Foreword by Tereza Horejsova,
Chair of Working Group on Cyber Security Culture and Skills,
Global Forum for Cyber Expertise
Cyber security has become an increasingly urgent global priority in recent years. There is clearly a serious need to increase the number of trained professionals able to tackle the cyber threats we face. If companies and other organisations are to address cyber risks effectively, they need to have the right people with the right skills.
More and more stakeholders are looking at how we can make cyber security an attractive career choice and how we can develop it as a recognised profession.
Professions such as law, medicine, engineering and accountancy all have clear career paths which employers can understand. And, perhaps more importantly, they offer a kind of status that many people would aspire to. Why not cyber security too?
The Global Forum on Cyber Expertise has developed a unique role in bringing together stakeholders from around the world to find solutions to shared challenges. At the end of 2021, the GFCE Working Group on Cyber Security Culture and Skills initiated a global survey on developing cyber security as a profession in order to gather views and ideas from different stakeholders and regions around the world. We wanted to understand how the cyber security profession is viewed and understood, as our Working Group works towards a better understanding of the skills needed in future to be a successful cyber professional, be it in a very technical field or for instance in the policy or education sphere.
I would like to thank everyone who participated and who helped us put together such a valuable snapshot of current thinking. I hope the results presented here will help develop the global debate on cyber security, provide useful insights for policy makers around the world and ultimately, contribute to cyber security being a recognised career choice.
Executive Summary
The Global Forum on Cyber Expertise (GFCE) is a multi-stakeholder community of more than 160 members and partners from all regions of the world, aiming to strengthen cyber capacity and expertise globally. This report was drawn up by the GFCE’s Working Group D on Cyber Security Culture and Skills in order to better understand different perspectives on developing cyber security as a profession, including the possible barriers that exist, qualifications and accreditations, and the role of awareness campaigns and regulation. Our survey attracted over 200 responses, broadly balanced across stakeholder groups and global regions, with some clear areas of agreement as well as some different views emerging. The full set of questions in the survey can be found at Annex A of this report.
The vast majority of respondents recognised there is a significant shortfall of cyber security professionals across the globe. Most people thought that the idea of a “cyber security professional” is unclear and that this lack of clarity is a barrier to people pursuing a career in cyber. There is very strong support for public awareness campaigns to encourage people to join the cyber security profession, but views are mixed when it comes to possible regulatory interventions.
More than half of the responses were opposed to the idea of introducing regulation such as a “licence to practise” for cyber security professionals, although support for a “licence to practise” was slightly stronger in responses from people in government and responses from people in developing countries. A majority of responses thought that introducing a “licence to practise” would create barriers to people joining the profession and that this would undermine cyber security in the long term. Responses from people in the private sector were particularly concerned about the risk of creating barriers.
Most people (68%) thought that better recognised qualifications were needed to strengthen cyber security as a profession, although this opinion was stronger in developing countries than in developed countries. The vast majority agreed that qualifications needed to be internationally recognised.
These results demonstrate the need to find a balance between strengthening the professional framework for cyber security while also avoiding introducing barriers to entry. They also bring out the different challenges faced by stakeholders in developing countries. Reflecting on these results, the GFCE community would point to recommendations in five broad areas:
1. Stakeholders should consider how best to use awareness campaigns to attract more people to pursue a career in cyber security. These should look at a full range of tools, including not only advertising but also careers advice services, school curriculum content, awareness raising for teachers and industry-led campaigns and events.
2. Governments should work with industry to consider how to raise awareness of qualifications, certifications, degrees and apprenticeship standards, reaching out both to employers and to cyber security professionals.
3. Policy makers should consider a range of interventions to develop cyber security as a profession without creating barriers to entry. Comprehensive regulation through a compulsory “licence to practise” might undermine cyber security in the long term by making it harder for people to join the profession. But policy makers can consider other more limited interventions, depending on their own circumstances, such as establishing a voluntary register of qualified practitioners.
4. Stakeholders should take into account the particular challenges faced by developing countries. We heard, for example, that the subscription rates for some professional associations can be higher than the average monthly salary for some cyber security professionals in developing countries. Some respondents to the survey also raised the affordability of qualifications. Stakeholders should consider steps to address these kinds of barriers.
5. Further research is needed, particularly in areas such as the role of universities and the need for effective and accessible training programmes. This should take into account views of all stakeholders, including governments, industry, the technical community, education experts and others.
We hope that this report will provide a useful starting point for a wider global debate on how best to develop cyber security as a profession, to attract more people to pursue a career in cyber and to support employers to identify and recruit the right people for their needs. GFCE will continue to address these issues and we encourage others to join us in this effort.