14 February 2020
Addressing the Shortage of Cybersecurity Skills in Europe
The European Union needs to ensure that sufficient highly-skilled engineers, scientists and other cybersecurity specialists are educated to be ready to support and lead solutions to current and future industrial, scientific, societal and political cybersecurity-related challenges. But how well is the EU doing in this area? Are European universities educating students in all areas of cybersecurity? Or are there much-needed cybersecurity skills being neglected?
One of the aims of CyberSec4Europe is to identify and prioritise the cyber skills needed at university level, and to investigate existing cybersecurity curricula. As a first step towards such a goal, the project deliverable D6.2 “Education and Training Review” presents a review of existing European university MSc cybersecurity programmes. The review is based on a survey of more than a hundred MSc programmes at participating universities in EU Member States. The heads of studies or other senior members at these universities were contacted through the extensive CyberSec4Europe partner network and using existing education maps in cybersecurity, such as the one provided by ENISA.
The survey uses well-understood terminology for cybersecurity knowledge topics and skills drawn from existing cybersecurity curricula frameworks, such as the ACM Cybersecurity Curricula and NIST’s NICE Cybersecurity Workforce Framework. Based on the analysis of the survey data collected, the summary focuses on pinpointing the cybersecurity skills that are either sufficiently or insufficiently covered by individual Member States and the EU as a whole.
Our main findings identify a set of cybersecurity knowledge areas and topics that are insufficiently covered by the surveyed education programmes and countries. We believe that our findings, together with European initiatives like the JRC taxonomy, the Cybersecurity Atlas, and the new edition of the ENISA cybersecurity map, can be a good starting point for the identification and prioritisation of the cyber skills needed in the European Union, and that those skills should be promoted to enrich cybersecurity education programmes. The apparent lack of focus on topics related to system retirement, security- and privacy-by-design is critical as the use of legacy and third-party software and systems, possibly produced outside the EU, and their dismantlement and replacement poses challenges to security and privacy that require specialised training and skills.
Alberto Lluch Lafuente, DTU