Lack of Cybersecurity Talent Poses a Global Challenge and Opportunity
Sep 1, 2022
The limited supply of a skilled workforce is one of the major challenges plaguing the technology ecosystems of countries around the world. The field of cybersecurity is an excellent case study. According to the 2021 (ISC)² Cybersecurity Workforce Study, the cybersecurity workforce gap—the number of people needed to help organizations protect their critical assets from cybersecurity threats—is 2.72 million worldwide. Although down from 3.12 million the previous year, this is still a significant gap. The true shortfall is likely greater, as the study does not account for the public policy, diplomatic, or business talent in small and medium-sized enterprises. This post explores opportunities to enhance the cybersecurity literacy of policymakers, diplomats, and business leaders, and makes the case for cybersecurity workforce development across these professions.
Digital tools and services are becoming ubiquitous across sectors. As countries rapidly digitalize, complex policy questions arise about how and when to use technology, how to protect consumer privacy effectively, and what tools lawmakers should have at their disposal when a country’s critical systems are compromised via a cyberattack. Answering these questions requires policy makers to understand the capabilities of technologies active in the market and how their use cases might transform in the future. In other words, countries need policy makers who are technology literate and technologists who are policy literate—enabling the development of policies that are responsive to organizational and individual needs. Because policy makers also hold the purse strings at the national and local levels, knowledge on these topics is even more critical to ensuring adequate budget is allocated to cybersecurity activities. If this argument isn’t convincing enough, listen to Bruce Schneier’s remarks from 2019.
In the United States, and other mature markets, there are efforts to bridge the lack of technology talent in government. Efforts like Tech Congress—which gives technologists an opportunity to experience policy making firsthand—or The Bridge—a network bringing together technologists, policy makers, and politicians through events and other community activities—are examples of these efforts. Although further and broader upskilling across the national, state, and local levels must occur to enable the United States to have an informed debate about how technology should be regulated, these are steps in the right direction. Similar efforts should be replicated in emerging markets. International development donors have an opportunity to provide seed funding for these types of exchanges. In particular, they could focus on city, municipal, or state programming where major private sector actors or other stakeholders may be less likely to invest. Where starting an initiative seems unlikely, a more targeted approach—such as embedding cybersecurity courses, tabletop exercises, or lectures into already existing professional training for policymakers across government—will at minimum expose policy makers to key cybersecurity concepts and vocabulary.
These ideas do not contend with the problem of policy maker or civil servant turnover, which is why these initiatives must also be coupled with integrating cybersecurity courses and curricula into formal policy education beginning at the secondary level. This helps ensure that future generations of policy makers are already equipped with basic cybersecurity knowledge.
The global expansion of digital technology has introduced some complex foreign policy questions over the last several years. Debates about the People’s Republic of China’s Belt and Road Initiative, data localization, whether a cyberattack is considered an act of war, and announcements by heads of state that Bitcoin will be legal tender are reshaping diplomatic exchanges. Although many diplomats around the world recognize that rapid digitalization is reshaping their portfolios, many do not understand the cybersecurity implications and how these cybersecurity risks affect diplomacy. Enabling diplomats and their staff to understand how cybersecurity interplays with their area of expertise will enable emerging and mature economies alike to debate a set of international norms that will govern how countries operate in a highly interconnected world. The new Alperovitch Institute at the Johns Hopkins School of Advanced International Studies or the Chevening Fellowships focused on cybersecurity exemplify how the United States and the United Kingdom are investing in building this cadre of diplomatic professionals, at home and abroad.
Although there is much to be done in both countries, these two efforts can serve as exemplary pathways for diplomatic cybersecurity upskilling. The first is through higher education. Leading foreign policy universities and universities whose graduates are likely to choose foreign service as a career path must embed courses on cybersecurity and international relations. At a minimum, this would introduce future diplomats to the basic cybersecurity concepts—including examples of how to mitigate cybersecurity risk—and vocabulary. The second is offering prestigious professional development opportunities for mid-career leaders, which could provide a more in-depth review of global cybersecurity challenges. Alternatively, a third pathway exists, which would be to embed cybersecurity courses into existing diplomatic corps training programs. This would ensure that all diplomats are equipped with baseline cybersecurity knowledge and vocabulary prior to deploying to their posts.
Ultimately, these actions will facilitate thoughtful exchanges between nations as the world contends with how to govern a world order in an increasingly digitalized world.
Private sector decisions can have immense repercussions on how societies are organized and therefore governed. For example, the rapid transition of the urban transportation landscape with the adoption of ride-sharing apps has sparked a lively debate about labor rights and prompted cities to partner with private companies to address public transportation shortfalls.
Cybersecurity is no different. Without guidance from governments, many private sector actors—especially those with resources—pursued their own cybersecurity policies to protect their bottom line. Smaller businesses, due to a lack of resources, have under-invested in cybersecurity. Despite the private sector, particularly large firms, being well ahead of the policymaking and diplomatic community in terms of cybersecurity literacy, two challenges persist. First, there is limited information sharing about cybersecurity threats across private-sector industries despite the creation of Information Sharing and Analysis Centers. Lack of trust and fear of reputational damage are two factors that contribute to this problem. Second, small businesses’ limited adoption of cybersecurity best practices introduces vulnerabilities to supply chains. This is what happened in the 2013 cyberattack against Target, where a cybersecurity threat actor accessed Target’s system through a third-party supplier providing HVAC services. It resulted in Target paying an $18.5 million fine. Integrating cybersecurity courses into business degree curricula, or requiring a cybersecurity risk mitigation plan for small businesses integral to supply chains, could be an avenue to further increase businesses’ cybersecurity literacy.
Combined with clearer guidance from governments to improve cybersecurity information sharing and investment in cybersecurity training for small and medium-sized enterprises, the business community can demonstrate the types of upskilling policy makers and diplomats should undertake.
This post covered three careers that need further cybersecurity training. Not covered in this post, but no less important, is ensuring that women and minorities are represented in this field. I’ll be exploring that topic in a future post.