Elena Mena Agresti
Graduated in Aerospace Engineering from the University La Sapienza of Rome, she works for the GCSEC Foundation and the structure for the Protection of Information of the Italian Post Office. Expert in compliance, international standards, governance of information security, risk management, security audit, training and awareness. She has participated in international technical working parties of ISO and OECD for the review and development of standards and guidelines on information security. She has been the scientific director of three master’s courses in cyber security established in 2015-2016 with the University of Calabria and Poste Italiane and currently collaborates with many Italian universities on cyber security courses. She has worked for a number of consulting firms, including Booz & Company in the Risk, Resilience and Assurance practice. A member of Europrivacy and the Oracle Community for Security, she is a Lead Auditor for ISO/IEC 27001:2013 and ISO 22301 and has obtained STAR Auditor and ISIPM Project Management certifications.
Marco is a research fellow of the Fondazione Global Cyber Security Center of Poste Italiane. He graduated in Law from La Sapienza in Rome, specialising in Criminal Procedure, with a thesis on “Interceptions of Blackberry Instant Messaging and Probative Use in Criminal Proceedings”. After his studies, he did his forensic practice and at the same time completed a Master’s degree in “Homeland Security” at the Bio Medical Campus in Rome, where he deepened his knowledge of Security and Privacy and Social Communication. He continues to do research for the GCSEC Foundation. Among the various relevant initiatives, he contributed to the 2019 international study on the Cyber Security Skill Shortage, “Mind the Gap”, and to the Italian study “The phenomenon of the Italian Cyber Security Skill Shortage in the international context”. He contributes to the management and publication of various articles on the official website of the magazine Cybertrends.it.
In a scenario where cyber threats become more and more sophisticated and change over time, the needs of security teams are constantly evolving, requiring increasingly specialised personnel able to cope with a constantly changing environment.
Unfortunately, this already demanding task of companies to protect themselves against cyber threats is aggravated by the skill shortage, i.e. the lack of expertise in the field of cyber security. The phenomenon of Skill Shortage is becoming a vulnerability of organizations. In 2017 the global shortage was estimated at 1.8 by 2022, but already at the end of 2018, according to an estimate by ISC2, it was 2.93 million jobs [1]. The shortfall is also estimated at 3.5 million by 2021. In order to analyse this phenomenon and provide indications for its mitigation, the Global Cyber Security Center foundation has funded and supported a research project conducted by researchers from the University of Oxford [2]. The objective of the study was to analyse the characteristics and causes of the shortage and the actions taken by the 12 countries with the highest ICT and cyber security development index [3] to mitigate it. The study reveals a very complex phenomenon whose causes are attributable to various factors. Difficulties in balancing supply and demand for jobs in the Cyber Security industry have been widely encountered in countries such as Australia, Japan, the UK and the US. In the American market alone, from September 2017 to August 2018, out of 715,715 open positions, 313,735 (almost 50%) remained vacant. The shortage of 80,000 units in 2013 had become 132,060 in 2016 and is estimated to exceed 193,010 units in 2020. The Australian Cyber Security Sector Competitiveness Plan clearly states that in the field of Cyber Security the nation will need an additional number of experts between 7,500 and 11,000 resources by 2026 (Australian Cyber Security Growth Network, 2017). The missing figures are mainly the technical-operational ones, as is evident, for example, from the Australian and American markets, where the most sought after profiles are those relating to the “Operate & Maintain”, “Securely Provision” and “Protect & Defend” categories of the NICE framework of NIST.
The American data was obtained through CyberSeek, a tool that provides an overview of supply and demand in Cybersecurity. The professional career is also mapped according to a career path from entry level to advanced level. For each role, the average salary, associated job titles, training, competences, skills and certifications required are indicated. It emerges, for example, that Cybersecurity Engineer, Analyst and Manager/Administrator are the most requested profiles, while Cybersecurity Architect, Cybersecurity Manager and Cybersecurity Engineer are the best remunerated ones. The study also highlighted a lack of homogeneity in the definition and implementation of the national policies aimed at mitigating the phenomenon of Skill Shortage defined by the 12 most influential countries in the ICT and cyber security sector.
Figure 1: National policies to mitigate the CCSS
Policies have been analysed along four dimensions: Primary and Secondary School, Apprenticeship and Vocational Institutes, University and Research, and World of Work. Countries have invested mainly in the world of university and research and in the workforce, while more general initiatives have involved primary and secondary schools, as well as vocational training and apprenticeship programmes. The state of implementation and the level of maturity of the policies vary from country to country, but it can be said that the governments that have gained over time more experience and awareness in dealing with the Skill Shortage and reached a higher level of maturity are the United Kingdom, Japan and Australia.
Figure 2: Existing interventions at the international level
The United Kingdom has made significant investments. Important government initiatives for students such as Cyber First, Cyber Challenge, Cyber Security Discovery and the Cyber Security Skills Immediate Impact Fund have been established. Cyber First provides students with various training courses in cyber security. The programme provides scholarships of €4,500 as well as paid apprenticeships and extra-curricular training activities for the summer period. In Cyber First, women also play an important role. In order to increase female employment, a specific Cyber First Girls programme has been set up, which also includes a competition and in 2018 saw the participation of around 3,400 girls from 841 schools. Also on the subject of cyber competitions, an important initiative created by the British government is Cyber Discovery. The programme includes a challenge for learning cyber security for young people aged between 14 and 18, divided into 4 phases, in which students are trained by experts in the field with dedicated courses and then face real online challenges ranging from Linux to encryption and programming. The plan put in place by the United Kingdom is very varied. In order to combat the national skill shortage, a further programme has in fact been set up to train and place individuals who do not yet have a job in cybersecurity roles; it is intended for organisations and associations that present specific programmes to increase and diversify resources in the field of Cyber Security. The phenomenon is also very evident in Italy, which has indicated in its national policies (e.g. the National Plan for cybernetic protection and computer security) the objective of increasing skills in the field of cyber security. However, a single national policy to reduce the skill shortage has not yet been defined, even though some initiatives have arisen spontaneously within individual bodies and organisations.
