Cybersecurity Practical Skills Gaps in Europe: Market Demand and Analyses
The recent study of the CyberSecPro European innovation project confirms the cybersecurity practical skills gaps in Europe [1]. CyberSecPro aims to bridge the gap between degrees, working-life and marketable cybersecurity skill sets necessary in the digitalization efforts and become the best practice for all cybersecurity training programs. University of Novi Sad is one of the project partners within consortia of the seventeen (17) higher education institutions and thirteen (13) security companies who propose the agile CyberSecPro professional cybersecurity practical and hands-on training program that will complement, support and advance the existing academic programs by linking innovation, research, industry, academia and SME support [2]. The project is funded by the EU Digital Europe Program.
The cybersecurity industry faces increasing challenges with the growing number and complexity of cyber threats. To address these challenges, a skilled and competent cybersecurity workforce is required. Understanding the industry’s specific needs can help inform education and training programmes, recruitment and retention strategies, and workforce development initiatives. In order to assess and determine the cybersecurity knowledge areas and skills demanded in the labour market and the key sectors of energy, maritime and health, a survey was conducted as one activity of CyberSecPro project. The survey was distributed to EU partners in the CyberSecPro consortium to further distribute to their respective networks. The survey aimed to identify the hands-on skills and competencies needed in the cybersecurity industry, focusing on the health, energy, and maritime sectors.
A total of 243 participated in the survey. The results show that 23 % of respondents worked at large organisations, 2.9 % were professional practitioners, 8.6 % worked for government organisations, 35.4 % worked at a university or research institute, and 27.6 % were in small and medium-sized enterprises (SMEs). Sector-wise, participants were distributed as follows: 54.7 % Digital-ICT, 8.2 % maritime, 6.2 % healthcare, 4.5 % energy sector, and 26.3 % miscellaneous.
Figure 1. Respondent’s Types of the Organisation
The first part of the survey asked respondents to select the professional profiles that are most needed in their organization/company from a list of options. The most in-demand job role was Chief Information Security Officer (45 %), followed by Cybersecurity Educator (39 %), Cybersecurity Architect (38 %), Cybersecurity Researcher (34 %), Cyber Legal, Policy and Compliance Officer (34 %), and Cyber Incident Responder (33 %). Cybersecurity Auditor (20 %) and Digital Forensics Investigator (15 %) were also often selected by the respondents.
Table 1: Cybersecurity Job Roles Needed in the Industry
| Job role / Work sector | Health (14) | Energy (10) | Maritime (20) | ICT (130) | Other (61) | Total (235) |
| Chief Information Security Officer | 8 | 8 | 11 | 55 | 24 | 106 (45 %) |
| Cybersecurity Educator | 6 | 2 | 6 | 59 | 19 | 92 (39 %) |
| Cybersecurity Architect | 2 | 6 | 6 | 57 | 18 | 89 (38 %) |
| Cybersecurity Researcher | 3 | 2 | 4 | 54 | 18 | 81 (34 %) |
| Cyber Legal, Policy and Compliance Officer | 7 | 3 | 8 | 40 | 21 | 79 (34 %) |
| Cyber Incident Responder | 4 | 5 | 10 | 39 | 20 | 78 (33 %) |
| Cybersecurity Implementor | 5 | 5 | 4 | 47 | 12 | 73 (31 %) |
| Cybersecurity Risk Manager | 6 | 6 | 5 | 33 | 24 | 74 (31 %) |
| Cyber Threat Intelligence Specialist | 3 | 4 | 3 | 42 | 15 | 67 (29 %) |
| Penetration Tester (Ethical Hacker) | 2 | 3 | 6 | 43 | 13 | 67 (29 %) |
| Cybersecurity Auditor | 2 | 3 | 6 | 27 | 9 | 47 (20 %) |
| Digital Forensics Investigator | 1 | 3 | 4 | 18 | 10 | 36 (15 %) |
Next, the survey asked respondents to indicate which cybersecurity knowledge areas are currently most important in their domain. Table 2 presents the most popular knowledge areas as indicated by the respondents.
