Fintechs are among the sectors with a shortage of cybersecurity professionals, with a global shortage of 2.72 million. This comes as the worldwide cost of cybercrime in 2021 was pegged at $6 trillion.
Cybersecurity problems are worse in North America
The problem is especially acute in North America. According to research conducted by Rapid in 2018, the United States has the highest exposure to cybercrime, with the United Kingdom second and Canada third (187 countries were ranked). An IBM study indicated cyberattacks on Canadian companies are among the most expensive to fix. Overall, 21% of Canadian businesses were impacted by a cybersecurity incident; 40% of Canadian SMEs saw phishing and virus attacks; roughly one in three experienced Trojan or spyware attacks, and 27% suffered ransomware attacks.
Numerous factors make Canada vulnerable to cyber threats. In a 2020 report, the Canadian government warned that worsening international relations with China and Russia would lead to increased state-sponsored attacks. Canadians are also on the Internet more than any other nation, averaging 53.5 hours online monthly.
The COVID-19 pandemic has increased cybercrime’s threat. Six of seven Canadian security leaders said their organizations incurred a data breach in 2020, with 88% of victims saying they suffered “material” impacts and 78% saying they are facing more attacks overall. Those attacks, on average, are increasingly sophisticated.
How the ICTC is addressing the cybersecurity professional shortage
While 124,000 cyber professionals are employed across Canada, another 25,000 are needed. A combination of poorly defined job responsibilities, burnout, and higher salaries in the United States contributes. Still, ICTC vice president of capacity building and innovation Marc Lijour said they could be overcome.
The ICTC established the National Advisory Committee for Cybersecurity Training (INACCT) to target the shortage with evidence-based approaches. It conducts research, works with industry and government, and collaborates with education bodies to establish training programs.
Several main factors contribute to the shortage in Canada. There is no nationally-implemented skills framework similar to the USA’s National Initiative for Cybersecurity Education’s (NICE) Cybersecurity Workforce Framework. An initiative of the Cybersecurity and Infrastructure Security Agency (CIA), NICE provides a standard definition of cybersecurity, describes cybersecurity tasks, and outlines the knowledge, skills, and abilities needed to fulfill them.
Organizations around the world are incorporating NICE’s work. It delineates cybersecurity into seven categories, 32 specialty areas, and more than 1,000 tasks. There are more than 600 knowledge areas, 300-plus skills, and 176 abilities.
Canada is well-positioned to attract talent
In Canada, that lack of clarity contributes to burnout in the workplace, especially in smaller companies. If they even have a cybersecurity department, a company may assign generalists who are expected to deal with any situation. Given the rapidly changing nature of cyber threats, this unpredictability is a problem from the outset. It is a clear indicator that management does not know what a proper cybersecurity department looks like.
As the number and variety of threats rise, the pressure increases. In a 2017 international study, two-thirds of information security workers said they did not feel adequately staffed to address these growing threats.
Canada is working towards an American-style environment but faces the added challenge of talent poaching from American companies offering higher wages. That has long existed.
Lijour sees opportunities for Canadian companies to repatriate some of that talent as American tech companies undergo massive layoffs. The pluses are many, beginning with an attractive cost of living. There is also a thriving ecosystem in southern Ontario that Lijour said is bigger than Silicon Valley in some respects.
The Government of Canada is including tech workers in its immigration priorities in the coming years, which are expected to attract 500,000 people, Lijour added. People will be introduced to ICTC programs that will work with them on their resumes and find them a job.
“It’s a win-win,” Lijour said.
The need to diversify the talent pool
Federal agencies must also work to increase the diversity of the cybersecurity labor pool. A 2021 ISC report found only 20% of Canadian cybersecurity workers were women, while 25% were Black, Indigenous, or a person of color.
More must be done to attract women to the field and keep them in it. North of half of the women in one survey left the area, nearly double the rate of men. Men are four times as likely to make the executive level and nine times more likely to be in management. Even though the average woman in cybersecurity is more educated, she earns less than men at every employment level. Only 41% of women in one cybersecurity professional survey felt they had the same career advancement options as men.
Canada is addressing these gender- and racial-based disparities. Ryerson University’s Accelerated Cybersecurity Training Program also incorporates education, experiences, cultural differences, and age into its curriculum. It targets women, mid-career individuals, career-changers, and immigrants.
Designing responsive education
Designing the right education programs is crucial to attracting and retaining talent, Lijour said. The process begins away from the classroom by clearly defining the requirements for individual jobs and classifications, similar to NICE.
Once skills gaps are identified, the next step is responsive training programs. The University of New Brunswick’s Canadian Institute for Cybersecurity offers classes and advanced certifications (Bachelor’s and Master’s programs are rare in Canada).
The industry needs to pay the tab. The high cost of education deters current and prospective employees. A 2019 ISC study found only 37% of organizations fully covered training costs, and 35% of students were forced to pay the entire tuition fee.
Work-integrated learning programs and targeted micro-learning courses have proven attractive, Lijour said. They don’t involve taking years to complete a degree.
“We’ve mapped it down to the skills,” Lijour said. “When they identify gaps, we can send them to get the skills that fill those gaps. Instead of sending them to get another Ph.D., we send them for a three- or four-month certificate that gets them the skills that they need.
Tony is a long-time contributor in the fintech and alt-fi spaces. A two-time LendIt Journalist of the Year nominee and winner in 2018, Tony has written more than 2,000 original articles on the blockchain, peer-to-peer lending, crowdfunding, and emerging technologies over the past seven years. He has hosted panels at LendIt, the CfPA Summit, and DECENT's Unchained, a blockchain exposition in Hong Kong. Email Tony here.