One policy that could potentially be relevant for IT security is the National Digital School Plan, which provides for specific objectives and actions to develop the digital skills of students and teachers and to foster entrepreneurship and work in order to bridge the digital divide in terms of both skills and employment. In Italy, the problem of CSSS has been recognised in numerous official and unofficial reports. The Department of Information for Security (DIS) recognised already in 2017 that Italy has a “vast problem” in relation to education in Cyber Security, and the CINI (Consorzio Interuniversitario Nazionale per l’Informatica) emphasised in its 2018 White Paper that educational policies on Cyber Security are insufficient. The studies of Kaspersky Lab in 2016, the Observatory on Digital Competences in 2017 and the Cyber Security Barometer in 2018 confirm the Italian difficulty in recruiting professionals in cyber security. In order to understand the real needs of Italian organisations in all their aspects, an anonymous online survey was proposed to the CISOs of the main Italian organisations (more than 50% of the organisations have over 500 employees), and interviews were conducted with representatives of the public administration and the academic world. From the point of view of organisations, Italian CISOs have acknowledged the difficulty of finding resources for the Cyber Security sector. In fact, the survey shows that in 75% of cases companies have serious difficulties in hiring in the field of cyber security and that in 50% of cases they struggle to find even a single candidate for the position required. Open positions are often filled with candidates with little operational experience. The skills most in demand in Italy are cyber security management, incident response, threat analysis, risk management, cyber investigation, cyber operations and, mainly in the private sector, digital forensics.
It also emerges that, although “1 – 3 years” is the minimum professional experience required by companies, in order to fill vacancies organisations are willing to hire even recent graduates whom they can train.
However, the lack of professional experience is not the only obstacle in the current Cyber Security job market. Although lack of work experience is one of the main causes, the CISOs admitted that they “do not always offer wages and benefits at current market levels”. The Italian CISOs, in fact, count among the main causes of the phenomenon in Italy the lack of practical skills of the resources and salaries and benefits that are not adequate in relation to the international market of reference. In fact, the few candidates in Italy who have acquired the skills required by companies turn to the international market, which can ensure significantly higher wages and greater stability.
The ability of the Italian education system to produce a sufficient number of candidates with the right knowledge and skills is another critical factor. The survey shows, in fact, that the Italian academic system guarantees, especially with degrees in Engineering and Computer Science, knowledge in cyber security, but only theoretical knowledge. There is a lack of practical and operational training that would allow immediate integration into the world of work. The Italian education system has generally reacted slowly to new trends, including computer training. In addition to inadequate training, there is also a lack of university teachers. New degree courses are beginning to appear, but they are still insufficient and excessively focused on theory rather than on the more operational aspects of Cyber Security. The interviews also revealed the lack of a security culture: security is still perceived as a cost and a burden rather than as a necessity that enables the business. Interviews have confirmed on several occasions that in complex contexts, where sometimes it is not possible to think strategically about information security, cyber security experts are particularly rare and expensive and the most sought after profiles do not have adequate training to work in immediately operational contexts. A further critical factor is that salaries are too low and not in line with the international market, contributing to the “brain drain” from the national territory. The Italian scenario in the study is not isolated but in line with the international scenario, as identified by the studies conducted at a global level by ISACA [4], which validate the results regarding the size of the phenomenon and the time needed to find a qualified candidate for vacancies in company structures, a period ranging from 30 days to almost 6 months (or more).
Less than 50% of the candidates, according to the ISACA study, are not properly qualified to hold the position required by the organisations themselves, which further reinforces the important factor of insufficient technical and operational training and understanding of the business in the field of cyber security. The phenomenon of CSSS, as already amply demonstrated in the international report “Mind the Gap”, is strongly felt at the international level, and countries such as the United Kingdom, Australia and Japan are currently investing heavily both in economic terms and in the structuring of mature policies to combat the shortage. Comparing Italy with the United Kingdom, one of the countries with a sophisticated approach to the cyber security skill shortage, Italy’s economic commitment in terms of cyber security and education is lower. The United Kingdom has had a national approach to the phenomenon, especially in terms of policies and training of the younger generations. Between 2011 and 2016, it invested 38.2 million Euros in training and education programmes and is currently defining a further strategy for the creation of skills in cyber security, which should be published by the end of 2019 [5]. It had already dedicated about one billion euros of public budget to cyber security in the period 2011-2016, increased to 2.2 billion for the period 2016-2021 [6]. It is not yet clear how much Italy spends overall on cybersecurity, but the 2017 strategic plan reiterated that the cybersecurity policy should not entail additional costs for the administration, and the Government has created a new fund for cybersecurity, presumably intended for the Ministry of Defense, for a total of 3 million for the period 2019-2021.
Certainly, Italy could draw inspiration from the model adopted by the United Kingdom, while taking into account the differences between the two countries, and put in place some initiatives to reduce the skill shortage in cyber security. It could define a national solution to the cyber security skill shortage involving Government, Industry and the Education System, designate a single national body responsible for the relevant policies, and allocate the appropriate budget, without which the Italian administrations can hardly implement policies on education and skills. Italy should prioritise policies on the school-to-work transition, higher education and high schools, and develop campaigns to encourage women to undertake cyber security training in order to promote female employment in the sector.
The reports of the international study and of the Italian case study are available on the website of the foundation, www.gcsec.org.