Table 2: Cybersecurity Knowledge Areas in Demand
| Knowledge areas (KA) in demand | Health (69) | Energy(55) | Maritime (91) | ICT (599) | Other fields(221) | Total (1035) |
| Cybersecurity Tools | 5 | 6 | 8 | 55 | 29 | 103 (10 %) |
| Cybersecurity Management | 6 | 8 | 0 | 49 | 25 | 88 (9 %) |
| Cybersecurity Technologies | 3 | 5 | 0 | 52 | 24 | 84 (8 %) |
| Cybersecurity Principles | 7 | 5 | 2 | 48 | 19 | 81 (8 %) |
| Emerging Digital Technologies | 3 | 3 | 5 | 40 | 14 | 65 (6 %) |
| Ethical Hacking | 5 | 6 | 0 | 30 | 13 | 54 (5 %) |
| Offensive Security | 3 | 5 | 2 | 25 | 12 | 47 (5 %) |
| Cybersecurity Education and Training | 4 | 1 | 0 | 17 | 6 | 28 (3 %) |
| Cybersecurity Regulations | 1 | 0 | 3 | 15 | 8 | 27 (3 %) |
| Cyber threat awareness | 0 | 1 | 6 | 12 | 5 | 24 (2 %) |
| Incident response | 2 | 1 | 4 | 12 | 2 | 21 (2 %) |
| Forensics | 1 | 1 | 0 | 9 | 7 | 18 (2 %) |
| Threat intelligence | 0 | 0 | 0 | 14 | 4 | 18 (2 %) |
| Communications and Network Security | 3 | 1 | 0 | 13 | 0 | 17 (2 %) |
| Cybersecurity for ML and AI | 1 | 1 | 0 | 13 | 1 | 16 (2 %) |
| Penetration Testing | 1 | 0 | 1 | 11 | 3 | 16 (2 %) |
| Vulnerability Assessment | 2 | 1 | 3 | 10 | 0 | 16 (2 %) |
| Cybersecurity Compliance | 0 | 0 | 2 | 12 | 1 | 15 (1 %) |
| Risk Assessment | 0 | 2 | 3 | 5 | 5 | 15 (1 %) |
| Risk Management | 3 | 1 | 2 | 7 | 2 | 15 (1 %) |
| Defensive practitioners | 0 | 1 | 0 | 9 | 4 | 14 (1 %) |
| Cybersecurity Management Systems | 0 | 0 | 12 | 0 | 1 | 13 (1 %) |
| Cloud Security | 0 | 1 | 0 | 8 | 2 | 11 (1 %) |
| Cybersecurity Architecture | 0 | 0 | 1 | 7 | 2 | 10 (1 %) |
| Cybersecurity Engineering | 1 | 1 | 6 | 2 | 0 | 10 (1 %) |
| Cybersecurity Processes | 0 | 0 | 8 | 0 | 2 | 10 (1 %) |
| Data protection and security | 2 | 1 | 0 | 5 | 1 | 9 (1 %) |
Finally, the survey asked respondents about the different hands-on skills and skillsets needed for work in cybersecurity. Table 3 presents the most sought-after practical skills identified by the survey responses. Overall, the survey results demonstrated a considerable dispersion of responses across the various categories. However, some skills were reported more than others: The top-reported needed skills were Network security control (4 %), Penetration testing (4 %), and Incident response (4 %). Other highly reported needs included Cloud security (3 %), Risk management (3 %), Education and training skills (3 %), and Risk assessment (3 %).
Table 3: Cybersecurity Hands-on Skills in Demand
| Hands-on skills in demand | Health (54) | Energy (36) | Maritime (53) | ICT (420) | Other (151) | Total (714) |
| Network security control | 2 | 0 | 1 | 22 | 7 | 32 (4 %) |
| Penetration testing | 1 | 0 | 1 | 26 | 4 | 32 (4 %) |
| Incident response | 0 | 1 | 3 | 18 | 8 | 30 (4 %) |
| Cloud security | 1 | 4 | 1 | 13 | 4 | 23 (3 %) |
| Risk management | 5 | 2 | 1 | 10 | 5 | 23 (3 %) |
| Education and training skills | 2 | 1 | 1 | 8 | 9 | 21 (3 %) |
| Risk assessment | 1 | 2 | 1 | 12 | 5 | 21 (3 %) |
| Forensics | 0 | 1 | 1 | 16 | 2 | 20 (3 %) |
| Network and system administration | 0 | 2 | 2 | 12 | 5 | 21 (3 %) |
| Technical skills | 0 | 0 | 0 | 10 | 8 | 18 (3 %) |
| Legal Training | 1 | 0 | 0 | 12 | 4 | 17 (2 %) |
| Threat detection | 2 | 0 | 0 | 12 | 3 | 17 (2 %) |
| Analysis and Critical thinking | 1 | 0 | 0 | 10 | 5 | 16 (2 %) |
| Artificial intelligence (AI) | 1 | 1 | 1 | 9 | 4 | 16 (2 %) |
| Cybersecurity architecture | 0 | 0 | 2 | 11 | 3 | 14 (2 %) |
| Software security | 1 | 1 | 1 | 13 | 1 | 17 (2 %) |
| Programming skills | 1 | 0 | 1 | 9 | 4 | 14 (2 %) |
| Compliance | 0 | 2 | 0 | 12 | 0 | 16 (2 %) |
| Vulnerability assessment | 0 | 0 | 0 | 10 | 4 | 14 (2 %) |
| Communication – teamwork (soft-skills) | 2 | 2 | 2 | 5 | 2 | 13 (2 %) |
| Threat understanding / knowledge | 0 | 0 | 3 | 6 | 3 | 12 (2 %) |
| Operating Systems | 0 | 1 | 0 | 8 | 2 | 11 (2 %) |
| Software Design Skills | 0 | 0 | 0 | 8 | 3 | 11 (2 %) |
