workforce will be key to addressing this and building a resilient digital economy system.

By:

  • Dr Mamello Thinyane Senior Research Adviser, United Nations University Institute in Macau
  • Debora Christine Project Manager for Data Policy and Governance, Tifa Foundation
  • Keith Detros Programme Lead, Tech For Good Institute

The global cybersecurity workforce gap – the shortfall between supply and demand for cybersecurity professionals – was estimated at 2.72 million in 2021. This is a notable improvement from 2020, where the need for cyber talent was estimated to be at 3.12 million. While this is a step in the right direction, it is expected that the demand for skilled cybersecurity professionals will continue to grow for the foreseeable future as the cybersecurity market becomes worth more than $370 billion by 2029. The demand is primarily fuelled by growing digitalization and proliferation of digital technologies – from personal computing (e.g., wearables and human augmentation technologies), home appliances and devices (e.g., home automation and digital assistants), the internet of things, and smart city digital infrastructures, to the projected growth of the online infosphere and the metaverse. Digital technologies present opportunities for socioeconomic development and are recognized as a means of implementation for the UN Sustainable Development Goals. However, they also present significant global risks, as noted in the WEF Global Risk Report, and an increasingly profitable opportunity for malicious threat actors. Illustratively, the cost of cybercrime is estimated at $6 trillion in 2021 and projected to grow by 15% annually for the next five years. In addition, extortion demands and payouts for ransomware have been steadily increasing. Not only is there an increase in the frequency of cyber threats, but also in their novelty, variety, sophistication, impact and scale. These threats play out at a transnational level requiring multistakeholder, multilateral and global coordination capability for effective resolution. Against this backdrop, the increased demand for cybersecurity professionals is evident. However, it is important to consider the workforce gap not only in terms of the headline supply and demand numbers, but also the multidimensional aspects of cybersecurity capabilities.

1. Supply and demand gap

The supply and demand shortfall is the often-highlighted composite dimension of the cybersecurity skills gaps. The Asia Pacific region alone is in need of about 1.42 million cyber professionals. Efforts to address this gap have been made across the different skill development pipelines, from traditional higher education institutions, professional development and certification bodies, to in-house upskilling approaches. While there’s a definite effort towards meeting this overall supply and demand gap, increased enrolments in cybersecurity programmes are needed across the various pipelines. There is also a need for a coordinated multi-stakeholder effort to map out the needs in specific contexts. Furthermore, in order to address the current supply and demand shortfall, there are opportunities to leverage technological solutions, including artificial intelligence, to automate cybersecurity functions and processes.

2. Competency and social skills mismatch gaps

Cybersecurity has its roots in computing and information technology domains, which has resulted in the predominant focus on the physical and logical layers of cyberspace. This means cybersecurity is most often tackled from technological perspectives, despite the numerous socioeconomic and political implications of cybersecurity incidents. As such, the bulk of cybersecurity skills development has traditionally been shaped around technical competencies associated with identification, protection, detection, response and recovery activities for securing information and communication technology infrastructures. However, cyberspace comprises not only the physical and logical layers, but also the social layer where the human and societal elements of cybersecurity are located and the socio-technical threats such as social engineering and online abuse are increasingly proliferating. Building human and institutional capacity to address these risks requires soft skills with roots in disciplines such as psychology, sociology, communication and media studies. As a systemic and global problem, designing and implementing appropriate cybersecurity solutions therefore demands non-technical competencies such as business, management, legal, policy and diplomacy competencies. These are not just add-ons to technical skills but dedicated competency areas requiring specific skill sets and training.

3. Sectoral gaps

Digital technologies have permeated every sector of society and support critical functioning for individuals and organizations across sectors. The COVID-19 pandemic has illustrated the wide-ranging role of digital technologies to support resilience and operational continuity for public, private and civil society organizations. When adverse cyber incidents occur, they can cascade across sectors, with varying impacts on stakeholders within those sectors. There remains a cybersecurity capability gap across sectors through a combination of structural, economic and political factors. The public and private sectors are generally better resourced, more influential, more capable and cooperate more frequently to handle adverse cyber incidents. Furthermore, critical societal sectors that are not formally recognized as part of the critical national infrastructure, might not receive as much cybersecurity support as critical information infrastructure owners and providers. For example, despite increasing reliance on digital technologies and targeted exposure to cyber threats, civil society organizations remain marginalized within the cybersecurity domain with lesser support, in terms of incident response, than their private and public sector counterparts. Targeted efforts to strengthen cybersecurity capability within marginalized sectors (e.g., non-governmental organizations; micro, small and medium enterprises, and civil society organizations) are crucial, including developing dedicated programmes to upskill personnel and establishing incident response functions dedicated to these sectors.

