Cyberspace has become an essential component of modern society, yet its merits are accompanied by threats. A growing number of reported cyber-incidents demand governments to come up with a strategic response to counter cyber-threats. This includes building national competences for cybersecurity, especially for protecting the critical infrastructure.
A team of Diplo researchers conducted a study Cybersecurity Competence Building Trends in response to an inquiry by the Federal Department of Foreign Affairs of Switzerland. They collected and analysed experiences from several OECD member states that have systematically advanced cyber competence building. Since the findings might be of a value to many other countries looking at strategic approaches for enhancing national competences, the results of the study have been made publicly available. The authors of the report, Vladimir Radunović and David Rüfenacht, presented the key findings during a webinar on 19 April 2016 (follow the webinar recording, and download the presentation).
The study identified key trends in competence building in Austria, Estonia, Finland, France, Germany, Israel, the Netherlands, the Republic of Korea, the United Kingdom, and the United States. The main driver for building cybersecurity competences in the studied states appears to be the demand to respond to the growing number of cyber-threats experienced, especially in critical sectors. Equally important, however, is the vision of the economic potential of cybersecurity. The increasing dependence of the corporate sector on the Internet has created a demand for qualified labour, which is being recognised by states as a possible driver for employment, economic growth, and global competitiveness. All the studied countries have recognised both sides of the cybersecurity coin, both the risks and the opportunities. All are developing the means to transform their national labour market to meet this changing environment.
The eight dominant trends identified can be clustered within two categories: measures for strengthening the academic programmes with long-term effects, and measures related to professional training and knowledge frameworks, with shorter-term effects. The first category sees specific measures such as the labelling of universities by security services in order to accredit programmes and accelerate the integration of students. Measures include support by governments and the corporate sector to develop modern university curricula. They also include extending research capabilities especially through public-private partnerships; such parternships can promote certain regions as leaders in cybersecurity by setting up innovation centres and start-up incubators at the established universities.
The second category outlines the benefits of partnerships between public sector and existing private sector professional certification bodies. These partnerships help fill the gaps between the existing qualified labour and the current training of state personnel. They also showcase good practices in improving the competences of the private sector – especially small and medium enterprises and operators of critical infrastructure – through various training workshops, standards, guidelines and recommendations. They note particular trends in manager and decision-making level training, and the creation of knowledge frameworks and cybersecurity job descriptions.
Several questions were raised, mostly with regard to identified fields of coverage within various trends. The researchers clarified that the technical and legal aspects of cyberspace were the most frequent in most identified trends, but other aspects, such as business and management, human resources, international relations or communications, were also present. Responding to a question as to which country could be marked as a leader in cybersecurity competence building, the researchers noted that each studied country has certain specific policy options. It would be up to other countries to decide which trends they should follow, based on national needs and specificities. The most remarkable and comprehensive trend, however, seems to be the public-private partnership initiatives for developing certain regions to lead in cybersecurity, such as the CyberSpark in Israel or the JyvSecTech in Finland.
An illustrated Executive Summary was presented (read or download); the full report is now also available: read or download. Access more resources on the Cybersecurity page on the GIP Digital Watch observatory.