A blog by ECSO

Having worked on education, training and skills in its WG5 since 2016, ECSO has seen first-hand the challenges posed by the fragmentation and scattered approaches that exist within cybersecurity today. In this blog post, ECSO reflects on the existing European approaches to education and up-skilling and focuses on ENISA’s European Cybersecurity Skills Framework (ECSF).

Education is not only a national prerogative. It is it also inherently linked to collaboration between national entities, the wider cybersecurity community and European bodies. With this in mind, collaboration is key when coming up with pan-European approaches to harmonise cybersecurity education curricula and tackling the skills or, more concretely, the workforce gap. There is ample opportunity to leverage the collaborative spirit of the European cybersecurity community to deliver practical solutions and initiatives that can have an impact “on the ground”, and ENISA’s European Cybersecurity Skills Framework (ECSF) can play a big part in this respect.

Cybersecurity education: an ECSO perspective

From the perspective of the European Cyber Security Organisation (ECSO), as representative body of the European cybersecurity public-private ecosystem and community), the potential value of the ECSF is non-negligible when it comes to linking existing efforts, providing foundational elements for a European cybersecurity workforce, and delivering a common framework and taxonomy for the application of profiles and skills. Cybersecurity professionals, education & training providers, policy makers, and recruitment professionals, alike, stand to gain from the wider implementation of the ECSF.

The Challenge

It is evident that there is a growing need for a skilled cybersecurity workforce. Various studies across the globe from industry and academia confirm that the cybersecurity workforce demand is very high and that it is difficult to hire competent professionals. The 2021 edition of the annual Cybersecurity Workforce Study published by ECSO Member (ISC)² states that the shortage of cybersecurity professionals is 2.72 million globally which, although having decreased from 3.12 million the year prior, is still a significant number. While these studies offer a basis upon which to assess the global situation, the reality is that it is very difficult to quantify the extent of the cybersecurity talent shortage in Europe. We know that the demand for experts will inevitably rise due to the growth of the cybersecurity market and regulatory landscape, leaving an urgent gap to fill with more (and different kinds of) experts.

The gap in cybersecurity professionals since 2019 according to (ISC)²

But it is not only a matter of numbers. Through a recent ECSO study on HR recruitment practices and trends, ECSO has also observed an increase in the time it takes, on average, for organisations to fill their cybersecurity positions. Many organisations indicate that it may take up to six months for the recruitment process, which is slower than in order knowledge domains, while others state that they have difficulties with filling their cybersecurity positions altogether. This clearly indicates that there is a mismatch between the supply and demand (i.e. gap between academia and industry requirements) and push/pull factors (i.e. candidate suitability and assessment, attraction to jobs and benefits). However, the main issue for employers remains the general lack, worldwide, of cybersecurity specialists, while the demand is constantly growing. Several organisations also highlight the complexity of hiring experts for a domain that they do not master. ECSO’s survey also indicated that, as a growing trend, several candidates, despite lacking significant cybersecurity skills, still enrich their CV with cybersecurity concepts and keywords.

These challenges clearly highlight the need for a common language to support recruitment efforts and the importance of considering the multidisciplinary nature of cybersecurity that is so unique to the field vs the more traditional IT/ICT professions. While existing frameworks such as NICE, CyBoK, and eCF provide useful guidelines for skills development, a European framework that provides an overarching profile taxonomy and career pathways inherent to cybersecurity, has been missing. The release of the ECSF is therefore very timely and fundamental to supporting the European cybersecurity community in attracting, skilling, and re-skilling experts.

There is a solution

Result and added value

The added value of the ECSF for the European cybersecurity community is first to have a common framework and taxonomy upon which to work. This will lead to a better understanding of the skills needs and the practical realities of different job profiles, which will enhance the cybersecurity workforce, not only through more efficient recruitment and retention measures, but also through facilitating the entry or re-entry of more women and other underrepresented groups (i.e., the neurodiverse) into the field. The ECSF, in highlighting the technical and non-technical aspects of different profiles, will contribute to removing the misconception that cybersecurity is only a technical topic, when it is as much about people and processes. In this respect, emphasising the importance of soft (transferable) skills in the domain will contribute significantly to attracting more women into the cybersecurity profession. The ECSF will also reduce the fragmentation of approaches by introducing top-down guidelines for how to categorise the multifaceted nature of the cybersecurity profession. The profiles proposed by the ECSF are sufficiently broad to be able to underpin the many roles that the profession has to offer while being segmented in a way that makes it understandable and applicable for practitioners, industry experts, policy makers, recruitment specialists and job seekers alike. 

At ECSO, we are convinced that the ECSF will provide significant value to our work and support the wider community with a concrete tool for harmonising efforts and bridging the gap between the demand and supply of experts.

Written by Nina Olesen, ECSO Head of Sector on Applications & Human Factors, and supervisor of the Women4Cyber Foundation.