Regardless of their general cybersecurity skills, employees must be able to comply with the company’s own cybersecurity guidelines. In an endlessly digitalizing world, cybersecurity is a civic skill and this concept should, for example, be embedded in almost all business education. General cybersecurity knowledge is useful, but in addition it is necessary to know, for example, how to handle files of different levels of importance, how to act against malware and to whom to report it.
Citizens’ cyber skills are important not only for them as individuals, but also as an important element in developing national crisis resilience. Personal cyber skills are needed for the proper protection of one’s own IT terminals and for the use of digital services, so that they do not pose a threat to privacy or broader cybersecurity. The cyber domain is one of the key tools for hybrid operations. For example, fake news, hacking and malware attacks can destabilize society if citizens do not recognize fraudulent information and do not know how to protect themselves from large-scale cyber-attacks or other crises.
Citizens’ basic cybersecurity skills are directly dependent on the level of development of digitalization and general IT skills. Countries which are only taking their first steps towards digitalization have the weakest skills. For example, in several countries in Africa thousands of people a day receive an Internet-connected computer or smartphone for the first time. Inexperienced people mainly have access to global commercial services and, of course, social media, which will be used without awareness of appropriate security. In highly digitalized countries, digital public administration services are available with strong identification and basic cybersecurity practices are followed in working life, which means that the starting point for cybersecurity is, of course, at a higher level.
Cybersecurity campaigns — a good way to maintain and develop basic cybersecurity skills
In recent years, Cyber Security Centers have done an excellent job of spreading cyber awareness among citizens. The cause is also supported by activities all around Europe, for example in the form of the annual Cyber Security Month held in October. Repetitive cyber communication may seem numbing, but it needs to be repeated and further developed so that various cyber crises such as hacking and malware attacks do not act as the sole triggers for citizens.
The shortage of information and cybersecurity professionals has grown rapidly. ISC2, an American provider of certification services within the industry, estimates that the global need for cybersecurity experts has grown from a million to about four million. According to the same study, there are about three million cyber experts at work, so the need is for more than double the current workforce. The training of cybersecurity professionals has long been based on commercially available courses and various additional courses. Commercial courses, sometimes very different in terms of content, have been seen as the basis to measure the competence of individuals in the absence of a more general assessment framework.
Education within information security and cybersecurity
The educational background of information security professionals varies immensely. Having a degree in computer science or technical studies is the most common, but people with other educational backgrounds also work in cybersecurity expert positions. Cybersecurity is also one of the few areas in which it is still possible to succeed without a formal education. An active hobby, internship in a new profession or further studies provide a fairly diverse background of expertise among cybersecurity professionals.
In recent years, study programs focused on information security and cybersecurity have been launched in various countries. Finland has been a pioneer in this area and master’s degrees and other programs in cybersecurity are available at universities and other educational institutions. Elsewhere in Europe, such as the United Kingdom and Spain, it is now possible to study for a bachelor’s degree in cybersecurity. Undergraduate education specializing in cybersecurity therefore needs to be expanded rapidly in order to address labor shortages and collectively improve the skill level of cyber professionals.
Cybersecurity for employees
In addition to citizens and cyber professionals, the third major group is employees of companies and organizations. Corporate cyber policies are based on company-specific risk analysis and the controls and policies are defined on the basis of this analysis.
Cybersecurity training in critical infrastructure companies and organizations, for example, is generally decent. Training has traditionally been organized as a trainer-led class or in digital form as self-study. Training is compulsory, but participation is often not adequately monitored. In addition, training is often provided months after the start of employment, when it should be provided as part of the orientation in the first few days. Measuring cyber competence is less common. Often the employees are assessed by an exam at the end of a digital course, in which a sufficient number of correct answers must be given or the exam will have to be retaken. Measuring the competence or performance level in the field of cybersecurity is generally rare, hence appropriate metrics should be developed in this area.
Decision makers and cybersecurity skills
A fourth important group in cyber education is general managers in business and politics. Various crisis situations in the form of hacking, malware or denial-of-service attacks have brought the importance of cybersecurity to the attention of decision makers. Decision makers must, of course, master the basic skills of cybersecurity like any other employee, but special understanding is needed in integrating cybersecurity into the company’s strategy and developing preparedness accordingly. Decision-makers are, of course, assisted by leaders specializing in cybersecurity, but a strategic understanding of cybersecurity is also needed in the same way as in the fields of economics or production management. There is widespread need for independent, strategy-driven cyber education in both the public administration and the private sector.
- The cyber skill level of citizens is directly proportional to the development of digitization. In highly digitalized societies, citizens’ cyber skills and awareness are better than in less digitally developed countries. Regular cybersecurity campaigns support positive development and effort should be made to further develop these campaigns in the future as well.
- There is a shortage of cybersecurity professionals all over the world. Education is fragmented and the overall picture is difficult to comprehend. Established certificates are important, but the quality and price of the courses vary drastically. Undergraduate education with an emphasis on cybersecurity and the integration of cyber studies into other university studies must be increased in order to eliminate the skill gap.
- Employees’ cyber skills play a key role in implementing a company’s cybersecurity. In-house cybersecurity training and briefing need to be improved so that employees are aware of their responsibilities and know how to act correctly in different situations.
- The importance of cybersecurity within a company has come to the attention of decision makers. This has become especially apparent in the context of data breaches. There is a need for independent strategy-driven cyber training so that decision makers understand the importance of cybersecurity for a company’s overall strategy and preparedness.
Featured in Sectra Newsletter, January 2021
Cybersecurity Skills Development in the EU, 12/2019. ENISA.
Cybersecurity Workforce Study 2020, ISC2.
Wang & Wang. Knowledge Management for Cybersecurity in Business Organizations: A Case Study, 4/2019. Journal of Computer Information Systems.
Kabanda et al. Exploring SME cybersecurity practices in developing countries, 2018. Journal of Organizational Computing and Electronic Commerce.