In recent years, there has been much written about endless cybersecurity job vacancies. More recently, more has been written about how to fill those vacancies and with more urgency.
It is widely believed that cybercrime has already surpassed the drug trade as the single most profitable sector of illegal activities in the world. It is becoming clear to the layperson, that data breaches are affecting everyone, even those who barely use the Internet, because everyone’s personal data has been digitized by one company or another, and subsequently breached.
In essence, cybersecurity is not something specific to IT and its hardware and infrastructure, but embedded in business, and government and their processes that rely on IT. If cybersecurity is foundational to business, government and education, and military, then it has thus become fundamental to society as a whole and therefore, of concern to everyone.
In British Columbia, ISACA Vancouver’s commissioned two studies by Carmel Info-Risk, 5 years apart, thereby creating the unique opportunity to witness the change between two different snapshots of BC’s cyber talent pipeline from the perspective of postsecondary cybersecurity and privacy program offerings. Conclusion? This may not have been the best place to witness progress in tackling this problem.
Why? Here are key findings of the second (2021) study, which repeated the 2016 typographical methodology of looking for keywords such as information security, cyber, information protection, privacy, and secure coding, and others in the descriptions of courses offered by information technology and computer science programs at the postsecondary level.
- The number of courses fitting this scope increased some 49% over 5 years, compared to BC’s population growth rate of 7.7% as a whole during that time.
- The number of such courses that mentioned, even once, the methodology’s keywords, was approximately 12.7% in 2021, which was actually down from 13.9% in 2016.
Despite all of the high-profile breaches, and security vulnerabilities in those five years between the two studies, such as SolarWinds, and Life Labs, Facebook, and Google, and Marriott, to name a few, BC’s postsecondary cyber-related program offerings did not appear to swell and mobilize any new significantly sized legion of young minds into the industry. This was the single biggest finding in the 2021 study.
After the second study in 2021, and the surprise results in comparing to the 2016 study, came an intense harvesting of unique insights. First of all, there was an “Ah-ha” moment that the employer owns at least some if not most of the responsibility for the cyber talent pipeline shortage. If the cyber talent pipeline doesn’t really commence at the postsecondary level as the 2021 study suggests, then it must start sometime after the completion of other postsecondary programs, or perhaps part way in the early stages of other careers of a wider variety of graduates beyond IT and computer science such as internal and IT audit, general sales, marketing and communications.
Our 2021 study highlighted how little research there is in this area. For example, what kind of individuals and career professionals are actually being hired into cybersecurity today, and at what stage of their careers?
If we don’t know this, how is the postsecondary sector ever going to know what part to play in reducing the perceived size of the cyber talent shortage? This lack of visibility was a finding in itself. Still, our intense navel-gazing did yield some additional recommendations for the different stakeholders:
Recommendations For Employers
1. Employers need to look internally as well as externally for people that might be able to fill their vacancies. This may require more creative internally selling, i.e., “illuminate all of the internal career paths that can end up in their cybersecurity ranks”. Employers simply can’t wait forever for external candidates. The marketplace is much too competitive.
2. Employers must now shift from buying expensive security technologies to studying the enormous amounts of cyber analytical data that few are looking at and creating an action plan for. At the least, entry level junior cybersecurity analysts need to be created, to help turn prior cyber technology investments into actionable cyber plans.
Recommendations For Students
1. BC Students may need to think outside of the province. Yes! The study found only a handful of cyber-specific programs at the postsecondary level. According to the Canadian federal government’s own listing of institutions across Canada offering cyber programs, only 3 of 76 institutions were based in BC at time of writing, despite the province making up more than 10% of the population. This listing appears to be an online resource for students, but BC-based students looking for a cyber career on www.cyber.gc.ca will have been disappointed looking at this list as it is dominated by out-of-province programs. This might even lead them to consider a degree out of province in order to begin their cybersecurity career.
2. Students may need to think outside of the box. A number of very active professional associations have been attracting young persons in recent years, and their members, in general, are an important source of information, connections for employment, or even potential mentors. Associations such as ISACA Vancouver, VanSecSIG, MARS, and OWASP Vancouver all put on important events and conferences regularly that are open to prospective cyber students. It’s true that students may need to push themselves to circulate and network sooner than ever, even before graduation, and maybe even acquire micro-credentials to accompany their degrees, but regardless, these organizations generally exist with arms wide open to postsecondary students.
Recommendations For Government
1. Since the first study in 2016, The Canadian federal government has invested over $500 million in cybersecurity nationally, and created strategic organizations like CCCS, CCTX, Serene Risc, In-SEC-M and the National Research Council’s IRAP program. More than acronyms, these new cyber institutions are providing public awareness of cyber risks, facilitating the sharing of information on cyber threats, and subsidizing net new spend on cybersecurity services by the private sector. More funds have been provided since the 2021 study, in the Spring 2022 federal budget, towards improved critical infrastructure and national security.
In contrast, evidence of BC’s provincial government’s action on cybersecurity has been harder to find. And the loss of prestige due to chronic underfunding or neglect in cybersecurity is exemplified by the fact that no BC postsecondary institution is included in the recently announced Cyber Security Innovation Network (CSIN), which is driven by five non-B.C. universities across Canada called the National Cybersecurity Consortium (NCC).
The following four-pronged approach is suggested for the BC provincial government:
- Form a province-wide postsecondary roundtable to encourage institutions to introduce cyber programs in one domain or another. Foster the idea of different institutions each becoming centres of excellence, experts in their own domain of cybersecurity (e.g., Operational Technology/Industrial Control Systems, Mobile and Internet security, Governance, artificial-intelligence-driven security, etc.)
- Create a world class research centre of excellence at UBC, either to help track and solve endemic cyber problems like the cyber talent shortage, or to develop and commercialize new world-leading security technology. Spin-off benefits will be immense.
- Create a cyber-specific wage subsidization program that augments the federal IRAP program and helps the private sector create those all-so-important entry level / analyst positions that students graduating from postsecondary cyber programs can readily fill. An existing program that could be tweaked and replicated for cybersecurity positions specifically is the Innovator Skills Initiative program announced in Fall 2021 for general IT workers.
- Work with the federal government to offer grants and/or tax credits to prospective cyber students that will make enrollment into cyber programs irresistible.
In all of these recommendations, in order to attempt to make even a dent on the cyber talent pipeline shortage, in the coming years, diversity of talent must be kept top of mind. Whether it be reaching out to new immigrants or visible minorities, professionals from other fields (e.g., Internal Audit, Sales, Electricians), or improving participation across all genders, the cyber talent pipeline cannot afford to have any disenfranchised or overlooked talent pools on the sidelines.
With Vancouver being host to Canada’s digital technology supercluster, and a burgeoning tech sector, growth will ultimately be tied to how quickly and efficiently BC’s cyber talent pipeline shortage is addressed by, students, employers, and the provincial government alike.