For many Canadians, the world of cyberattacks and hackers still seems far removed from their day-to-day activities. Perception, however, does not always match reality.

Anyone employed by a sizable business in the private or public sector works in a place where cybersecurity is taken very seriously. Organizations know that those who fail to adequately invest in this area risk becoming perennial targets for cybercriminals in search of personal or proprietary data, valuable R&D information and more. They’ve also witnessed the devastating impact such attacks can have, resulting in significant service disruptions or the exposure of sensitive data, and are willing to do what it takes to avoid becoming casualties themselves.

Addressing these challenges requires the proper balance of technology, people and processes. As a result, cybersecurity expertise has become a must-have skill for most organizations. However, in seeking to bolster their cybersecurity posture, many organizations struggle to find the right talent to lead these initiatives. That’s because our country faces a growing cybersecurity skills gap. Research from Deloitte shows this lack of talent is being felt across corporate Canada and, unfortunately, it is more than a temporary issue. Critical roles are going unfilled, and it’s expected that organizations across Canada will need to fill an estimated 8,000 additional cybersecurity positions by 2021.

The challenge of the cybersecurity skills gap

Several factors have combined to get us here. First, the skill sets required for cybersecurity positions are evolving at such a speed that organizations are struggling just to keep pace. Chief information security officers used to be able to hire people with basic technical security skills and backgrounds, give them a quick security primer and largely call it a day.

Today, companies are embarking on a digital transformation strategy in a bid to run more efficiently and meet changing customer demand. As a result, they are running a variety of environments, such as multi-cloud networks or next-gen branches, which can expose their networks to potential attacks on more fronts, and sometimes these companies don’t even know where they are vulnerable. What is needed is specialized skill sets. General IT and security skills are still important, but they have quickly become outdated as the threat landscape evolves and networks expand.

Amid all this, organizations must contend with new and evolving Canadian security regulations while juggling a wide array of security tools they have accumulated over the years.

The result: Canada is in need of seasoned security people who are also well-versed in research, strategy, communication and data science, and they need to be able to apply these skills to new environments and ecosystems.

The answer would seem to be better education, but most of our universities and other educational institutions are failing to train students in cybersecurity necessities. Ironically, according to Deloitte, this is due in part to the same challenge facing businesses: not enough capable cybersecurity professionals are available to educate the next generation of security experts.

Additionally, due to rapidly changing technologies, schools are struggling to keep their curriculums up to date — so much so that some experts are concerned that the skills taught in school will soon be so far behind as to be functionally obsolete.

Bridging the skills gap

If we’re ever going to bridge the skills gap, we need urgent attention from – and collaboration among – government agencies, the private sector and academic institutions. Specifically, they must put aside the tendency to compete and instead work together to focus on training and education, combined with actively developing an apprenticeship and mentoring infrastructure that is necessary to bring up the next generation of cybersecurity professionals.

Training and education might sound the same, but they entail different curriculums. And they must work hand in hand to close the gap.


Education focuses on knowledge of threats that exist in the “wild” – the real world rather than in computer testing systems – along with skills and strategies to minimize them. It focuses broadly on security; training focuses on a particular security product. Education is as much about learning how to see and solve security challenges as it is about becoming familiar with a set of technologies.

And it’s here where organizations and academia can work together to overcome challenges surrounding competition and evolving curriculums. For example, Fortinet’s Network Security Academy has worked to design a curriculum for schools that can be incorporated into a multi-year program. Organizations can also take a more active role in academia, as security companies are starting to do in schools across Canada.

Additionally, cybersecurity experts and companies must work with independent organizations such as standards-setting bodies to establish cybersecurity competencies, job roles and responsibilities and professional certifications that are recognizable, verifiable and portable across companies. This will not only provide a critical benchmark for HR recruiters but will also be very useful for those seeking to join the cybersecurity profession.


There should also be a greater focus on training general IT professionals in specific security products and strategies. This approach is particularly useful for people already working in technical professions who might not be focused on cybersecurity, to help them become more involved in these roles. This is an effective way to give motivated people the hands-on experience they need in configuring and troubleshooting security controls while learning how to quickly respond to security incidents. Further, training in specific security products can provide insight into how security teams can leverage technology during an incident response.

Looking ahead

Finally, we must look ahead. Cybersecurity organizations are increasingly incorporating machine learning and automation into their tools to respond to threats in real time. It’s also a way to reduce the number of personnel required to run an effective security operation. Training with these cutting- edge tools, and keeping an eye on the next generation of technologies and strategies that are around the corner, such as artificial intelligence (AI), enables IT teams to understand how to leverage new solutions to augment existing security practices. By using automated systems to set up or remove users, analyze access logs or handle other mundane tasks, for example, organizations can allow their experts to focus on higher-order analysis, enabling them to be more efficient and effective.

As long as competition exists between companies, agencies and schools, the cybersecurity skills gap will continue to plague organizations in Canada and around the world. When we establish real working partnerships, the proper resources and objectives can be put in place, giving us the opportunity to become a model for the rest of the world and show what’s possible when all stakeholders come together for a common goal. For the good of our economy and the well-being of our citizens, it’s a mission we need to undertake, and soon.

Photo: Shutterstock, branjith ravindran

Do you have something to say about the article you just read? Be part of the Policy Options discussion, and send in your own submission. Here is a link on how to do it. | Souhaitez-vous réagir à cet article ? Joignez-vous aux débats d’Options politiques et soumettez-nous votre texte en suivant ces directives.

Rob Rashotte
Rob Rashotte is vice president of global training and technical field enablement at Fortinet. He has developed training and education strategies for start-ups and major global organizations for the past 20 years.

You are welcome to republish this Policy Options article online or in print periodicals, under a Creative Commons/No Derivatives licence.

Creative Commons License