New technologies, such as Cloud Computing, Artificial Intelligence (AI) or the Internet of Things (IoT), offer great opportunities for societies to enjoy the benefits of an increasingly interconnected world. However, the use of digital technologies also implies greater exposure to the risks of cyber attacks. The number of cyber attacks is outstripping defence capabilities, and one reason for this is the lack of an adequately skilled cyber security workforce. Enterprises around the world are facing shortages of skilled professionals in this area, limiting their ability to contain threats.
This report analyses the evolution of the demand for cyber security professionals from January 2012 to June 2022 in five countries: Australia, Canada, New Zealand, the United Kingdom and the United States. The analysis in the report leverages the information contained in nearly 400 million job postings collected from the internet (online job postings, OJPs). The report also looks at the supply side, zooming in on the landscape of cyber security education and training programmes in England (United Kingdom) and the policies and initiatives to make these programmes more accessible and relevant.
Along with the fast-paced digital transformation observed in many OECD countries, the demand for cyber security professionals outpaced the growth in aggregate demand across the rest of the occupations in all countries analysed in this report. Notably, since 2021, the volume of OJPs in cyber security increased at a faster pace than in the pre‑pandemic period, likely reflecting the challenges related to the expansion of remote working and a broader adoption of digital technologies.
The demand for cyber security professionals is heterogeneous. Cyber security architects and engineers stand at the core of the demand for cyber security professionals, recording the highest share of OJPs and the fastest growth in the period 2012 to 2022. Cyber security analysts also represent a large share of OJPs in the cyber security landscape, with particularly strong growth in Australia and New Zealand.
Most of the OJPs in the cyber security job market are for jobs located in main urban areas where major enterprise and government headquarters are found. However, the geographical concentration of cyber security OJPs in those areas has recently decreased, suggesting that, as the digital transformation permeates an increasingly larger number of economic activities throughout different geographies, the demand for cyber security professionals is also spreading out geographically.
The rapid adoption of new digital technologies is reshaping the skills that enterprises are demanding for their cyber security professionals. Data for 2021 indicates that the knowledge of cyber security-related frameworks (i.e. resources for the design and implementation of security systems) and “threat assessment” skills are highly relevant for the profession. Over time, new technologies are emerging, and these are increasingly mentioned as requirements in OJPs seeking to hire cyber security professionals. For example, the importance of knowledge in cloud computing has significantly increased in the last couple of years.
On the supply side, the case study for England shows that there can be various education and training pathways into cyber security roles, with opportunities for progression. The English further and higher education system provides multiple cyber security training programmes that lead to formal qualifications, including at the short-cycle tertiary level (or higher technical education) and bachelor’s level. Learners can also develop basic cyber security skills at lower levels of education, including through cyber security modules integrated in broader programmes and through dedicated cyber security programmes in further education. In addition to these classroom-based programmes, there are also apprenticeship opportunities in cyber security at various education levels – allowing learners to develop skills on the job.
Complementing these formal cyber security qualifications, young people and adults in England can also participate in non-formal training that typically leads to certificates. Such non-formal training is usually shorter and more flexible than programmes in the formal system. Bootcamps are one particular type of non-formal training that is available in the cyber security field, which can be offered by public or private education and training providers. The Department for Education offers Skills Bootcamps which can be fully funded by the government. These are flexible courses of up to 16 weeks to build up sector-specific skills and fast-track to a job interview with a local employer. While Skills Bootcamps are typically too short to prepare someone without a background in information technology to become a fully skilled cyber security professional, they provide opportunities for those with some relevant experience to specialise in cyber security and for those without experience to take their first steps in a longer cyber security training pathway.
Enrolment in cyber security education and training is relatively modest but on the rise for various types of programmes. Efforts have been made to improve the understanding of what a cyber security career looks like and the pathways to it. Moreover, programmes such as CyberFirst have been introducing young learners to the field to develop the next generation of cyber security professionals. As female learners are typically underrepresented in this field, various initiatives focus on bringing more girls and women into cyber security training and careers. More flexible training opportunities are being created (such as the Skills Bootcamps), and financial incentives are provided to make training more accessible.
Outcomes of cyber security programmes are positive overall, with on average, relatively high completion rates and progression into employment or further studies. As the cyber security field changes quickly, education and training programmes in this field need to adapt to stay relevant. Apprenticeships and skills bootcamps are designed in close collaboration with employers, and sectoral clusters facilitate co‑ordination between employers and education and training providers. Various initiatives have been set up to certify cyber security programmes and providers to signal their quality to learners and employers, facilitating students’ choice of programmes and ensuring cyber security training content and delivery is consistent with best practices.