Addressing the EU Cybersecurity Skills Shortage and Gap Through Higher Education

The cybersecurity skills shortage and gap are well-documented issues that are currently having an impact on national labour markets worldwide. While various initiatives related to cybersecurity skills have been proposed and multiple actions have been launched to address the problems, the shortage and gap persist. ENISA has a long tradition of studies and programmes that have attempted to mitigate similar cybersecurity issues. In an effort to increase the EU’s future cybersecurity workforce and ensure the availability of appropriately trained professionals, ENISA has investigated the problem further.

In this report, ENISA contributes to both practice and research on the cybersecurity skills shortage and gap in two distinctive areas. Firstly, it provides an overview of the current supply of cybersecurity skills in Europe through an analysis of data gathered and generated by the recently established Cybersecurity Higher Education Database (CyberHEAD). Secondly, it describes the policy approaches adopted by EU Member States in their quest to increase and sustain their national cybersecurity workforces. These approaches have been classified and analysed based on objectives defined by ENISA’s National Capabilities Assessment Framework (NCAF), namely cybersecurity awareness, training, challenges and exercises. Here we note that this report focuses on the role of the higher education sector in addressing the EU cybersecurity skills shortage and gap, and therefore vocational or lower forms of education in cybersecurity related topics are not considered as core parts of this study.

Based on the data collected and analysed under the two areas mentioned above, this report makes five recommendations to address the EU cybersecurity skills shortage and gap:

- Increase enrolments and eventually graduates in cybersecurity programmes through:

-- the diversification of the Higher Educational Institutes’ (HEIs) curricula in terms of content, levels and language.

-- the provision of scholarships, especially for underrepresented groups, and more active efforts to promote cybersecurity as a diverse field.

- Support a unified approach across government, industry and HEIs through:

-- the adoption of a common framework regarding cybersecurity roles, competencies, skills and knowledge, for example, the one provided by the European Cybersecurity Skills Framework.

-- the promotion of challenges and competitions in cybersecurity skills.

- Increase collaborations between Member States in:

-- launching European cybersecurity initiatives with shared objectives.

-- sharing of the outputs of programmes (including results and lessons learnt).

- Promote analysis of the cybersecurity market needs and trends through:

-- the identification of metrics showing the extent of the problem and possible measures to cope with it.

- Support the promotion of CyberHEAD (and its further evolution) in order to:

-- facilitate an ongoing understanding of the status of cybersecurity higher education programmes in the EU.

-- monitor trends regarding the number of cybersecurity graduates who could potentially fill current vacancies in the sector.

-- support the analysis of demographics (including the diversity) of new students and graduates in cybersecurity.

-- assist in monitoring the effectiveness of cybersecurity initiatives targeting the supply side (e.g. changes in enrolments in HEI programmes after the release of new cybersecurity initiatives).

-- demonstrate the value of CyberHEAD for HEIs as well as incentivise HEIs to submit their programmes to CyberHEAD.