Why is there such a massive cybersecurity talent gap in Canada?

The following article first appeared in DX Journal on October 18, 2023.

This is a story about the acute talent gap in Canada’s cybersecurity industry, which threatens the productivity of Canadian companies, and could soon create major national security issues.

But it starts with a lesson from the world of football.

Rushmi Hasham, Director of Cybersecurity Workforce Training at Toronto Metropolitan University’s Rogers Cybersecure Catalyst, says the two areas are analogous. 

“In June 2018, FIFA announced that the 2026 World Cup would be held in North America. Canada, the US, and Mexico’s successful joint bid put more pressure on each host country to qualify for the tournament and perform in front of its home fans,” says Hasham.

Of course, it would be disastrous for any of these countries to start nurturing 2026 World Cup talent in 2025. Building a talent pipeline takes years and years. Today’s 15-year-old phenom is tomorrow’s national team star. You have to get ahead of it.

And therein lies the lesson.

Canada’s cybersecurity industry is currently lagging behind demand, with an estimated 25,000-person shortage. In fact, one out of every six cybersecurity openings in Canada goes unfilled.

To extend the metaphor: Canada is effectively playing the World Cup every day but we’re not able to field a full team. You don’t win a lot of matches that way.

So, what created this talent gap?

“It’s partly demand that’s driving the gap, especially as organizations put more budget behind cybersecurity,” says Hasham. “But there is also high mobility in the cybersecurity profession because the demand for talent is so high. People tend to move and create vacancies in the places they leave.”

As organizations struggle to find talent, Rogers Cybersecure Catalyst is on the frontlines of the struggle to change the dynamics in the Canadian cybersecurity industry. The group empowers individuals and organizations to seize the opportunities and tackle the challenges of cybersecurity. They do this through training and certification programs, in an accelerator for cybersecurity startups, as part of public education programs, and in policy development.

The training element is key.

Many cybersecurity professionals — both at entry level and as part of ongoing career upskilling efforts — covet ‘gold standard’ training for the skills it provides and the career doors it opens.

“With our programs, we chose to partner with the SANS Institute [a global leader in cybersecurity training], because their training is so rich in content,” says Hasham. 

“It’s also delivered by industry leaders. The trainers are Chief Information Security Officers for leading organizations. The program content is updated every 3-6 months, so it always reflects the current needs of the industry. The resulting certifications that participants get are coveted by organizations around the world.”

But while programs like those at Rogers Cybersecure Catalyst turn out highly appealing professional candidates, the national talent gap is a systemic one.

And it might not get better anytime soon.

How the cybersecurity talent gap in Canada could actually get worse in the future

In her role, Hasham has a comprehensive view of Canada’s cybersecurity talent challenges and the pressures on the sector that could make things harder in the future.

These include:

Digital transformation: The all-industry trend towards digital transformation is creating more digital properties all over Canada in need of cybersecurity protection. This has fundamentally created more potential points-of-attack for cybercriminals and hackers — right as the country is facing this critical shortage of talent. And of course, we’re only going to become a more digital nation in the future.

A changing Industry: Cybersecurity is a rapidly changing industry where skills and requirements for practitioners change regularly and make the talent gap more acute, especially with respect to priority areas within the industry.

Stress and turnover: The reality is that cybersecurity is a frequently high stress environment for those already in the profession. This leads to turnover, especially considering that many professionals are overworked given the roles that go unfilled. This stress also serves a deterrent for new people to enter the industry, particularly in an age of employee empowerment. As a result of all of this, organizations are now prioritizing mental wellness.

The ‘brain drain’ potential: There’s a growing concern that U.S. and European companies will trigger a Canadian cybersecurity brain drain by offering higher salaries, appealing remote working arrangements, and training and other perks that many Canadian firms can’t match. In a global war for cybersecurity talent, Canadian firms need to be ready to compete and win.

How to address Canada’s cybersecurity talent gap

Okay, so things are bad. And they might get worse.

How do we change it?

Like with the housing crisis, the cybersecurity talent issues Canada faces involve multiple stakeholders and will require coordinated efforts to address. There is no silver bullet. But one of the most important avenues to pursue is rethinking how we look at people across the Canadian workforce, even if they’re not already skilled as cybersecurity professionals.

This ‘latent talent pool’ needs to be more fully tapped.

“Individuals are coming to cybersecurity training with previous skills from previous career roles. says Hasham: 

“For example, we had someone in our program who was a professional chef who pivoted to cybersecurity. When you think of the skills that she developed as a chef — working under pressure, working within a team, knowing how to communicate, knowing when to take the lead, knowing when to follow — these skills are transferable. They are valued by employers. The key is for people to combine these skills with the cybersecurity knowledge and hands-on cybersecurity experience they get in programs like ours. That can create a deeper talent pool for companies.”

Hasham also suggests that recruiting itself needs to change.

“We need to explore alternative ways of recruiting — within the veteran community, within the pool of new Canadians and with women (who are underrepresented in cybersecurity at about only 25% of professionals globally). How do we bridge people from these groups into cybersecurity and what challenges and needs will come with that? How do we profile unusual paths into the industry to show it can be done?”

The barriers to entry into cybersecurity also remain stubbornly high in Canada — often in ways that create issues for talent and employers alike.

“Some new cybersecurity positions require two-to-three years of experience, as noted in a job posting,” says Hasham. “But in reality the role doesn’t actually require that. But someone who might come out of a training program, that has work experience that would make them highly effective in a role gets filtered out. They may not apply. Or if they do, they may not be considered.”

Inevitably, solutions will unfold at the macro level over the long-term as the industry looks at its overall workforce requirements and approach to talent development.

But the issue is now unavoidable.

Canada’s leading cybersecurity agency recently warned that cybercrime “will very likely pose a threat to Canada’s national security and economic prosperity over the next two years.”

Hasham: “This risk aversion in Canada on how and who we hire creates barriers — and that means that roles go unfilled. We need to address that.”

More from the Catalyst