| Auditing | 0 | 0 | 0 | 8 | 2 | 10 (1 %) |
| DevSecOps / DevOps | 1 | 2 | 0 | 6 | 1 | 10 (1 %) |
| Management skills | 0 | 0 | 2 | 5 | 3 | 10 (1 %) |
| Threat intelligence | 0 | 0 | 0 | 9 | 1 | 10 (1 %) |
From the point of view of the market-elicited knowledge areas and skills, the outcome of the survey implies that most academic programmes are not offering the sufficient workforce supply and knowledge areas demanded by the market. For example, in 2022, the shortage of cybersecurity professionals in the EU ranged between 260,000 and 500,000, while the EU’s cybersecurity workforce needs were estimated at 883,000 professionals. In addition, women only amounted to 20% of cybersecurity graduates and to 19% of information and communications technology specialists [4]. We identified knowledge areas and skills that require more focus by EU academic programmes to help with new cybersecurity workforce and existing workforce’s skilling, upskilling and reskilling. The results also suggest a significant gap in essential cybersecurity skills.
Based on the results, the following recommendations are proffered to address the cybersecurity skills gap:
- Boost the transformation of higher education programmes to address market demand and increase investment in cybersecurity education and training.
- Encourage effective dissemination and implementation of the European Cybersecurity Skills Framework (ECSF) [5] and consolidate the cybersecurity workforce training programme.
- Encourage collaboration between educators and industry experts for cybersecurity skilling, upskilling and reskilling of educators/trainers and professionals.
- Promote collaboration between academia, industry, government, and other stakeholder in developing cybersecurity talent and workforce.
We hope that the results of this survey will provide valuable insights for industry professionals, policymakers, and educators regarding the skills and competencies needed in the cybersecurity workforce. In addition, they will help to inform strategies for developing a more skilled and competent workforce.
Acknowledgements
Danijela Boberic Krsticev, University of Novi Sad, authored this blog contribution. The research conducted in this paper was triggered by the project ‘Collaborative, Multi-modal and Agile Professional Cybersecurity Training Program for a Skilled Workforce In the European Digital Single Market and Industries’ (CyberSecPro) project. This project has received funding from the European Union’s Digital Europe Programme (DEP) programme under grant agreement No 101083594. Special thanks to the partners of these projects and their contributions. The sole responsibility for the content of this paper lies with the authors. The authors are grateful for the financial support of these projects that have received funding. The views expressed in this paper represent only the views of the authors and not of the European Commission or the partners in the above-mentioned projects.
Sources of the information / References:
- Rathod, P., Ofem, P., Polemi, N., Hynninen, T., Lugo, R. G., Alcaraz, C., Kioskli, K., & Rannenberg, K. (2023). Cybersecurity practical skills gaps in Europe: Market demand and analysis. CyberSecPro-Digital Europe Programme. Retrieved from https://www.cybersecpro-project.eu/
- CyberSecPro-Digital Europe Programme Project. (2023). Retrieved from https://www.cybersecpro-project.eu/
- The Digital Europe Programme. (2022). Retrieved from https://digital-strategy.ec.europa.eu/en/activities/digital-programme
- Cybersecurity Skills Academy: a coordinated approach to boost the EU cyber workforce. (2023). Retrieved fromhttps://digital-skills-jobs.europa.eu/en/cybersecurity-skills-academy
- European Cybersecurity Skills Framework (ECSF) – ENISA. (2023). Retrieved fromhttps://www.enisa.europa.eu/topics/education/european-cybersecurity-skills-framework
You must be logged in to post a comment.