Background: The Cybersecurity Workforce Gap

Cybersecurity is the practice of protecting oneself and one’s organization from digital attacks. This can include network, system, and program security; training personnel to be cyber-aware; and planning for and responding to incidents. In 2021, just under one in five Canadian businesses (18%) were impacted by cybersecurity incidents.

In 2022, the global cybersecurity workforce was made up of approximately 4.7 million professionals—the highest number recorded to date by cybersecurity workforce development organization ISC2. In Canada, ISC2 estimates there to be 138,726 cybersecurity workers, a 12.2% increase over their 2021 figure. However, the same report notes a critical shortage of cybersecurity workers in the face of mounting risks, with the demand gap growing much faster than the supply of workers worldwide. In Canada, ISC2 estimates there was a gap of 25,385 unfilled cybersecurity roles in 2022.

Furthermore, research in Canada and globally has shown that women are dramatically underrepresented in the field: for example, of all Cybersecurity Specialists in Canada (a category of workers including titles such as cybersecurity analyst, IT security architect, or systems security engineers), only 18.5% identify as women (trans inclusive). Data on the representation of other gender-equity-seeking groups is not currently available for Canadian cybersecurity positions; however, research on their representation in technology increasingly recommends an inclusive and intersectional approach to gender equity in workforce development, attraction, and retention.

Cybersecurity Talent Development’s Central Challenge

ICTC’s research into talent development (in cybersecurity but also in domains such as public sector IT work, health technology, or AI) finds that many technology-related roles require a “T-shaped” professional. This means that even early-career entrants may require two things. First, they need a broad foundation in essential skills, often provided by post-secondary education that offers the time and space to learn about the basics and logic of computer science while taking electives that offer exposure to other disciplines. Second, they need specialized knowledge of up-to-date, rapidly changing programming languages and other tools and techniques specific to their domain in technology. The latter set of skills is difficult to teach in post-secondary settings due to the pace of curriculum development, the struggle to compete with private sector salaries for instructors, and other challenges. Accordingly, these skills may be best offered by industry in settings such as work-integrated learning. However, 98% of Canada’s businesses are small (with under 100 employees) and may not have the resources to invest in training a student. The result is a skills gap in new graduates.

About the Pilot Program

In 2021, ICTC and Microsoft developed a work-integrated learning (WIL) pilot with the goal of attracting, training, and retaining women and gender equity-seeking post-secondary students to cybersecurity careers. WIL involves paid, short-duration, experiential learning embedded in a workplace, along with early labour market attachment and on-the-job experience. Co-ops, internships, and apprenticeships are all examples of WIL. In this pilot program, students did a summer term work placement with cybersecurity employers.

This program was also informed by INACCT—the ICTC National Advisory Committee on Cybersecurity Training, which recommended increasing industry engagement in the early, mid, and end stages of post-secondary education to support skill building and networking.

The pilot program ran from January to August 2023, and participants included 36 students and nine employers. Phase I was designed to serve both employer and student needs and was housed in two schools: the Toronto Metropolitan University and the University of Calgary. Participating students identified as women or gender-nonbinary and were within two years of graduating from a relevant program. They were offered coaching on resume-building, interviewing, LinkedIn, networking, and workforce readiness, as well as a mentorship community and free access to training for Microsoft AZ-900 and SC-900 certification. Mentorship communities were implemented by inviting students to enrol in the Global Mentorship Initiative (GMI), an organization that offers one-on-one mentorship with a technology professional in a virtual setting for one hour per week. In addition, students had access to mentors from Women in Cybersecurity Global (WiCyS). Fees were waived for both mentorship programs.

Meanwhile, participating employers received a 70% wage subsidy for their student’s salary up to $7,000, as well as a tailored book of resumes and administrative support. This program was designed to connect employers to women and gender-nonbinary students embarking on cybersecurity careers through a wage-subsidized work-integrated learning placement, thereby de-risking the hiring of new talent for the employer. It helped students build skills, a professional network in a real-world setting, and confidence.

ICTC conducted an internal formative evaluation of the pilot program to inform Phase II, which will run from 2023 to 2024 and expand the number of participating universities, students, employers, and certifications. Data used included in-depth exit interviews, mid-point check-ins, and mid-point and exit surveys. (However, each of our data sources other than mid-point check-ins was opt-in. In future iterations of this program, we will seek an improved response rate.) The following selected findings from the formative evaluation include lessons learned that we hope will be useful more broadly for the WIL community and for the equity, diversity, and inclusion (EDI) in cybersecurity community.

Desired Outcomes: Exposure to Cybersecurity, Real-world Work Experiences, Skill Development, Workforce Retention

The program appeared to successfully increase students’ exposure to cybersecurity. Several participating students would not have heard about cybersecurity were it not for the invitation to participate in this WIL program. They commented that despite studying computer science, they did not know about the diversity of skills required in cybersecurity or thought it “was all about hacking.” One noted:

“I think most computer science students think that computer science means coding, and they have to just go for software engineer jobs. And we just don’t know about how many different fields are in computer science. I was thinking about being a software engineer before, so now I am rewriting my career path related to cybersecurity.”

