A skills gap in cybersecurity within Ireland has long been a source of warning from industry professionals. As incidents such as this year’s HSE attack emphasise the need to close such a gap, moves are being made to address these shortfalls.
The Cyber Security Skills Report 2021 published by Cyber Ireland found Ireland to have both a serious skills shortage and a skills gap in the cybersecurity sector. Cybersecurity teams were found to be understaffed in a male-dominated industry afflicted by a “serious” skills gap, albeit one that is now investing heavily in upskilling and training.
42 per cent of respondents to the report’s survey stated that they were understaffed, defined as “the cyber security function in that business does not have sufficient staff to carry out those day-to-day tasks required for the organisation to be cyber protected”, with five per cent said to be “significantly understaffed”. 43 per cent of organisations were found to be staffed to appropriate level.
One possible explanation for such understaffing is an inability to recruit suitable candidates within these organisations. 49 per cent of the survey’s respondents stated that they had unfilled positions within their organisations at the time of asking. Security engineer was found to be the most difficult role to fill, with 28 per cent of organisations naming it as their hardest role to fill. Security analyst, architect and consultant were all found to be next with 24 per cent each.
Respondents noted that the primary reasons they found these roles so difficult to fill were “candidates lacking the desired attitude, skills, qualifications or experience” (49 per cent of respondents), “too much competition from other employers” (42 per cent), general lack of candidates (39 per cent), “candidates lack the required attitude, motivation or personality” (37 per cent) and a lack of the desired technical skills (34 per cent). 77 per cent of the unfilled positions were found to be technical cybersecurity positions.
77 per cent of unfilled positions being of the technical variety and 34 per cent of respondents stating that a lack of desired technical skills as its main difficulty with regard to recruiting point to what has long been known in the Irish cybersecurity sector: that a significant skills gap exists and must be addressed. This became a common talking point in the late 2010s as cybersecurity job openings skyrocketed in Ireland. From 2017 to 2019, cybersecurity vacancies increased by 40 per cent, only for it to be found that there was little domestic ability to fill the vacancies.
In response, initiatives such as the Cybersecurity Skills Initiative were launched. Founded in 2018, the CSI’s plan was to train 5,000 people in cybersecurity skills and help 4,000 companies to tackle the cybersecurity skills shortage over a course of three years. In 2020, 14 new cybersecurity courses in Higher Education Institutes (HEIs) were funded by government under the Human Capital Initiative (HCI) Pillar 1 and Springboard to address industry skill needs, and under the HCI Pillar 3, the CYBERSKILLS project received €8.1 million in funding. The project is led by Munster Technological University and will be coordinated nationally along with the university of Limerick, Technological University Dublin, University College Dublin and Cyber Ireland.
Ireland’s skills gap and shortages are happening within a context of international gaps and shortages, with a global shortfall between 1.8 and 3.5 million security professionals estimated within five years by EY and Cybersecurity Ventures. Multiple international reports paint a global picture similar to that of Ireland’s cybersecurity sector, with organisations experiencing skills shortages, gaps and struggling to access talent.
EY’s Global Information Security Survey 2018-19 reported that 30 per cent of organisations struggled with cybersecurity skills shortages, which they deemed to be more pressing than budgetary constraints, cited by 25 per cent in comparison. ISC2’s 2018 Cybersecurity Workforce Study saw 63 per cent of organisations reporting skills shortages. One-third of these categorising their shortages as significant. Stott and May’s 2020 report Cyber Security in Focus found that 76 per cent of respondents perceived a shortage of cybersecurity skills within their own companies, citing no improvement on 2019 levels. A 10-year study carried out by the Enterprise Strategy Group and the Information Systems Security Association published in 2020 revealed that cybersecurity skills continued to deteriorate for the fourth year in a row, with over 70 per cent of organisations affected.
The technology sector is also said to be male dominated, both in Ireland and internationally, with reports estimating the share of women within the cybersecurity industry worldwide to now be 24 per cent, an increase on previous years, although it is believed that the percentage of women in actual cybersecurity roles within those industry positions is lower. In Ireland, 27 per cent of organisations have all male cybersecurity teams and 42 per cent have “significantly” more men than women. 27 per cent of organisations state that they have difficulties retaining women as part of their cybersecurity teams, with 30 per cent of turnover due to “family situation changes (e.g., children, marriage)”.
There are plans afoot within the industry to address these skills shortages and gaps, with 72 per cent having conducted an analysis of their cyber skills needs and 52 per cent now having a formal cybersecurity training programme, although 32 per cent were said to be dissatisfied or unsure of the effectiveness of their training programme. 93 per cent of organisations stated that they support their employees in pursuing further cybersecurity education.