20 February 2020
The Future Shape of Cybersecurity Professional Workforces in Europe
Gavin Belson is a bad guy from the HBO tv series, Silicon Valley, and his character is maybe inspired by some of internet giants CEOs. One of his famous comments is about “group of five”, an observation on how software teams organize themselves and end up having different and complementary characters, which in Silicon Valley fiction is exemplified by a different cultural background or look.
In Europe, for the joint cybersecurity teams of the future, we might even go step further, given the very diverse set of cultures, backgrounds and talent pools. Leaders, team players, eternal students, strong communicators, conservative guardians, technical gurus and “everybody’s friends”, might all be needed in a single team. Understanding human behavior will help in risk assessment, especially when it comes to social engineering threats. Persuasion and communication skills will be needed in approaching the higher management and convincing them about the importance of a continuous investment in cybersecurity. Education appetite and curiosity is essential to remain up to date. Strong situational awareness and analytical abilities, handling complexity, positive attitudes and stability, and many other human and social skills come to mind as well for cybersecurity experts. Technical knowledge, therefore, is only a part of what cybersecurity professional team should have.
In the Atos opinion paper on Digital Vision for Cybersecurity here is a lot of attention given to the future of cybersecurity workforce. To maintain a high level of cybersecurity workforce, we need to create a common framework where academia, industry, law enforcement and the public sector all fit, and can all refer to or understand. National Institute of Standards and Technologies (NIST), for example, published National Initiative for Cybersecurity Education Cybersecurity Workforce Framework where they define 7 categories; 33 specialty areas; 52 work roles, and then map these to 1,007 tasks, 374 skills, 630 knowledge areas and 176 abilities. Europe might need to adapt it to its own context.
The professional workforce must consider not only the EU member state context, but also organizational and scenario-specific situations. Cybersecurity experts in police will likely have a different profile to a cybersecurity specialist in the hospital. Personality traits should fit the organizational cybersecurity context, although it is still a sensitive issue, often neglected or avoided. Cyber threats, for example, might be ambiguous, which results in different categorization, labeling or structuring, depending on the cognitive or cultural bias of an individual. A well-balanced cybersecurity team must take this into account and should take care of leveling individual differences, when it comes to these bias-driven situations.
Europe wide cybersecurity workforce development plan must confront, sooner or later, this diversity and complexity, as well as cultural or technological legacy in some EU member states. The same applies also to the future European Cybersecurity Competence Centre, Network and Community. This framework should acknowledge regional differences, organizational fitness and social capabilities. Assessing team performance in constantly changing cybersecurity landscape is very difficult, but this is where Cybersecurity4Europe work can bring important contributions.
Aljosa Pasic, ATOS