ARGUMENT: DIGITAL WORKFORCEThe Strategic Relevance of Cybersecurity Skills

Published 28 June 2022

Evidence suggests there is a global cybersecurity skills shortage affecting businesses and governments alike, which means that organizations are struggling to fill their cybersecurity vacancies. Tommaso De Zan writes that “the absence of cybersecurity experts protecting national critical infrastructures constitutes a national security threat, a loophole that may be exploited by malicious actors.”

Evidence suggests there is a global cybersecurity skills shortage affecting businesses and governments alike, which means that organizations are struggling to fill their cybersecurity vacancies. For example, the United Kingdom would need to attract approximately 17,500 new people every year into its cybersecurity sector to meet demand, and similar workforce difficulties have been reported in Australia, Italy, Japan, and the United States. Cybersecurity firm Fortinet depicted a stark picture of this gap in its 2022 report: 80 percent of polled organizations suffered one or more breaches due to a lack of cybersecurity skills and/or awareness, and 67 percent agreed that this shortage creates additional risks for their organizations. 

Tommaso De Zan writes in Lawfare that

Further compounding this growing skills shortage has been increasing reliance on information systems, data, and networks to facilitate daily life. Modern information and communication technologies (ICT) are the main drivers of the “information society” of which cyberspace is a constitutive element and very much intertwined with the other physical, social, economic, and political layers. Hence, the absence of professionals who could defend the technological backbones of modern societies could have dire consequences for economic development and national security. For example, when cybersecurity skills are not available in the private sector, companies may incurheavier financial losses, experience disrupted operations, or compromise customers’ privacy and safety. And if this shortage were to happen on a large scale, firms will suffer because of cyber-related incidents in addition to market-related ones.

Meanwhile, the absence of cybersecurity experts protecting national critical infrastructures constitutes a national security threat, a loophole that may be exploited by malicious actors. The importance of securing systems that are generally unclassified or nonmilitary was highlighted even during the ongoing military confrontation in Ukraine by the former head of the U.K. National Cyber Security Centre, who pointed out that “[t]he strategic vulnerability to disruption and sabotage lies not so much in the military space but in the hospital booking system (Ireland), the logistics schedule (Maersk), the political party … and thousands of other mainstream, civilian, mostly privately owned networks.” Because societies are dependent on these information technology (IT) systems, which today are subject more than ever to “elevated cyber threats,” stakeholders should have a twofold approach: start treating the cyber skills shortage as a strategic policy challenge and devise a comprehensive strategy to deal withit.

He concludes:

Compared to five years ago when I started analyzing solutions to the skills shortage, we now know moreabout the problem and what tools may be used to remedy it. However, more could be achieved if stakeholders started treating the shortage as a strategic issue requiring appropriate resources. The lack of cybersecurity professionals might harm information society’s progress and beget geopolitical confrontation, and stakeholders need to converge on strong PPPs [public-private partnerships] to find common solutions before it is too late.