Building the Next Generation of Cybersecurity and Privacy Professionals

Context

In the past two decades we have witnessed a dramatic evolution in the cyber domain; new technologies have revolutionized the world we live in, our habits, our behaviors and our way of thinking. Cloud Computing, Edge Computing, Internet of Things/Everything, Smart Environments, Artificial Intelligence, Distributed Ledger Technologies, and Quantum Computing technologies now represent the foundation of the information society that we all depend on.

These new technologies have also created a number of points of discontinuity within our society, especially between different generations, and within political and economic organizations. The exponential growth of technologies and their revolutionary impact has not been accompanied by an equally fast change in governance and management approaches. There has been no update or even upgrades of the organizational models, skills, and expertise required to manage the opportunities and risks brought to us by technological advances.

As a matter of fact, the so-called knowledge gap is one of the biggest challenges that our society is facing. It affects any societal and business realm and the large majority of organizations, no matter which business sector or geography they operate within (public administration, healthcare, manufacturing, distribution, information technologies, etc.).

The cybersecurity and privacy domains are certainly a critical factor in this story. They represent at the same time the enablers and the custodians of information society. As they protect data and the e-infrastructure, they support the continuity and the correct functioning of processes and systems.

The cybersecurity and privacy domains are at the crossroads of several different sciences and practices, ranging from computing science to sociology, passing through mathematics, engineering, economics and law. This inherent complexity makes their management an extremely difficult task to deal with.

The challenge that society as a whole is facing, and the cybersecurity and privacy community in particular, is to understand how to fill the existing knowledge gap and how to create and operate solutions that are scalable in terms of volume and over time.

CSA’s goal vis-à-vis the knowledge gap

The objective of the Cloud Security Alliance (CSA) is to contribute to the solution of the cybersecurity and privacy knowledge gap. CSA wants to take steps toward addressing both the issue of a general lack of cybersecurity and privacy awareness and the issue of a qualified workforce.

Looking at the medium-term horizon

When talking about the knowledge gap, we typically refer to two distinct, but closely related problems: the shortage of a qualified workforce and the general lack of cybersecurity and privacy awareness. The size of the workforce shortage is measured mainly on expert opinion and surveys. We don’t have an exact number, but some estimates tell us that we are currently short about one million to three million cybersecurity professionals.

The magnitude of the problem related to the lack of general cybersecurity and privacy awareness is possibly even more difficult to measure. However, taking as indirect reference the number of security breaches that have happened in these last eighteen months during the COVID-19 pandemic when most of us were working and studying from home, we can infer that a large portion of the worldwide population is completely lacking in the most basic knowledge of the technology they are using and the implication of their actions in the cyber space.

The numbers that describe the size of the knowledge gap are likely to worsen in the next few years given the increasing technological complexity I mentioned earlier.

This is not to be defeatist, on the contrary I’m typically an optimist, but we need to be pragmatic and acknowledge that only a select few will be able to keep up with the continuous changes in technologies, and the large majority of us will need to play catch-up until there’s a coordinated, coherent global plan to address the problem in a meaningful way. Our community has to learn to better plan for the future, extend the horizon beyond the short term, and work to identify a plan to understand what will be needed 10 years from now, both in terms of skills and expertise, and in terms of the number of professionals necessary to support our society.

Since oracles do not exist outside the realm of mythology, the only way to define an effective plan and solutions to address the knowledge gap is to have a coordinated approach between all the most relevant stakeholders. This includes the policy makers that would need to support the definition and implementation of the plan with policy and financial aid, and academia, schools, the industry, professional associations, and training institutions that would need to chime in with their ideas, competences and will to execute.

Where CSA stands

CSA wants to identify what’s the right combination of theoretical and practical knowledge and the areas of expertise that the cybersecurity and privacy practitioners of the future would need to acquire in order to be able to support the organizations they work for.

The approach

CSA is an organization that has made collaboration with other members of the stakeholder community one of its trademarks. The large majority of CSA best practices, guidelines and educational materials are the results of the contributions of individual volunteers, member organizations, other professional and industry fora and public institutions. To address the issue of the knowledge gap we will follow the same approach.

CSA would like to engage with industry practitioners, professional training and accreditation bodies, academia, public agencies, and analyst and consulting firms to:

• define new cornerstones for professional credentialing,
• identify the correct approach for staying relevant over time and ensuring ‘REAL’ continuous education and professional updates and developments are maintained,
• develop its bodies of knowledge and curricula to address the various needs for society in the near future.

What’s the first step?

The first step is a community consultation to determine:

• What are the key areas of expertise that a modern professional credentialing should cover?
• What are the key technologies to be covered?
• What’s the target audience?
• What’s the right mix of theoretical and practical knowledge?
• What’s the correct approach to “continuous education”?

Key questions

The key questions to be addressed during the consultation phase are:

• What are the fundamental ICT competences that the professional of the future should have? Should ICT be a part of the curriculum?
• What are the fundamental cybersecurity competences that the professional of the future should have?
• What are the fundamental privacy competences that the professional of the future should have? Should privacy be a part of the curriculum?
• Within the cybersecurity domain what are the key areas to be covered?
  • Risk management
  • Governance, accountability and compliance
  • Secure code development and engineering
  • Identity and access management
  • Data and code management
  • Encryption
  • System resilience and incident management
  • Etc.
• What are the key principles and properties cybersecurity professionals should be aware of and be able to design and operate accordingly?
  • Need to know
  • Least privilege
  • Automation and self-management
  • Plasticity
  • Scalability
  • Resilience
  • Security by design
  • Privacy by design
  • Accountability
  • Etc.
• What are the key technological areas to be covered?
  • Cloud Computing
  • Edge Computing
  • IoT and Smart Environments
  • Distributed Ledger Technologies
  • Artificial Intelligence / ML
  • Etc.
• What’s the right mix of theoretical and practical knowledge to be taught?
  • What is the ratio between the two?

Looking at the short-term horizon

CSA gathered cloud and cybersecurity professionals together in Bellevue, Washington in September 2021 for SECtember, our first in-person event since the COVID-19 pandemic began. SECtember was an opportunity for all of the stakeholders described here to learn from each other, collaborate, and try to address the cybersecurity knowledge gap. Two days of in-person CCSK and CCAK training were offered, as well as two more days of keynotes and educational breakout sessions. This event was just one of many steps required to adequately elevate cybersecurity and privacy and fill the hole in our industry.