In 2023, there were an estimated 2,365 cyberattacks. On top of this, there is a global shortage of at least 4 million cybersecurity professionals. The World Economic Forum and Accenture 2024 Global Security Outlook reports that 71 percent of organizations have unfilled cybersecurity positions. Cybersecurity preparedness is critical for preventing and responding to future attacks and without a skilled workforce, investments will fall short. In May, DAI hosted two sessions and joined international cybersecurity stakeholders at the RSA Conference (RSAC). At the conference, various approaches for boosting cybersecurity preparedness were discussed, including integrating human-centered practices, introducing tabletop exercises, and dedicating resources to target-rich, cyber-poor organizations.

1. Take a Human-Centered Approach to Cybersecurity Workforce Development

USAID’s Cybersecurity Primer acknowledges that cybersecurity is how people, processes, and systems protect information kept in digital formats. Cyberattacks occur when actors illegitimately access digital systems and data. Research studies, including from Stanford University, confirmed that nearly 90 percent of cyber breaches are caused by human error or behavior. Speakers at RSAC from the White House Office of the National Cyber Director and Purdue University emphasized the need for a human-centered cybersecurity approach to bolster workforce development. This approach entails “championing the human in cybersecurity” by focusing cyber defense efforts on user behavior and preferences not just tools and metrics. As a starting point, some recommendations include:

• To address slow curricula development, academia, the private sector, and state and local governments should increase collaboration. Employers must regularly talk to academia about what skills they need and how they can be applied. This is especially important as the cybersecurity field continues to evolve with new threat actors, new techniques, and the adoption of transformative technologies such as artificial intelligence (AI) and the internet of things (IoT).
• To cultivate new professional talent, public and private sectors should sponsor cybersecurity internships for students to gain real-life experience across a variety of industries. Some cybersecurity certifications require a minimum amount of work experience, which internships could help satisfy.
• To address the global cybersecurity skills gap, development assistance programs should prioritize cybersecurity education and work with local universities or vocational schools to develop robust curricula, training, and internships.
• To increase general cybersecurity awareness, it is necessary to build cyber-safe behaviors of nontechnical professionals. This includes people who do not work with computer systems or advanced software or hardware, but interact with email, teleconferencing tools, or other basic technologies as part of everyday life. A significant amount of cyberattacks come from identity-based avenues, such as logging into company emails or accounts. Improving basic cyber hygiene helps individuals understand the importance of simple prevention tactics like keeping their passwords and data safe and identifying phishing attempts.

2. Simulate Real-Life Scenarios to Increase Preparedness

Tabletop exercises can be an effective and engaging way to impart cybersecurity knowledge and skills for a variety of professionals at different levels. A tabletop exercise is a simulation of a cyberattack or cyber breach that allows participants to learn through roleplay. For organizations that already have an incident response and preparedness strategy, tabletop exercises can be a valuable resource to play out the process and iterate the steps to optimize security responses. For organizations that have invested less into incident response, tabletop exercises can present real-life scenarios for staff to learn from. Some benefits of these exercises are:

• Reactive to proactive mindset: A tabletop exercise can demonstrate to executive staff the importance of investing in cybersecurity resources for proactive preparedness instead of responding after an attack when the systems or data are compromised.
• Vulnerability identification: A tabletop exercise can help an organization understand and identify where potential vulnerabilities exist, such as through certain assets such as email, databases, or staff cyber hygiene and awareness.

DAI organized a tabletop exercise during RSAC where participants roleplayed as staff responsible for cybersecurity at a fictional company. They were tasked with investing in new security controls and responding to cyberattack scenarios at a power plant over several years. The exercise, customized for critical infrastructure organizations, was modeled on the University of Bristol’s Decisions and Disruptions board game where participants respond to cyber threats, assess vulnerabilities, and choose cybersecurity investments within a limited budget.

Under the USAID Cybersecurity for Critical Infrastructure (CCI) Activity in Ukraine, DAI helped design exercises for Ukrainian government agencies, law enforcement, transportation, and civil service sectors. These exercises, developed with guidance from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), allowed participants to practice responding to large-scale cyberattacks, rehearse mechanisms and processes for incident response, and coordinate and exchange information. At RSAC, the U.S. Agency for International Development and the Computer Emergency Response Team of Ukraine (CERT-UA) organized a panel sharing firsthand experiences from Ukraine on preparedness, response, and recovery from sophisticated attacks by Russian state actors.

3. Support Target-Rich, Cyber-Poor Organizations

Investing in cyber defense and capacity building through training, education, and software is often time-consuming and expensive. Not all organizations, especially local government agencies, schools, and nonprofit organizations, have adequate funding or resources for such investments, but they are still frequent targets of cyberattacks. During RSAC, speakers from CISA, CyberPeace Institute, and the University of California, Berkeley highlighted several creative cybersecurity solutions:

• To address challenges with funding, cyber industry leaders can offer cybersecurity products or services such as firewalls, virtual private networks, and anti-virus software free-of-cost or discounted for organizations in need. Organizations such as TechSoup are already doing this. The CyberPeace Institute runs a volunteer and donation program for experts to provide free consulting and support for nongovernment organizations and small- and medium-sized enterprises.
• To ease the burden on IT staff and make technologies as secure as possible, CISA recommends moving the cybersecurity responsibility away from consumers to technology developers and manufacturers. Not all organizations have dedicated chief information security officers or IT directors to support technical staff. Therefore, CISA’s “Secure by Design” principles recommend building cybersecurity into the initial design of technology products. This approach prioritizes cybersecurity for consumers as a core business requirement and aims to mitigate flaws and vulnerabilities in the technology before it goes to market. Examples include building in multi-factor authentication and single sign-on from the onset of product development.

Build Cyber Resilience through the Workforce

At its core, cybersecurity workforce development is a tool for cyber defense. Addressing the global cybersecurity skills gap and advancing cyber workforce development requires human-centered approaches. Private sector industry leaders should collaborate with governments, nongovernmental groups, small firms, and academia to design innovative and responsive curricula, interactive trainings, and professional development and upskilling programs. Echoed by the Global Conference on Cyber Capacity Building through the Accra Call, country governments, private enterprises, and international organizations have pledged commitments to cultivate a cyber-resilient workforce.

As digital technologies become more integrated into society and economies, the cyberattack surface will increase. Recognizing that cyber threat actors have vast and complex financial and political incentives, countries around the world must bolster their cyber preparedness by investing in their professional workforce.