Global Cybersecurity Education – Lessons from the CMM

25 June 2018

As the Global Cyber Security Capacity Centre (GCSCC) moves into its next phase, the centre is committed to expanding both the reach and impact of the Centre’s portfolio of work. With now over 60 deployments of the Cybersecurity Capacity Maturity Model for Nations (CMM) completed across all regions of the world, it has become clear from the data collected that education and training is critical in order for a country to develop capabilities across all five dimensions of the CMM. “Cybersecurity Education, Training and Skills” is therefore not only the focus of this one distinct dimension, but research confirms that it is a cross-cutting issue. Furthermore, the GCSCC has commenced research in to a Cyber Harm Framework (CHF), with the aim to develop a holistic and robust model for understanding the harm experienced by nations as a result of a lack of capacity, and how this can be reduced. The initial focus-groups and interview results suggest that an overwhelming majority of research participants (85% of them) identified education as a fundamental area where capacity-building is required.

As a Centre sitting within an academic institution, it is a natural development that the GCSCC has started to actively consider its role as a facilitator relating to the conversation and action on global cybersecurity education and training needs. Our research suggests that firstly, there is a need to ensure that the government’s own education and training programmes can connect all of this information together and secondly, there will be specific education and training requirements needed to support the development of maturity within and across all such dimensions. To help spark this conversation the Centre has produced a short discussion paper that provides a brief insight into the current evidence-base and research related to global cybersecurity education needs. Highlights of this paper are presented below:

Earlier this year, the World Economic Forum released its annual Global Risks Report 2018, which identified cyberattacks as a top ten global risk in terms of both impact and likelihood. The global development consequences of this risk and the impediment to ICT are clear, as can be seen by the  United Nations championing the important role ICTs can play in the achievement of the Sustainable Development Goals (SDGs) and the World Bank Digital Dividend. As such building cyber resilience and ensuring that secure use of the Internet becomes a priority is critical in this regard. However, a number of barriers to this priority exist including complexity of cybersecurity management, lack of political will, and the economic costs of risk mitigation have created road blocks in the advancement of cybersecurity capacity-building, although there are many positive outcomes achieved in this area.

Despite some positive developments towards building global and regional cybersecurity capacity, such as the Delhi Communiqué on a GFCE Global Agenda for Cyber Capacity Building, there is still much work that needs to be done in order to sufficiently equip nations to deal with cyber threats. One key area is the development of global human capital through cybersecurity education and training. The skills deficit in cybersecurity is a global challenge with nations all across the development spectrum facing resource shortages. A 2017 Global Information Security Workforce Study forecast a 1.8 million information security worker shortage by 2022 with 66% of study respondents indicating that there were too few information security workers in their respective departments.

Whilst the proliferation and adoption rate of technology is more comprehensive in high income nations, the cybersecurity skills shortage, is something felt by regions all across the world, with varying antecedents. In the ASEAN region, the cybersecurity industry faces structural challenges because of its highly fragmented nature. In Africa, there is an ongoing debate around the need for governments and enterprises to provide an enabling environment buoyed by a relevant educational curriculum designed to attract and groom these talents. A survey of higher income nations reports that cybersecurity education was deficient and that high-value skills are in critically short supply, the most scarce being intrusion detection, secure-software development, and attack mitigation.

With all this in mind, it is clear that significant improvements in the way the global community approaches the education and training of cybersecurity competencies and professionals is required in order to begin to close the skills deficit. Failure to do so will result in wide ranging and globally linked barriers to the achievement of the SDGs and the ability to harness and share in the benefits of technological development.

The GCSCC proposes that moving forward, what is required is an analysis of the full spectrum of cybersecurity educational requirements, and the development of a template national cybersecurity education strategy that countries can easily adopt and adapt as they seek to mature aspects of their national cybersecurity capacity.

If you would like to be part of this conversation and engage in the education template process, please contact the Global Cyber Security Capacity Centre at cybercapacity@cs.ox.ac.uk to discuss your ideas and how you and your organisation can get involved.

Want more? You can read about this topic further in our short discussion resource paper “Global Cybersecurity Education Needs Assessment”.