Digitalization is rapidly transforming the global economy, but it has also spurred the rapid growth in the prevalence and intensity of cyber crime. Cybersecurity is a multifaceted field with numerous specializations, including Network Administration, General Cybersecurity Analytics, Incident Response, and Digital Forensics. Globally, there is a significant deficit in cybersecurity talent. In 2021, the international association for information security leaders (ISC)² reported a global cybersecurity workforce gap of 2.72 million workers, down from 3.12 million the previous year.1 Canada is no exception to this trend. The same (ISC)2 study found that there were 123,696 cybersecurity professionals in Canada, a large increase compared to two years earlier, but that there remains a talent shortage of 25,000 professionals in the field.2 In short, in a field with close to no unemployment, about one in six postings go unfilled.
ICTC has formed INACCT, the ICTC National Advisory Committee for Cybersecurity Training, to provide an evidence-based approach to addressing the talent crisis in cybersecurity. This research report, focused on describing the talent situation in cybersecurity in Canada and proposing potential policy solutions, summarizes existing scholarship on the cybersecurity ecosystem domestically and abroad, and combines it with primary research data from both employers and students. The report considers the viability of alternative pathways to obtaining cybersecurity education, such as microlearning experiences and work-integrated learning.
Our research confirms that cybersecurity is a rigorous, specialized field facing a sharp talent deficit. Due to high salaries driven by a talent shortage, many organizations cannot find the necessary personnel. And yet, despite very high compensation packages, there is widespread self-selection out of the field; close to a third of male respondents and around half of female students eventually leaving the field during their education. Among those who become fully-fledged cybersecurity employees, feelings of burnout are common. In some ways, Canada’s cybersecurity talent situation may be more intense than in the United States for several reasons. Firstly, the absence of a nationally implemented skills framework (similar to the NICE in the United States) has impeded communication between employers and potential cybersecurity employees about the skills necessary to succeed. Secondly, there is a gap in communication between industry and academia. Finally, Canada faces the risk of “talent poaching” by the United States, where the tech industry typically offers even stronger compensation packages.
Nevertheless, the study also finds positive developments in Canadian cybersecurity education. Micro-learning and work integrated learning programs are well-received by former students in the field, with a majority indicating that these programs might have deterred their decision to leave the field. Since there is no significant gap between what cybersecurity students desire to study and the needs of industry, providing students with suitable educational programs should enable the workforce to grow while satisfying the needs of industry.