While employer expectations of students were modest, many of them were impressed by the quality of student work: “We were able to leave her alone with tasks after a couple of shadowing sessions,” one noted, while another described their student as “instrumental.” For the most part, employers reported giving students tasks related to cybersecurity documentation and policy development.

“I’ve been part of co-op programs where you had student-make-work projects that are kind of tangentially involved with things. But she was right there in the thick of things. This is a process for our company, and she was driving it.”

The one exception to this was a larger participating company, which reported designing student deliverables to be focused on training and development rather than essential workplace contributions.

Technical Skill Development: Students reported learning about using virtual machines on a colleague’s computer, encoding and decoding using Linux, and developing security operations centre (SOC) infrastructure. Employers reported that students had learned about documentation, compliance, project consulting frameworks and review cycles, low-code/no-code workflows, agile projects, disaster recovery, gap analysis, policy analysis, SQL database user management, and PowerBI.

Interpersonal Skill Development: Many of the students and employers reported that co-op participants were shadowing client-facing work and/or given responsibilities to present to internal teams for implementing cybersecurity protocols.

One student said, “I also got involved in client-facing work. We had team meetings, and I was able to shadow those and see how consulting and cybersecurity happen hand in hand.” Another reported, “I had to do weekly presentations as well as communicating with other team members because they kept asking me questions like ‘Why did this happen? What do I have to do?’ So, a lot of communications and speech, leadership.”

Of the five employers who opted into an exit interview, three reported offering contracts to their students for part-time or full-time non-subsidized work following program completion.

Student job titles in the WIL pilot included:

  • Cybersecurity Analyst
  • Entry Level Information Security Analyst
  • Firmware Developer Intern
  • Cybersecurity Intern
  • Summer Associate, Security Consulting

Lessons: Employer Capacity and Recruiting More Employers

Employers, by and large, did not report reflecting on their own practices or changing their workplaces to accommodate students—other than ensuring they had adequate onboarding, professional development opportunities, work, and supervision. One exception was the largest employer interviewed, who planned professional development opportunities and networking outings for their co-op students. The same employer suggested that more explicit guidance about their responsibilities to student development would be helpful in future. While smaller companies might not have had the staff and resources to plan professional development for their co-op students, they did report giving students significant portfolios with relevance to the business. This came with important skills development and time management risks. Most students reported experiencing safe and welcoming work environments, but some had trouble with work-life boundaries and took on work during unexpected hours. Future iterations of this program will seek to set up further safeguards and resources for students.

One of the major challenges the pilot program faced was employer recruitment: more students expressed their interest in securing WIL placements than were ultimately able to do so. To this end, exit interviews with employers asked what they were looking for and what had incentivized them to participate. Key takeaways included the following:

  • Co-op student salary subsidies were the number one incentive for participating among interviewed employers.
  • Employers found it difficult to distinguish between student resumes: they felt that they could tell which students had implemented resume coaching effectively but wanted more differentiation, such as relevant professional passions and interests. One commented:

“It would be nice to have a hobbies or passion section… where they’re passionate about AI, or using advanced functions and regression formulas for understanding computing power… It gives us a perspective into what they’re interested in in their free time, and the more technical ones or the more creative ones we can shortlist because they’ll succeed in this kind of environment.”

  • In interviews with students, employers were looking for workplace fit, validation of claimed skills in their resumes, interpersonal skills, ability to solve technical problems, and enthusiasm.

Finally, after a presentation of key findings and takeaways from the formative evaluation, the ICTC National Advisory Committee on Cybersecurity Training recommended adding the following questions to exit interviews or surveys in Phase II of the program:

  • If students are offered contracts after their co-op placements, what types of roles/job titles are they being hired for?
  • What types of training are employers providing students when they hire them back?
  • Do program participants offer the same level of quality as entry-level talent in the employer’s existing cybersecurity talent pipeline?
  • How do certifications impact the student’s ability to do work?
  • Do students feel adequately prepared for their work experiences?

Conclusion and Next Steps: Increasing Industry Engagement in Training

Phase II of this program, funded by the Digital Learning Lab (Digital Supercluster), will include 150 students from the following institutions: Toronto Metropolitan University, the University of Calgary, the British Columbia Institute of Technology, Red River College Polytechnic, Dalhousie University, New Brunswick Community College, and the University of New Brunswick/McKenna Institute. A key priority for Phase II is further employer engagement. Employer participants in the ICTC/Microsoft Pilot reported that students made essential contributions to their workplaces and could effectively expand an employer’s staff with little training if hired on after the WIL placements. Private sector involvement in student training is essential to workforce development. As the cybersecurity workforce gap continues to grow, workplaces seeking skilled entry-level talent will increasingly need to be a part of the solution by fostering students during their degrees.