In the realm of cybersecurity, a critical challenge often goes unnoticed: the skills pipeline. While New Zealand boasts a robust tertiary education system, with thousands of students pursuing business and IT-related degrees, the industry finds itself grappling with a skills gap. This disparity between education and the real-world demands of cybersecurity is a pressing issue that demands our attention. As Dr. Steven Woodhouse, a seasoned cybersecurity expert, aptly puts it, it's not a cyber skills shortage but an 'opportunity shortage'.
Universities, with their focus on theoretical knowledge, often fail to bridge the gap between education and industry-ready skills. The tertiary sector, while producing a wealth of graduates, may not adequately prepare them for the practical challenges of cybersecurity. This disconnect is a missed opportunity, not just for the tertiary sector but for the entire economy. The solution lies in a more holistic approach, where education and industry converge to create a robust skills pipeline.
One key aspect is the integration of industry into the classroom. Universities and polytechnics should foster stronger partnerships with security vendors and employers, co-designing courses that reflect real-world cybersecurity demands. This includes embedding vendor certifications and offering compulsory internships or co-op placements in security teams. By doing so, graduates will be better equipped with the practical skills sought after by industry and government cybersecurity teams.
Furthermore, cybersecurity should no longer be a niche technical elective but an integral part of all business degrees. Many cybersecurity professionals don't delve into technical network security or encryption systems; instead, they excel in administrative, compliance, and governance roles. By infusing cybersecurity into general business or management curricula, we can empower a broader range of graduates to pursue cybersecurity roles. This shift in perspective can help address the ad hoc approach currently prevalent in curricula.
The newly established Electrotechnology and Information Technology Industry Skills Board is a step in the right direction. This board will provide the industry with a stronger voice in shaping vocational education, ensuring that standards are set and maintained, and that programs are endorsed. By strengthening vocational education, we can create a more diverse and inclusive skills pipeline, targeting under-represented groups and mid-career workers.
Indigenous communities, for instance, present an untapped opportunity. Māori and Pasifika individuals, who are often excluded, should be actively included in cybersecurity programs. Understanding the blockers to their entry and creating tailored opportunities can help address this disparity. Additionally, with automation and artificial intelligence reshaping roles, mid-career workers can benefit from cybersecurity training, enhancing their existing skills and making them more valuable to businesses.
The urgency of addressing this skills gap is underscored by recent cybersecurity breaches, including exploits of sensitive patient and medical information. The Fortinet 2025 Cybersecurity Skills Gap Report highlights the alarming frequency of breaches, with nearly one-third of businesses surveyed experiencing five or more breaches in a year. As AI empowers cybercriminals with sophisticated tools, the pressure on organizations to protect their systems, data, and people intensifies. Therefore, bolstering the cybersecurity workforce is not just a strategic imperative but a matter of safeguarding our digital future.
In conclusion, the skills pipeline in cybersecurity is a complex issue that requires a multi-faceted approach. By integrating industry into education, infusing cybersecurity into business degrees, and targeting under-represented groups, we can create a more robust and inclusive skills pipeline. It's time to bridge the gap between education and industry, ensuring that New Zealand's cybersecurity strategy is not just aspirational but a tangible reality. The future of our digital security depends on it.