4. Participation and diversity gaps

Cybersecurity is a complex domain that requires a diversity of expertise and perspectives to craft effective solutions. Diversity is needed for a more innovative, creative and holistic cybersecurity ecosystem and to help reduce biases and identify blind spots in the threat landscape. One of the dimensions of the cybersecurity gaps is associated with the lack of participation of women and representation of people of colour. In particular, women currently make up only 24% of cybersecurity professionals. As part of a larger and complex societal challenge, addressing the cybersecurity participation gaps requires transformative leadership and dedicated diversity, equity and inclusion strategies, and policies that address the underlying structural factors.

5. Development gaps

The recent International Telecommunications Union’s Global Cybersecurity Index notes that least developed countries also tend to score less in terms of their cybersecurity capacity. These developing countries are facing many challenges in addressing their cybersecurity capacity gaps, which includes limited financial and knowledge resources, as well as the brain drain of skilled professionals who leave their home countries in pursuit of career opportunities. While there are efforts to increase cybersecurity capability worldwide, plugging the brain drain of skilled professionals requires increasing opportunities for gainful employment and career advancement for local cybersecurity professionals in developing countries. It also requires creating opportunities and incentives to retain and attract skilled personnel.

How to improve cybersecurity resilience

The current global skills and capability gaps within the cybersecurity domain represent a systemic weakness and vulnerability in overall global cyber resilience. While some individuals, organizations, sectors and countries might be well-resourced and capable to address their cybersecurity skills demands, the transnational and connected nature of the cyber world, as well as the cascading nature of adverse cyber incidents, means that cyberspace is only as strong as its weakest constitutive link. It is therefore important to continue improving cybersecurity awareness and capacity-building efforts among various stakeholders. There is a need to continue addressing the gaps at different levels and over a spectrum of cybersecurity competencies, from initial awareness to advanced technical and managerial competencies. Worldwide efforts are under way to strengthen the whole of society’s cyber capability, targeted at addressing some of the specific gaps highlighted above:

The need for cybersecurity professionals is certainly a challenge stakeholders will continue to contend with as the digital economy continues to grow. The numbers may look staggering, with the workforce gaps in millions. But in order to address the gaps more meaningfully, it is time to recognize that the issue is more than just a discussion of supply and demand. A resilient digital economy system would need an inclusive cybersecurity workforce as well.

The views and recommendations expressed in this article are solely of the author/s and do not necessarily reflect the views and position of the Tech for Good Institute. This article was first published by the World Economic Forum on October 21, 2022.

Download Report

Download Report

Latest Updates

Latest Updates​

Keep pace with the digital pulse of Southeast Asia!

Never miss an update or event!

Mouna Aouri

Programme Fellow

Mouna Aouri is an Institute Fellow at the Tech For Good Institute. As a social entrepreneur, impact investor, and engineer, her experience spans over two decades in the MENA region, South East Asia, and Japan. She is founder of Woomentum, a Singapore-based platform dedicated to supporting women entrepreneurs in APAC through skill development and access to growth capital through strategic collaborations with corporate entities, investors and government partners.

Dr Ming Tan

Founding Executive Director

Dr Ming Tan is founding Executive Director for the Tech for Good Institute, a non-profit founded to catalyse research and collaboration on social, economic and policy trends accelerated by the digital economy in Southeast Asia. She is concurrently a Senior Fellow at the Centre for Governance and Sustainability at the National University of Singapore and Advisor to the Founder of the COMO Group, a Singaporean portfolio of lifestyle companies operating in 15 countries worldwide.  Her research interests lie at the intersection of technology, business and society, including sustainability and innovation.

 

Ming was previously Managing Director of IPOS International, part of the Intellectual Property Office of Singapore, which supports Singapore’s future growth as a global innovation hub for intellectual property creation, commercialisation and management. Prior to joining the public sector, she was Head of Stewardship of the COMO Group and the founding Executive Director of COMO Foundation, a grantmaker focused on gender equity that has served over 47 million women and girls since 2003.

 

As a company director, she lends brand and strategic guidance to several companies within the COMO Group. Ming also serves as a Council Member of the Council for Board Diversity, on the boards of COMO Foundation and Singapore Network Information Centre (SGNIC), and on the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.

 

In the non-profit, educational and government spheres, Ming is a director of COMO Foundation and Singapore Network Information Centre (SGNIC) and chairs the Asia Advisory board for Swiss hospitality business and management school EHL. She also serves on  the Council for Board Diversity and the Digital and Technology Advisory Panel for Esplanade–Theatres on the Bay, Singapore’s national performing arts centre.

 

Ming was educated in Singapore, the United States, and England. She obtained her bachelor’s and master’s degrees from Stanford University and her doctorate from Oxford.