Canada will need creative and innovative ways to build up talent for cybersecurity if we want to take advantage of opportunities and protect ourselves from the threats of new technologies, according to a recent report by Deloitte Canada on the state of cybersecurity talent.

The report, titled The changing faces of cybersecurity: Closing the cyber risk gap, notes that the demand for cybersecurity talent is increasing annually by 7% to reach 28,000 by 2021. By extrapolation, about 8,000 spots will need to be filled in between 2016 and 2021.

The study was undertaken with the Toronto Financial Services Alliance (TFSA), a non-profit group, with private and public sector partnerships with the three levels of government and academia. It was based on interviews with more than 40 Canadian cybersecurity leaders and an in-depth survey of more than 110 Canadian executives from financial services and other key sectors of the economy.

The report notes that filling in the demand for cybersecurity talent will be a challenge if organizations stick to traditional approaches to building talent and recruitment. The good news is that stakeholders are already taking the necessary steps to address this demand.

TFSA, for example, has an ongoing ASPIRE pilot program launched in 2017 to create 10,000 new work-integrated learning opportunities for post-secondary students by the end of 2020. The program creates internship and co-op opportunities for cybersecurity and financial services, Jennifer Reynolds, president and CEO  of TFSA, tells RE$EARCH MONEY.

The federal government has recently released details of the National Cyber Security Strategy which was first announced in Budget 2018. Aside from creating the Canadian Centre for Cyber Security that will coordinate federal cyber expertise, and the National Cybercrime Coordination Unit that is the cybercrime investigation hub, the strategy encourages innovation in the cyber ecosystem and supports cybersecurity talent build-up. The strategy cautions that the talent shortage makes it difficult for organizations to protect themselves from threats.

The national strategy supports initiatives around emerging technologies, such as quantum computing and blockchain technologies. It also encourages students who register for science, technology, engineering and math (STEM) programs and other disciplines, such as psychology, sociology and management, to specialize in cybersecurity jobs.

“Policies that encourage investments in cybersecurity talent are definitely important," says Reynolds. "You need to encourage people to the right direction where there are jobs, and these are not just any jobs. These are jobs that are critical to the economy.” Reynolds emphasizes that cybersecurity is important to any industry, not just in the financial services.

The Deloitte report notes that talent shortage is one of the top challenges in managing cybersecurity within organizations. Other top challenges are: evolving threat landscape; pace of change; need for security/privacy compliance; and disparate security tools.

Canada is the fourth largest cybersecurity hub in the world based on venture capital deals in the cybersecurity sector, according to a 2016 report commissioned by the Ontario Centres of Excellence (OCE) and the TFSA, and produced by Deloitte. The report notes that Ontario leads in cybersecurity and concludes that it would benefit not just the financial services sector if the province can strengthen its cybersecurity innovation ecosystem.

Creative approach

The 2018 Deloitte report notes that it is “imperative” for governments to establish policies and programs to help address the cybersecurity talent shortage, noting ongoing efforts to address this gap, including the $507.7-million National Cyber Security Strategy, New Brunswick’s CyberNB agency that is government-mandated to focus on growing the province’s cybersecurity ecosystem, and the Ontario Liberal’s $64-million, three-year initiative in the 2018 provincial budget to enhance cybersecurity and attract talent.

“While these are positive steps, they will take time to affect the talent ecosystem, and require significant public/private collaboration to be effective,” the Deloitte report states. The report calls for action now, by growing talent inorganically, such as through migration, and by preparing for advancements in technology, by “recogniz(ing) and act(ing) on the interdependencies between technology advancements and cyber risk.”

The Deloitte report suggests a Cyber Talent Framework, a “human approach” to filling in the cybersecurity talent gap by introducing seven “personas,” namely: Strategist, Advisor, Defender, Firefighter, Hacker, Scientist, and Sleuth, which are more fluid in terms of roles and skills requirements. Each persona is a personification of the capabilities that apply to specific cybersecurity functions.

“Success will require fresh thinking and a fresh perspective—specifically, a new cyber talent framework that can inspire new and innovative ways to tackle the problem by viewing it through a human-centric lens,” the report states.

What makes this framework more successful is that instead of focusing on skills, the “personas” focus on “sustainable capabilities that are portable across different occupations and roles.”

For example, a “scientist” persona needs capabilities in critical thinking, quantitative analysis and threat mindset. This persona, which also needs knowledge and skills in intelligence analysis, data science and cryptography, is best suited for common roles such as threat intelligence analyst or cyberanalytics manager.

A “hacker” persona, on the other hand, may have the following capabilities: threat mindset, critical thinking and creativity ethical impact. For knowledge and skills, the requirements are: penetration testing, computer forensics, Infrastructure security and threat modelling. This persona is perfect for roles as cyberoperator or threat hunter.

“By personifying key capability groupings, the model strives to put a human face at the centre of the cyber talent discussion,” the report states.

The 2018 Deloitte report also notes that there are opportunities for women in addressing the talent shortage. Survey results show that females comprise only 29% of Canada’s cybersecurity pool though better than the global average of 11%.

“We need to think about how to get women into these types of careers,” says Reynolds. “We need to think about our educational system … what role does the private sector play …? We have a massive pool of women in our economy who are underutilized. They tend to be not in higher paying, higher productivity jobs that STEM jobs are.” She adds that Canada needs to think about how encouraging women to go into STEM could create the 28,000 cybersecurity professional jobs needed by 2021.

The report concludes that although there are many emerging technologies, such as AI and machine learning, that could help augment cybersecurity efforts, human experts still cannot be eliminated.

“For the foreseeable future, Canadian businesses, educational institutions, and governments that look at the cyber talent shortage through a human-centric lens, and take bold and deliberate steps to overcome the challenges will push ahead of their peers,” states the report.

R$